sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: adjust configuration for nubus provisioning, preparatory steps for refactored selfservice-listener

Browse Source
This commit is contained in:
Andreas Niemann
2024-05-13 11:57:36 +02:00
parent 82c7ee1e10
commit 62f0a4bef2
4 changed files with 135 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

156
helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
View File

@@ -440,7 +440,7 @@ portal-server:
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
provisioning:
enabled: false
enabled: true
api:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -463,6 +463,8 @@ provisioning:
- name: {{ . | quote }}
{{- end }}
credentialSecretName: "ums-provisioning-dispatcher-credentials"
config:
UDM_HOST: "ums-udm-rest-api"
prefill:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
@@ -474,69 +476,19 @@ provisioning:
- name: {{ . | quote }}
{{- end }}
credentialSecretName: "ums-provisioning-prefill-credentials"
nats:
config:
authorization:
enabled: false
users:
- user: "admin"
password: "$NATS_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
- user: "$NATS_API_USER"
password: "$NATS_API_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
- user: "$NATS_DISPATCHER_USER"
password: "$NATS_DISPATCHER_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
- user: "$NATS_PREFILL_USER"
password: "$NATS_PREFILL_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
extraEnvVars:
- name: NATS_USER
value: "admin"
- name: NATS_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-nats-credentials
key: admin_password
- name: NATS_API_USER
valueFrom:
secretKeyRef:
name: ums-provisioning-api-credentials
key: NATS_USER
- name: NATS_API_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-api-credentials
key: NATS_PASSWORD
- name: NATS_DISPATCHER_USER
valueFrom:
secretKeyRef:
name: ums-provisioning-dispatcher-credentials
key: NATS_USER
- name: NATS_DISPATCHER_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-dispatcher-credentials
key: NATS_PASSWORD
- name: NATS_PREFILL_USER
valueFrom:
secretKeyRef:
name: ums-provisioning-prefill-credentials
key: NATS_USER
- name: NATS_PREFILL_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-prefill-credentials
key: NATS_PASSWORD
register_consumers:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsWaitForDependency.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
credentialSecretName: "ums-provisioning-register-consumers-credentials"
jsonSecretName: "ums-provisioning-register-consumers-json-secrets"
provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions"
nats:
nats:
image:
@@ -557,14 +509,13 @@ provisioning:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsNatsReloader.tag | quote }}
ingress:
host: "localhost"
tls:
enabled: false
udm-listener:
enabled: false
enabled: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
@@ -575,15 +526,18 @@ udm-listener:
- name: {{ . | quote }}
{{- end }}
config:
debugLevel: "4"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapPort: "389"
internalApiHost: "ums-provisioning-api"
notifierServer: "ums-ldap-notifier"
tlsMode: "off"
natsHost: "ums-provisioning-nats"
natsUser: {{ .Values.provisioning.udmListener.nats.username | quote }}
natsPassword: {{ .Values.provisioning.udmListener.nats.password | default .Values.secrets.univentionManagementStack.provisioning.udmListener.nats.password | quote }}
eventsUsernameUdm: {{ .Values.provisioning.api.udmListener.username | quote }}
eventsPasswordUdm: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }}
stack-data-ums:
enabled: true
@@ -1547,23 +1501,6 @@ extraSecrets:
- name: ums-portal-server-authenticator-credentials
stringData:
authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: ums-provisioning-api-credentials
stringData:
NATS_USER: "api"
NATS_PASSWORD: "password"
- name: ums-provisioning-dispatcher-credentials
stringData:
UDM_USERNAME: "cn=admin"
UDM_PASSWORD: "password"
NATS_USER: "dispatcher"
NATS_PASSWORD: "password"
- name: ums-provisioning-prefill-credentials
stringData:
NATS_USER: "prefill"
NATS_PASSWORD: "password"
- name: ums-provisioning-nats-credentials
stringData:
admin_password: "nimda"
- name: ums-udm-rest-api-credentials
stringData:
ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
@@ -1578,4 +1515,53 @@ extraSecrets:
stringData:
KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- name: ums-provisioning-nats-credentials
stringData:
admin_password: {{ .Values.provisioning.nats.password | default .Values.secrets.univentionManagementStack.provisioning.nats.password | quote }}
- name: ums-provisioning-api-credentials
stringData:
NATS_USER: {{ .Values.provisioning.api.nats.username | quote }}
NATS_PASSWORD: {{ .Values.provisioning.api.nats.password | default .Values.secrets.univentionManagementStack.provisioning.api.nats.password | quote }}
ADMIN_NATS_USER: {{ .Values.provisioning.nats.username | quote }}
ADMIN_NATS_PASSWORD: {{ .Values.provisioning.nats.password | default .Values.secrets.univentionManagementStack.provisioning.nats.password | quote }}
ADMIN_USERNAME: {{ .Values.provisioning.api.admin.username | quote }}
ADMIN_PASSWORD: {{ .Values.provisioning.api.admin.password | default .Values.secrets.univentionManagementStack.provisioning.api.admin.password | quote }}
PREFILL_USERNAME: {{ .Values.provisioning.api.prefill.username | quote }}
PREFILL_PASSWORD: {{ .Values.provisioning.api.prefill.password | default .Values.secrets.univentionManagementStack.provisioning.api.prefill.password | quote }}
EVENTS_USERNAME_UDM: {{ .Values.provisioning.api.udmListener.username | quote }}
EVENTS_PASSWORD_UDM: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }}
- name: ums-provisioning-dispatcher-credentials
stringData:
UDM_USERNAME: "cn=admin"
UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
NATS_USER: {{ .Values.provisioning.dispatcher.nats.username | quote }}
NATS_PASSWORD: {{ .Values.provisioning.dispatcher.nats.password | default .Values.secrets.univentionManagementStack.provisioning.dispatcher.nats.password | quote }}
- name: ums-provisioning-prefill-credentials
stringData:
NATS_USER: {{ .Values.provisioning.prefill.nats.username | quote }}
NATS_PASSWORD: {{ .Values.provisioning.prefill.nats.password | default .Values.secrets.univentionManagementStack.provisioning.prefill.nats.password | quote }}
UDM_USERNAME: "cn=admin"
UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
PREFILL_USERNAME: {{ .Values.provisioning.api.prefill.username | quote }}
PREFILL_PASSWORD: {{ .Values.provisioning.api.prefill.password | default .Values.secrets.univentionManagementStack.provisioning.api.prefill.password | quote }}
- name: "ums-provisioning-udm-listener-credentials"
stringData:
NATS_USER: {{ .Values.provisioning.udmListener.nats.username | quote }}
NATS_PASSWORD: {{ .Values.provisioning.udmListener.nats.password | default .Values.secrets.univentionManagementStack.provisioning.udmListener.nats.password | quote }}
EVENTS_USERNAME_UDM: {{ .Values.provisioning.api.udmListener.username | quote }}
EVENTS_PASSWORD_UDM: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }}
- name: "ums-provisioning-register-consumers-credentials"
stringData:
ADMIN_USERNAME: {{ .Values.provisioning.api.admin.username | quote }}
ADMIN_PASSWORD: {{ .Values.provisioning.api.admin.password | default .Values.secrets.univentionManagementStack.provisioning.api.admin.password | quote }}
- name: "ums-provisioning-register-consumers-json-secrets"
stringData:
consumer.json: |
{ "name": "consumer", "realms_topics": [["udm", "groups/group"]], "request_prefill": true, "password": "s0m3p4ss" }
- name: "ums-provisioning-selfservice-listener-credentials"
stringData:
NATS_USER: {{ .Values.provisioning.selfservice.nats.username | quote }}
NATS_PASSWORD: {{ .Values.provisioning.selfservice.nats.password | default .Values.secrets.univentionManagementStack.provisioning.selfservice.nats.password | quote }}
...

8
helmfile/environments/default/images.yaml
View File

@@ -670,7 +670,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
tag: "0.25.0@sha256:c6c9d1e4a46222105ded32c8e87cb2e9b19945592a9ada4e6c13e6942d721694"
umsProvisioningEventsAndConsumerApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -680,7 +680,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
tag: "0.25.0@sha256:f0382154126421e4078beede3ce2579f61859da64c497cb5c93acc693bf71647"
umsProvisioningPrefill:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -690,7 +690,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
tag: "0.25.0@sha256:a5beae74c2575fa20d305ae635bc0c2bba64a9b1173819f8ddd4cca3fb59f6a4"
umsProvisioningUdmListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -700,7 +700,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
tag: "0.25.0@sha256:b67e31d11461d02bc211117408ded3c0428d224b056f26734add7c024d5f710a"
umsSelfserviceInvitation:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'

37
helmfile/environments/default/provisioning.yaml Normal file
View File

@@ -0,0 +1,37 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
provisioning:
nats:
username: "admin"
password: ""
api:
nats:
username: "api"
password: ""
admin:
username: "admin"
password: ""
prefill:
username: "prefill"
password: ""
udmListener:
username: "udmListener"
password: ""
dispatcher:
nats:
username: "dispatcher"
password: ""
prefill:
nats:
username: "prefill"
password: ""
udmListener:
nats:
username: "udmListener"
password: ""
selfservice:
nats:
username: "selfservice"
password: ""
...

35
helmfile/environments/default/secrets.gotmpl
View File

@@ -31,20 +31,29 @@ secrets:
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
provisioning:
apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
nats:
natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "admin" | b64enc | quote }}
api:
nats:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "api" | b64enc | quote }}
admin:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin" | b64enc | quote }}
prefill:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "prefill" | b64enc | quote }}
udmListener:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "udmListener" | b64enc | quote }}
dispatcher:
nats:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "dispatcher" | b64enc | quote }}
prefill:
nats:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "prefill" | b64enc | quote }}
udmListener:
nats:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "udmListener" | b64enc | quote }}
selfservice:
nats:
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "selfservice" | b64enc | quote }}
postgresql:
postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}