sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(Nubus): Update migrations for Nubus 1.10.x

Browse Source
This commit is contained in:
Thorsten Roßner
2025-06-13 11:25:55 +02:00
committed by Norbert Tretkowski
parent 3c2d17cf34
commit 66e78530df
8 changed files with 296 additions and 265 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
docs/migrations.md
View File

@@ -9,6 +9,11 @@ SPDX-License-Identifier: Apache-2.0
* [Disclaimer](#disclaimer) * [Disclaimer](#disclaimer)
* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path) * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
* [Manual checks/actions](#manual-checksactions) * [Manual checks/actions](#manual-checksactions)
* [v1.6.0+](#v160)
* [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160)
* [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets)
* [Post-upgrade to v1.6.0+](#post-upgrade-to-v160)
* [Upstream contraint: Nubus' initialization of `univentionObjectIdentifier`](#upstream-contraint-nubus-initialization-of-univentionobjectidentifier)
* [v1.4.0+](#v140) * [v1.4.0+](#v140)
* [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140) * [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140)
* [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation) * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
@@ -49,15 +54,12 @@ SPDX-License-Identifier: Apache-2.0
* [Post-upgrade to v1.0.0+](#post-upgrade-to-v100) * [Post-upgrade to v1.0.0+](#post-upgrade-to-v100)
* [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component) * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
* [Optional Cleanup](#optional-cleanup) * [Optional Cleanup](#optional-cleanup)
* [v0.9.0](#v090)
* [Pre-upgrade to v0.9.0](#pre-upgrade-to-v090)
* [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
* [Updated customizable template attributes](#updated-customizable-template-attributes)
* [`migrations` S3 bucket](#migrations-s3-bucket)
* [Automated migrations - Details](#automated-migrations---details) * [Automated migrations - Details](#automated-migrations---details)
* [v1.6.0+ (automated)](#v160-automated)
* [v1.6.0+ migrations-post](#v160-migrations-post)
* [v1.2.0+ (automated)](#v120-automated) * [v1.2.0+ (automated)](#v120-automated)
* [migrations-pre](#migrations-pre) * [v1.2.0+ migrations-pre](#v120-migrations-pre)
* [migrations-post](#migrations-post) * [v1.2.0+ migrations-post](#v120-migrations-post)
* [v1.1.0+ (automated)](#v110-automated) * [v1.1.0+ (automated)](#v110-automated)
* [v1.0.0+ (automated)](#v100-automated) * [v1.0.0+ (automated)](#v100-automated)
* [Related components and artifacts](#related-components-and-artifacts) * [Related components and artifacts](#related-components-and-artifacts)
@@ -89,6 +91,7 @@ To upgrade existing deployments, you cannot skip any version mentioned in the co
| Mandatory version | | Mandatory version |
| ----------------- | | ----------------- |
<!--| v1.2+ | add the entry to the table as soon as we get new migration requiring the set version (range) to be deployed first --> <!--| v1.2+ | add the entry to the table as soon as we get new migration requiring the set version (range) to be deployed first -->
| v1.5.x |
| v1.1.x | | v1.1.x |
| v1.0.0 | | v1.0.0 |
| v0.9.0 | | v0.9.0 |
@@ -101,6 +104,29 @@ If you would like more details about the automated migrations, please read secti
# Manual checks/actions # Manual checks/actions
## v1.6.0+
### Pre-upgrade to v1.6.0+
#### Upstream contraint: Nubus' external secrets
> **Note**<br>
> External Secrets are not yet a supported feature. We are working on making it available in 2025, though it is possible to make use of the support for external secrets within single applications using the openDesk [customization](../helmfile/environments/default/customization.yaml.gotmpl) options.
**Target group:** Operators that use external secrets for Nubus.
Please ensure you read the [Nubus 1.10.0 "Migration steps" section](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/changelog.html#v1-10-0-migration-steps) with focus on the paragraph "Operators that make use of the following UDM Listener secrets variables" and act accordingly.
### Post-upgrade to v1.6.0+
#### Upstream contraint: Nubus' initialization of `univentionObjectIdentifier`
**Target group:** All upgrades.
We try to address this issue with the automated upgrades already, see [v1.6.0+ migrations-post](#v160-migrations-post) for reference. But it is best to ensure that the job `ums-udm-rest-api-1-update-univention-object-identifier` was triggered successfully. If that is not the case you might want to start the job manually, see [Nubus 1.10.0 "Migration steps" section](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/changelog.html#v1-10-0-migration-steps) for reference.
Once completed successfully all jobs from that naming scheme spawned by later deployments can be removed. We will ensure the job is not rolled out on updates with a later openDesk release.
## v1.4.0+ ## v1.4.0+
### Pre-upgrade to v1.4.0+ ### Pre-upgrade to v1.4.0+
@@ -687,42 +713,28 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0 kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
``` ```
## v0.9.0
### Pre-upgrade to v0.9.0
#### Updated `cluster.networking.cidr`
- Action: `cluster.networking.cidr` is now an array (was a string until v0.8.1); please update your setup accordingly if you explicitly set this value.
- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
#### Updated customizable template attributes
- Action: Please update your custom deployment values according to the updated default value structure.
- References:
- `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
- `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
- `monitoring.` prefix for `prometheus.*` and `grafana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
- `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
#### `migrations` S3 bucket
- Action: For self-managed/external S3/object storages, please create a bucket called `migrations` using your S3 endpoint.
- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
# Automated migrations - Details # Automated migrations - Details
## v1.6.0+ (automated)
> **Note**<br>
> Details can be found in [run_5.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_5.py).
### v1.6.0+ migrations-post
- Triggering of the `ldapUpdateUniventionObjectIdentifier` job to fill the attribute `univentionObjectIdentifier` on existing objects. Please read [the products upstream documentation for reference](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#v1-10-0-migration-steps).
## v1.2.0+ (automated) ## v1.2.0+ (automated)
> **Note**<br> > **Note**<br>
> Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py). > Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py).
### migrations-pre ### v1.2.0+ migrations-pre
- Delete PVC `group-membership-cache-ums-portal-consumer-0`: With the upgrade the Nubus Portal Consumer no longer requires to be executed with root privileges. The PVC contains files that require root permission to access them, therefore the PVC gets deleted (and re-created) during the upgrade. - Delete PVC `group-membership-cache-ums-portal-consumer-0`: With the upgrade the Nubus Portal Consumer no longer requires to be executed with root privileges. The PVC contains files that require root permission to access them, therefore the PVC gets deleted (and re-created) during the upgrade.
- Delete StatefulSet `ums-portal-consumer`: A bug was fixed in the templating of the Portal Consumer's PVC causing the values in `persistence.storages.nubusPortalConsumer.*` to be ignored. As these values are immutable, we had to delete the whole StatefulSet. - Delete StatefulSet `ums-portal-consumer`: A bug was fixed in the templating of the Portal Consumer's PVC causing the values in `persistence.storages.nubusPortalConsumer.*` to be ignored. As these values are immutable, we had to delete the whole StatefulSet.
### migrations-post ### v1.2.0+ migrations-post
- Restarting Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` as well as deleting the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream. - Restarting Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` as well as deleting the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream.

235
helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl Normal file
View File

@@ -0,0 +1,235 @@
{{/*
SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
#
# This file is currently optional for customizing purposes only. It will be a mandatory part of Nubus in a later release.
#
nubusGuardian:
authorizationApi:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-authorization-api"
{{- with .Values.annotations.nubusGuardian.authorizationApiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
global:
podAnnotations:
{{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
ingress:
annotations:
{{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
items:
- name: management-ui
host: ""
# -- Define the Ingress paths.
paths:
- path: /univention/guardian/management-ui
pathType: Prefix
backend:
service:
name: guardian-management-ui
port:
number: 80
ingressClassName: ""
annotations:
{{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }}
tls:
# enabled: true
secretName: ""
- name: management-api
host: ""
paths:
- path: /guardian/management
pathType: Prefix
backend:
service:
name: guardian-management-api
port:
number: 80
ingressClassName: ""
annotations:
{{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }}
tls:
# enabled: true
secretName: ""
- name: authorization-api
host: ""
paths:
- path: /guardian/authorization
pathType: Prefix
backend:
service:
name: guardian-authorization-api
port:
number: 80
ingressClassName: ""
annotations:
{{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }}
tls:
# enabled: true
secretName: ""
managementApi:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-api"
{{- with .Values.annotations.nubusGuardian.managementApiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
managementUi:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-ui"
{{- with .Values.annotations.nubusGuardian.managementUiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
openPolicyAgent:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
podAnnotations:
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
postgresql:
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
existingSecret:
name: "ums-guardian-postgresql-opendesk-credentials"
keyMapping:
password: "guardianDatabasePassword"
provisioning:
enabled: false
config:
nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
keycloak:
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
realm: {{ .Values.platform.realm | quote }}
username: "kcadmin"
keycloak:
auth:
existingSecret:
name: "ums-opendesk-guardian-client-secret"
keyMapping:
password: "managementApiClientSecret"
connection:
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "http://ums-keycloak:8080"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }}
---

232
helmfile/apps/nubus/values-nubus.yaml.gotmpl
View File

@@ -1,5 +1,5 @@
{{/* {{/*
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0 SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
@@ -260,233 +260,6 @@ keycloak:
value: "jks" value: "jks"
{{- end }} {{- end }}
nubusGuardian:
authorizationApi:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-authorization-api"
{{- with .Values.annotations.nubusGuardian.authorizationApiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
global:
podAnnotations:
{{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
ingress:
annotations:
{{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
items:
- name: management-ui
host: ""
# -- Define the Ingress paths.
paths:
- path: /univention/guardian/management-ui
pathType: Prefix
backend:
service:
name: guardian-management-ui
port:
number: 80
ingressClassName: ""
annotations:
{{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }}
tls:
# enabled: true
secretName: ""
- name: management-api
host: ""
paths:
- path: /guardian/management
pathType: Prefix
backend:
service:
name: guardian-management-api
port:
number: 80
ingressClassName: ""
annotations:
{{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }}
tls:
# enabled: true
secretName: ""
- name: authorization-api
host: ""
paths:
- path: /guardian/authorization
pathType: Prefix
backend:
service:
name: guardian-authorization-api
port:
number: 80
ingressClassName: ""
annotations:
{{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }}
tls:
# enabled: true
secretName: ""
managementApi:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-api"
{{- with .Values.annotations.nubusGuardian.managementApiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
managementUi:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-ui"
{{- with .Values.annotations.nubusGuardian.managementUiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
openPolicyAgent:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
podAnnotations:
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
postgresql:
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
existingSecret:
name: "ums-guardian-postgresql-opendesk-credentials"
keyMapping:
password: "guardianDatabasePassword"
provisioning:
enabled: false
config:
nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
keycloak:
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
realm: {{ .Values.platform.realm | quote }}
username: "kcadmin"
keycloak:
auth:
existingSecret:
name: "ums-opendesk-guardian-client-secret"
keyMapping:
password: "managementApiClientSecret"
connection:
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "http://ums-keycloak:8080"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }}
nubusNotificationsApi: nubusNotificationsApi:
enabled: false enabled: false
additionalAnnotations: additionalAnnotations:
@@ -1364,6 +1137,9 @@ nubusUdmListener:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
persistence:
size: {{ .Values.persistence.storages.nubusUdmListener.size | quote }}
# storageClass: -- coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote --
podAnnotations: podAnnotations:
{{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }} {{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsUdmListener }} replicaCount: {{ .Values.replicas.umsUdmListener }}

4
helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl
View File

@@ -4,7 +4,7 @@
repositories: repositories:
# openDesk Migrations # openDesk Migrations
# Source: # Source:
- name: "openproject-migrations-repo" - name: "opendesk-migrations-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.migrations.verify }} verify: {{ .Values.charts.migrations.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
@@ -14,7 +14,7 @@ repositories:
releases: releases:
- name: "opendesk-migrations-pre" - name: "opendesk-migrations-pre"
chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}" chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}"
version: "{{ .Values.charts.migrations.version }}" version: "{{ .Values.charts.migrations.version }}"
wait: true wait: true
waitForJobs: true waitForJobs: true

2
helmfile/environments/default/charts.yaml.gotmpl
View File

@@ -231,7 +231,7 @@ charts:
registry: "registry.opencode.de" registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations" repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
name: "opendesk-migrations" name: "opendesk-migrations"
version: "1.6.0" version: "1.7.0"
verify: true verify: true
minio: minio:
# providerCategory: "Community" # providerCategory: "Community"

2
helmfile/environments/default/images.yaml.gotmpl
View File

@@ -296,7 +296,7 @@ images:
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations" # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
registry: "registry.opencode.de" registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations" repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
tag: "1.6.1@sha256:cc97de002f5821e3b3751879514f3f45a3b4ffa851d999187c3cf3dd0dee82e7" tag: "1.7.0@sha256:326555aa8660ad1c29c850e7c06e601a51ce3fde994bb88a3638173a987ea836"
milter: milter:
# providerCategory: "Community" # providerCategory: "Community"
# providerResponsible: "openDesk" # providerResponsible: "openDesk"

8
helmfile/environments/default/persistence.yaml.gotmpl
View File

@@ -36,6 +36,14 @@ persistence:
nubusProvisioningNats: nubusProvisioningNats:
size: "1Gi" size: "1Gi"
storageClassName: ~ storageClassName: ~
# This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
# to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth
# Nubus deployment.
# In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments
# to the default storage class.
nubusUdmListener:
size: "1Gi"
#storageClassName: ""
oxConnector: oxConnector:
size: "1Gi" size: "1Gi"
storageClassName: ~ storageClassName: ~

2
helmfile/shared/migrations.yaml.gotmpl
View File

@@ -19,7 +19,7 @@ cleanup:
deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }} deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
migrations: migrations:
runId: 4 runId: 5
namespace: {{ .Values.apps.migrations.namespace | default .Release.Namespace | quote }} namespace: {{ .Values.apps.migrations.namespace | default .Release.Namespace | quote }}
loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }} loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
failOnUnexpectedState: true failOnUnexpectedState: true