diff --git a/docs/migrations.md b/docs/migrations.md index 4bc4b7f4..3bff78df 100644 --- a/docs/migrations.md +++ b/docs/migrations.md @@ -9,6 +9,11 @@ SPDX-License-Identifier: Apache-2.0 * [Disclaimer](#disclaimer) * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path) * [Manual checks/actions](#manual-checksactions) + * [v1.6.0+](#v160) + * [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160) + * [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets) + * [Post-upgrade to v1.6.0+](#post-upgrade-to-v160) + * [Upstream contraint: Nubus' initialization of `univentionObjectIdentifier`](#upstream-contraint-nubus-initialization-of-univentionobjectidentifier) * [v1.4.0+](#v140) * [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140) * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation) 
@@ -49,15 +54,12 @@ SPDX-License-Identifier: Apache-2.0 * [Post-upgrade to v1.0.0+](#post-upgrade-to-v100) * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component) * [Optional Cleanup](#optional-cleanup) - * [v0.9.0](#v090) - * [Pre-upgrade to v0.9.0](#pre-upgrade-to-v090) - * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr) - * [Updated customizable template attributes](#updated-customizable-template-attributes) - * [`migrations` S3 bucket](#migrations-s3-bucket) * [Automated migrations - Details](#automated-migrations---details) + * [v1.6.0+ (automated)](#v160-automated) + * [v1.6.0+ migrations-post](#v160-migrations-post) * [v1.2.0+ (automated)](#v120-automated) - * [migrations-pre](#migrations-pre) - * [migrations-post](#migrations-post) + * [v1.2.0+ migrations-pre](#v120-migrations-pre) + * [v1.2.0+ migrations-post](#v120-migrations-post) * [v1.1.0+ (automated)](#v110-automated) * [v1.0.0+ (automated)](#v100-automated) * [Related components and artifacts](#related-components-and-artifacts) @@ -89,6 +91,7 @@ To upgrade existing deployments, you cannot skip any version mentioned in the co | Mandatory version | | ----------------- | +| v1.5.x | | v1.1.x | | v1.0.0 | | v0.9.0 | @@ -101,6 +104,29 @@ If you would like more details about the automated migrations, please read secti # Manual checks/actions +## v1.6.0+ + +### Pre-upgrade to v1.6.0+ + +#### Upstream contraint: Nubus' external secrets + +> **Note**
+> External Secrets are not yet a supported feature. We are working on making it available in 2025, though it is possible to make use of the support for external secrets within single applications using the openDesk [customization](../helmfile/environments/default/customization.yaml.gotmpl) options. + +**Target group:** Operators that use external secrets for Nubus. + +Please ensure you read the [Nubus 1.10.0 "Migration steps" section](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/changelog.html#v1-10-0-migration-steps) with focus on the paragraph "Operators that make use of the following UDM Listener secrets variables" and act accordingly. + +### Post-upgrade to v1.6.0+ + +#### Upstream contraint: Nubus' initialization of `univentionObjectIdentifier` + +**Target group:** All upgrades. + +We try to address this issue with the automated upgrades already, see [v1.6.0+ migrations-post](#v160-migrations-post) for reference. But it is best to ensure that the job `ums-udm-rest-api-1-update-univention-object-identifier` was triggered successfully. If that is not the case you might want to start the job manually, see [Nubus 1.10.0 "Migration steps" section](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/changelog.html#v1-10-0-migration-steps) for reference. + +Once completed successfully all jobs from that naming scheme spawned by later deployments can be removed. We will ensure the job is not rolled out on updates with a later openDesk release. + ## v1.4.0+ ### Pre-upgrade to v1.4.0+ 
@@ -687,42 +713,28 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0 kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0 ``` -## v0.9.0 - -### Pre-upgrade to v0.9.0 - -#### Updated `cluster.networking.cidr` - -- Action: `cluster.networking.cidr` is now an array (was a string until v0.8.1); please update your setup accordingly if you explicitly set this value. -- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml) - -#### Updated customizable template attributes - -- Action: Please update your custom deployment values according to the updated default value structure. -- References: - - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml). - - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml). - - `monitoring.` prefix for `prometheus.*` and `grafana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml). - - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml). - -#### `migrations` S3 bucket - -- Action: For self-managed/external S3/object storages, please create a bucket called `migrations` using your S3 endpoint. -- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml) - # Automated migrations - Details +## v1.6.0+ (automated) + +> **Note**
+> Details can be found in [run_5.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_5.py). + +### v1.6.0+ migrations-post + +- Triggering of the `ldapUpdateUniventionObjectIdentifier` job to fill the attribute `univentionObjectIdentifier` on existing objects. Please read [the products upstream documentation for reference](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#v1-10-0-migration-steps). + ## v1.2.0+ (automated) > **Note**
> Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py). -### migrations-pre +### v1.2.0+ migrations-pre - Delete PVC `group-membership-cache-ums-portal-consumer-0`: With the upgrade the Nubus Portal Consumer no longer requires to be executed with root privileges. The PVC contains files that require root permission to access them, therefore the PVC gets deleted (and re-created) during the upgrade. - Delete StatefulSet `ums-portal-consumer`: A bug was fixed in the templating of the Portal Consumer's PVC causing the values in `persistence.storages.nubusPortalConsumer.*` to be ignored. As these values are immutable, we had to delete the whole StatefulSet. -### migrations-post +### v1.2.0+ migrations-post - Restarting Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` as well as deleting the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream. diff --git a/helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl b/helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl new file mode 100644 index 00000000..60e49d85 --- /dev/null +++ b/helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl 
@@ -0,0 +1,235 @@ +{{/* +SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +# +# This file is currently optional for customizing purposes only. It will be a mandatory part of Nubus in a later release. +# +nubusGuardian: + authorizationApi: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }} + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }} + repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }} + tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} + podAnnotations: + intents.otterize.com/service-name: "ums-guardian-authorization-api" + {{- with .Values.annotations.nubusGuardian.authorizationApiPod }} + {{ . | toYaml | nindent 6 }} + {{- end }} + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "Always" + replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }} + resources: + {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} + global: + podAnnotations: + {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }} + ingress: + annotations: + {{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }} + certManager: + enabled: false + tls: + enabled: {{ .Values.ingress.tls.enabled }} + secretName: {{ .Values.ingress.tls.secretName | quote }} + items: + - name: management-ui + host: "" + # -- Define the Ingress paths. 
+ paths: + - path: /univention/guardian/management-ui + pathType: Prefix + backend: + service: + name: guardian-management-ui + port: + number: 80 + ingressClassName: "" + annotations: + {{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }} + tls: + # enabled: true + secretName: "" + - name: management-api + host: "" + paths: + - path: /guardian/management + pathType: Prefix + backend: + service: + name: guardian-management-api + port: + number: 80 + ingressClassName: "" + annotations: + {{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }} + tls: + # enabled: true + secretName: "" + - name: authorization-api + host: "" + paths: + - path: /guardian/authorization + pathType: Prefix + backend: + service: + name: guardian-authorization-api + port: + number: 80 + ingressClassName: "" + annotations: + {{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }} + tls: + # enabled: true + secretName: "" + managementApi: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }} + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }} + repository: {{ .Values.images.nubusGuardianManagementApi.repository }} + tag: {{ .Values.images.nubusGuardianManagementApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} + podAnnotations: + intents.otterize.com/service-name: "ums-guardian-management-api" + {{- with .Values.annotations.nubusGuardian.managementApiPod }} + {{ . 
| toYaml | nindent 6 }} + {{- end }} + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "Always" + replicaCount: {{ .Values.replicas.umsGuardianManagementApi }} + resources: + {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} + managementUi: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }} + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }} + repository: {{ .Values.images.nubusGuardianManagementUi.repository }} + tag: {{ .Values.images.nubusGuardianManagementUi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} + podAnnotations: + intents.otterize.com/service-name: "ums-guardian-management-ui" + {{- with .Values.annotations.nubusGuardian.managementUiPod }} + {{ . 
| toYaml | nindent 6 }} + {{- end }} + replicaCount: {{ .Values.replicas.umsGuardianManagementUi }} + resources: + {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }} + openPolicyAgent: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }} + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }} + repository: {{ .Values.images.nubusOpenPolicyAgent.repository }} + tag: {{ .Values.images.nubusOpenPolicyAgent.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "Always" + podAnnotations: + intents.otterize.com/service-name: "ums-ums-open-policy-agent" + replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }} + resources: + {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} + postgresql: + connection: + host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} + port: {{ .Values.databases.umsGuardianManagementApi.port | quote }} + auth: + username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} + database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} + existingSecret: + name: "ums-guardian-postgresql-opendesk-credentials" + keyMapping: + password: "guardianDatabasePassword" + provisioning: + enabled: false + config: + nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }} + keycloak: + credentialSecret: + name: "ums-opendesk-keycloak-credentials" + key: "admin_password" + realm: {{ .Values.platform.realm | 
quote }} + username: "kcadmin" + keycloak: + auth: + existingSecret: + name: "ums-opendesk-guardian-client-secret" + keyMapping: + password: "managementApiClientSecret" + connection: + host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + baseUrl: "http://ums-keycloak:8080" + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }} + repository: {{ .Values.images.nubusGuardianProvisioning.repository }} + tag: {{ .Values.images.nubusGuardianProvisioning.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + serviceAccount: + annotations: + {{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }} +--- diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl index e7da36db..3fb0eb09 100644 --- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl @@ -1,5 +1,5 @@ {{/* -SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH SPDX-License-Identifier: Apache-2.0 */}} --- 
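Review bot: `managementUi` is the only component in this new file without a `podSecurityContext`; `authorizationApi`, `managementApi` and `openPolicyAgent` all pair the same non-root `containerSecurityContext` with `fsGroup: 1000` and `fsGroupChangePolicy: "Always"`. If the UI pod mounts no volumes this may be deliberate, but then a one-line comment saying so would spare the next reader the comparison; otherwise add the same two keys under `managementUi`. The header comment says the file is "currently optional for customizing purposes only" but does not say how an operator includes it, so a sentence naming the helmfile or values-file mechanism that picks it up would help. The OPA annotation `intents.otterize.com/service-name: "ums-ums-open-policy-agent"` is the only one with a doubled `ums-` prefix; it is worth confirming against the workload name the chart actually renders, since the annotation is only useful when the two agree.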
@@ -260,233 +260,6 @@ keycloak: value: "jks" {{- end }} -nubusGuardian: - authorizationApi: - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }} - image: - registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }} - repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }} - tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} - podAnnotations: - intents.otterize.com/service-name: "ums-guardian-authorization-api" - {{- with .Values.annotations.nubusGuardian.authorizationApiPod }} - {{ . | toYaml | nindent 6 }} - {{- end }} - podSecurityContext: - fsGroup: 1000 - fsGroupChangePolicy: "Always" - replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }} - resources: - {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} - global: - podAnnotations: - {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }} - ingress: - annotations: - {{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }} - certManager: - enabled: false - tls: - enabled: {{ .Values.ingress.tls.enabled }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - items: - - name: management-ui - host: "" - # -- Define the Ingress paths. 
- paths: - - path: /univention/guardian/management-ui - pathType: Prefix - backend: - service: - name: guardian-management-ui - port: - number: 80 - ingressClassName: "" - annotations: - {{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }} - tls: - # enabled: true - secretName: "" - - name: management-api - host: "" - paths: - - path: /guardian/management - pathType: Prefix - backend: - service: - name: guardian-management-api - port: - number: 80 - ingressClassName: "" - annotations: - {{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }} - tls: - # enabled: true - secretName: "" - - name: authorization-api - host: "" - paths: - - path: /guardian/authorization - pathType: Prefix - backend: - service: - name: guardian-authorization-api - port: - number: 80 - ingressClassName: "" - annotations: - {{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }} - tls: - # enabled: true - secretName: "" - managementApi: - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }} - image: - registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }} - repository: {{ .Values.images.nubusGuardianManagementApi.repository }} - tag: {{ .Values.images.nubusGuardianManagementApi.tag }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} - podAnnotations: - intents.otterize.com/service-name: "ums-guardian-management-api" - {{- with .Values.annotations.nubusGuardian.managementApiPod }} - {{ . 
| toYaml | nindent 6 }} - {{- end }} - podSecurityContext: - fsGroup: 1000 - fsGroupChangePolicy: "Always" - replicaCount: {{ .Values.replicas.umsGuardianManagementApi }} - resources: - {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} - managementUi: - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }} - image: - registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }} - repository: {{ .Values.images.nubusGuardianManagementUi.repository }} - tag: {{ .Values.images.nubusGuardianManagementUi.tag }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} - podAnnotations: - intents.otterize.com/service-name: "ums-guardian-management-ui" - {{- with .Values.annotations.nubusGuardian.managementUiPod }} - {{ . 
| toYaml | nindent 6 }} - {{- end }} - replicaCount: {{ .Values.replicas.umsGuardianManagementUi }} - resources: - {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }} - openPolicyAgent: - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - seLinuxOptions: - {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }} - image: - registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }} - repository: {{ .Values.images.nubusOpenPolicyAgent.repository }} - tag: {{ .Values.images.nubusOpenPolicyAgent.tag }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} - podSecurityContext: - fsGroup: 1000 - fsGroupChangePolicy: "Always" - podAnnotations: - intents.otterize.com/service-name: "ums-ums-open-policy-agent" - replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }} - resources: - {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} - postgresql: - connection: - host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} - port: {{ .Values.databases.umsGuardianManagementApi.port | quote }} - auth: - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} - database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} - existingSecret: - name: "ums-guardian-postgresql-opendesk-credentials" - keyMapping: - password: "guardianDatabasePassword" - provisioning: - enabled: false - config: - nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }} - keycloak: - credentialSecret: - name: "ums-opendesk-keycloak-credentials" - key: "admin_password" - realm: {{ .Values.platform.realm | 
quote }} - username: "kcadmin" - keycloak: - auth: - existingSecret: - name: "ums-opendesk-guardian-client-secret" - keyMapping: - password: "managementApiClientSecret" - connection: - host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - baseUrl: "http://ums-keycloak:8080" - image: - registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }} - repository: {{ .Values.images.nubusGuardianProvisioning.repository }} - tag: {{ .Values.images.nubusGuardianProvisioning.tag }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - serviceAccount: - annotations: - {{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }} - nubusNotificationsApi: enabled: false additionalAnnotations: @@ -1364,6 +1137,9 @@ nubusUdmListener: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + persistence: + size: {{ .Values.persistence.storages.nubusUdmListener.size | quote }} +# storageClass: -- coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote -- podAnnotations: {{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsUdmListener }} diff --git a/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl b/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl index 0c6b6944..4034cd65 100644 --- a/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl +++ b/helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl @@ -4,7 +4,7 @@ repositories: # openDesk Migrations # Source: - - name: "openproject-migrations-repo" + - name: "opendesk-migrations-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.migrations.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} 
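Review bot: In the `nubusUdmListener` hunk the parked line `# storageClass: -- coalesce ... --` looks like `--` was substituted for the template delimiters so the YAML comment is not rendered, but the result is neither valid YAML nor a valid template if someone later uncomments it, and nothing on the line says why it is disabled. A Go template comment is the idiomatic way to keep templated code dormant in a `.gotmpl` file, e.g. `{{/* storageClass: coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote — intentionally unset in 1.6, see helmfile/environments/default/persistence.yaml.gotmpl */}}`. Note that the left operand, `storageClassName` under `nubusUdmListener`, is itself commented out in persistence.yaml.gotmpl in this same commit, so re-enabling this line would also require restoring that key; `.Values.persistence.storageClassNames.RWO` is not visible in this diff and should be checked too. The enclosing `nubusUdmListener:` mapping starts outside the hunk.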
@@ -14,7 +14,7 @@ repositories: releases: - name: "opendesk-migrations-pre" - chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}" + chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}" version: "{{ .Values.charts.migrations.version }}" wait: true waitForJobs: true diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index bff9285c..e0c9b4d2 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -231,7 +231,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations" name: "opendesk-migrations" - version: "1.6.0" + version: "1.7.0" verify: true minio: # providerCategory: "Community" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 4c8f5b58..cba96d20 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl @@ -296,7 +296,7 @@ images: # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations" registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations" - tag: "1.6.1@sha256:cc97de002f5821e3b3751879514f3f45a3b4ffa851d999187c3cf3dd0dee82e7" + tag: "1.7.0@sha256:326555aa8660ad1c29c850e7c06e601a51ce3fde994bb88a3638173a987ea836" milter: # providerCategory: "Community" # providerResponsible: "openDesk" diff --git a/helmfile/environments/default/persistence.yaml.gotmpl b/helmfile/environments/default/persistence.yaml.gotmpl index f33b384c..7bbf943f 100644 --- a/helmfile/environments/default/persistence.yaml.gotmpl +++ b/helmfile/environments/default/persistence.yaml.gotmpl 
@@ -36,6 +36,14 @@ persistence: nubusProvisioningNats: size: "1Gi" storageClassName: ~ + # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string + # to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth + # Nubus deployment. + # In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments + # to the default storage class. + nubusUdmListener: + size: "1Gi" + #storageClassName: "" oxConnector: size: "1Gi" storageClassName: ~ diff --git a/helmfile/shared/migrations.yaml.gotmpl b/helmfile/shared/migrations.yaml.gotmpl index 28e62462..00b619bb 100644 --- a/helmfile/shared/migrations.yaml.gotmpl +++ b/helmfile/shared/migrations.yaml.gotmpl @@ -19,7 +19,7 @@ cleanup: deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }} migrations: - runId: 4 + runId: 5 namespace: {{ .Values.apps.migrations.namespace | default .Release.Namespace | quote }} loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }} failOnUnexpectedState: true
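Review bot: `#storageClassName: ""` leaves `persistence.storages.nubusUdmListener` with no `storageClassName` key at all, while the comment above it says the chart's default empty string is wanted and the sibling entries visible here (`nubusProvisioningNats`, `oxConnector`) carry `storageClassName: ~`. An absent key and a null key are not the same thing to templates that reference the path, so either keep the sibling shape with `storageClassName: ~` plus a comment that the value is intentionally not forwarded to the chart, or state in the comment that the key is deliberately absent until the later release it mentions. yamllint will also flag `#storageClassName` for the missing space after `#`; `# storageClassName: ""` matches the other comments in this file.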