fix(nubus): Merge yaml files for better maintainability

docs/debugging.md

@@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0
   * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
   * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
+  * [Helmfile](#helmfile)
   * [MariaDB](#mariadb)
   * [Nextcloud](#nextcloud)
   * [OpenProject](#openproject)
@@ -142,6 +143,15 @@ kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
 
 # Components
 
+## Helmfile
+
+When refactoring the Helmfile structure you want to ensure that there are not unintended mistakes by e.g. `diff`
+comparing the output of Helmfile from before and after the change by calling:
+
+```shell
+helmfile template -e dev >output_to_compare.yaml
+```
+
 ## MariaDB
 
 When using the openDesk bundled MariaDB, you can explore the database(s) using the MariaDB interactive terminal from the Pod's command line: `mariadb -u root -p`. On the password prompt, provide the value for `MARIADB_ROOT_PASSWORD` found in the Pod's environment.

helmfile/apps/nubus/helmfile-child.yaml.gotmpl

@@ -44,8 +44,6 @@ releases:
     version: "{{ .Values.charts.nubus.version }}"
     values:
       - "values-nubus.yaml.gotmpl"
-      - "values-opendesk-customization.yaml.gotmpl"
-      - "values-opendesk-images.yaml.gotmpl"
       {{ range .Values.customization.release.ums }}
       - {{ . }}
       {{ end }}

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -1,728 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-keycloak:
-  enabled: true
-  ingress:
-    enabled: false
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: false
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-keycloak"
-  replicaCount: {{ .Values.replicas.keycloak }}
-  resources:
-    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
-
-nubusGuardian:
-  authorizationApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-authorization-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
-    resources:
-      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
-  managementApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-management-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
-    resources:
-      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
-  managementUi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-management-ui"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
-    resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
-  openPolicyAgent:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
-    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
-    resources:
-      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
-  provisioning:
-    # Using openDesk keycloak provisioning
-    enabled: false
-
-nubusNotificationsApi:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-notifications-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    create: true
-  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
-  resources:
-    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
-
-nubusUmcServer:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-umc-server"
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextInit:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextSssd:
-    enabled: true
-    allowPrivilegeEscalation: true
-    capabilities:
-      drop:
-        - "ALL"
-      add:
-        - "DAC_OVERRIDE"
-        - "SETGID"
-        - "AUDIT_WRITE"
-        - "SETUID"
-        - "CHOWN"
-        - "SETPCAP"
-        - "FOWNER"
-        - "FSETID"
-        - "KILL"
-        - "MKNOD"
-        - "NET_BIND_SERVICE"
-        - "SYS_CHROOT"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  proxy:
-    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
-  replicaCount: {{ .Values.replicas.umsUmcServer }}
-
-  resources:
-    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
-  selfService:
-    passwordresetEmailBody: |
-        Sehr geehrte Benutzerin, sehr geehrter Benutzer,
-
-        Ihr Benutzername für {domainname} lautet: {username}
-
-        Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
-
-        Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
-        https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
-
-        Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
-        https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
-
-        Mit freundlichen Grüßen
-        Ihr {domainname} Passwort-Service
-
-nubusKeycloakExtensions:
-  enabled: true
-  handler:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
-    resources:
-      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
-  proxy:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
-    resources:
-      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
-
-nubusPortalConsumer:
-  portalConsumer:
-    image:
-      pullSecrets:
-        {{- range .Values.global.imagePullSecrets }}
-        - name: {{ . | quote }}
-        {{- end }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
-  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
-  persistence:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
-  securityContext:
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
-  {{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "trusted-cert-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-          - key: "ca.crt"
-            path: "cacert.pem"
-  extraVolumeMounts:
-    - name: "trusted-cert-secret-volume"
-      mountPath: "/etc/ssl/certs/ca-certificates.crt"
-      subPath: "ca-certificates.crt"
-  waitForDependency:
-    extraVolumeMounts:
-      - name: "trusted-cert-secret-volume"
-        readOnly: true
-        mountPath: "/etc/ssl/certs/ca-certificates.crt"
-        subPath: "ca-certificates.crt"
-      - name: "trusted-cert-secret-volume"
-        readOnly: true
-        mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
-        subPath: "cacert.pem"
-    extraEnvVars:
-      - name: "REQUESTS_CA_BUNDLE"
-        value: "/etc/ssl/certs/ca-certificates.crt"
-      - name: "DEFAULT_CA_BUNDLE_PATH"
-        value: "/etc/ssl/certs/ca-certificates.crt"
-      - name: "SSL_CERT_FILE"
-        value: "/etc/ssl/certs/ca-certificates.crt"
-  {{- end }}
-
-nubusUdmListener:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 102
-    runAsGroup: 65534
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUdmListener }}
-  resources:
-    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
-
-nubusPortalServer:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-portal-server"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    create: true
-  replicaCount: {{ .Values.replicas.umsPortalServer }}
-  resources:
-    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
-  {{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "trusted-cert-crt-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-          - key: "ca.crt"
-            path: "cacert.pem"
-  extraVolumeMounts:
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/etc/ssl/certs/ca-certificates.crt"
-      subPath: "ca-certificates.crt"
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
-      subPath: "cacert.pem"
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
-      subPath: "cacert.pem"
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
-      subPath: "cacert.pem"
-  {{- end }}
-
-nubusLdapNotifier:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 101
-    runAsGroup: 102
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-ldap-notifier"
-  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
-  resources:
-    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
-
-nubusLdapServer:
-  global:
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-  replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
-  replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
-  replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-ldap-server"
-  serviceAccount:
-    create: true
-  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
-  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
-  persistence:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-  extraVolumes:
-    - name: "migration-scripts"
-      secret:
-        secretName: "ums-ldap-server-migration"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/30-purge.sh"
-      subPath: "30-purge.sh"
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
-      subPath: "95-slapadd-24-ldif.sh"
-  extraSecrets:
-    - name: "ums-ldap-server-migration"
-      stringData:
-        30-purge.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- Cleaning up /var/lib/univention-ldap."
-            cd /var/lib/univention-ldap
-            rm -rf internal
-            rm -rf ldap
-            ls -l
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-        95-slapadd-24-ldif.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          ls -l /var/lib/univention-ldap
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
-            ls -l /var/lib/univention-ldap/
-            rm -rf /var/lib/univention-ldap/ldap
-            rm -rf /var/lib/univention-ldap/internal
-            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            mkdir /var/lib/univention-ldap/ldap
-            mkdir /var/lib/univention-ldap/internal
-            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
-            echo "- slapadd executed"
-            ls -l /var/lib/univention-ldap/
-            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
-            echo "- import file renamed"
-            ls -l /var/lib/univention-ldap/
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-nubusPortalFrontend:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-portal-frontend"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    create: true
-  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
-  resources:
-    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
-  portalFrontend:
-    branding:
-      css: {{ .Values.theme.styles.portal.main | toJson }}
-      # Requires .ico, .svg does not work.
-      favicon: {{ .Values.theme.imagery.portal.faviconIco | toJson }}
-      # The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
-      logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }}
-      backgroundImage: {{ .Values.theme.imagery.portal.backgroundSvg | toJson }}
-
-nubusStackDataUms:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
-  pullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-stack-data-ums"
-  resources:
-    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
-  initResources:
-    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
-
-nubusSelfServiceConsumer:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-selfservice-listener"
-  resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
-
-nubusUdmRestApi:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-udm-rest-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    annotations:
-      intended.usage: "compliance"
-  resources:
-    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
-  initResources:
-    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-
-nubusUmcGateway:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUmcGateway }}
-  resources:
-    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-  initResources:
-    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-
-nubusKeycloakBootstrap:
-  additionalAnnotations:
-    argocd.argoproj.io/hook: "Sync"
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    readOnlyRootFilesystem: false
-    runAsGroup: 1000
-    runAsNonRoot: true
-    runAsUser: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
-  resources:
-    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
-
-nubusProvisioning:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount:
-    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
-    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
-    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
-    api: {{ .Values.replicas.umsProvisioningApi }}
-
-  serviceAccount:
-    create: true
-  nats:
-    config:
-      cluster:
-        replicas: {{ .Values.replicas.umsProvisioningNats }}
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - "ALL"
-      enabled: true
-      runAsUser: 1000
-      runAsGroup: 1000
-      seccompProfile:
-        type: "RuntimeDefault"
-      readOnlyRootFilesystem: true
-      runAsNonRoot: true
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    persistence:
-      size: {{ .Values.persistence.size.nubus.provisioningNats }}
-    resources:
-      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-nats"
-    serviceAccount:
-      create: true
-  api:
-    resources:
-      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-api"
-  dispatcher:
-    resources:
-      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
-  prefill:
-    resources:
-      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-prefill"
-  registerConsumers:
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
-  udmTransformer:
-    resources:
-      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
-  resources:
-    registerConsumers:
-      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -1,266 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-keycloak:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
-    repository: {{ .Values.images.nubusKeycloak.repository }}
-    tag: {{ .Values.images.nubusKeycloak.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusKeycloakBootstrap:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
-    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
-    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusKeycloakExtensions:
-    handler:
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
-        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
-        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-    proxy:
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
-        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
-        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusLdapNotifier:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
-    repository: {{ .Values.images.nubusLdapNotifier.repository }}
-    tag: {{ .Values.images.nubusLdapNotifier.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusLdapServer:
-  ldapServer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
-      repository: {{ .Values.images.nubusLdapServer.repository }}
-      tag: {{ .Values.images.nubusLdapServer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    leaderElector:
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }}
-        repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }}
-        tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  dhInitcontainer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
-      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
-      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForDependency:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusNotificationsApi:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
-    repository: {{ .Values.images.nubusNotificationsApi.repository }}
-    tag: {{ .Values.images.nubusNotificationsApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalFrontend:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
-    repository: {{ .Values.images.nubusPortalFrontend.repository }}
-    tag: {{ .Values.images.nubusPortalFrontend.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalConsumer:
-  portalConsumer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
-      repository: {{ .Values.images.nubusPortalConsumer.repository }}
-      tag: {{ .Values.images.nubusPortalConsumer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForDependency:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalServer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
-    repository: {{ .Values.images.nubusPortalServer.repository }}
-    tag: {{ .Values.images.nubusPortalServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusProvisioning:
-  api:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
-      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  dispatcher:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
-      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  udmTransformer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
-      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  prefill:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
-      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registerConsumers:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  nats:
-    nats:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
-        repository: {{ .Values.images.nubusNats.repository }}
-        tag: {{ .Values.images.nubusNats.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    reloader:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
-        repository: {{ .Values.images.nubusNatsReloader.repository }}
-        tag: {{ .Values.images.nubusNatsReloader.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    natsBox:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
-        repository: {{ .Values.images.nubusNatsBox.repository }}
-        tag: {{ .Values.images.nubusNatsBox.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusProvisioningEventsAndConsumerApi:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
-    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
-    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusProvisioningPrefill:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
-    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
-    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUdmListener:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
-    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
-    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusSelfServiceConsumer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
-    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
-    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForDependency:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUdmRestApi:
-  udmRestApi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
-      repository: {{ .Values.images.nubusUdmRestApi.repository }}
-      tag: {{ .Values.images.nubusUdmRestApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUmcGateway:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
-    repository: {{ .Values.images.nubusUmcGateway.repository }}
-    tag: {{ .Values.images.nubusUmcGateway.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUmcServer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
-    repository: {{ .Values.images.nubusUmcServer.repository }}
-    tag: {{ .Values.images.nubusUmcServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  proxy:
-    image:
-      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
-      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
-      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusWaitForDependency:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.nubusWaitForDependency.repository }}
-    tag: {{ .Values.images.nubusWaitForDependency.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-
-nubusGuardian:
-  provisioning:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
-      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  authorizationApi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
-      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  managementApi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
-      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  managementUi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
-      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  openPolicyAgent:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
-      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
-      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusStackDataUms:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
-    repository: {{ .Values.images.nubusDataLoader.repository }}
-    tag: {{ .Values.images.nubusDataLoader.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}