sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 23:41:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(services): Add memcached service

Browse Source 
Add documentation about cache service and refactor into seperate default environment file.
Refactor OpenProject to use external memcached service.
This commit is contained in:
Dominik Kaminski
2023-10-11 14:34:40 +02:00
parent 85b8fcaab5
commit 72e3afdffd
15 changed files with 143 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@@ -459,3 +459,8 @@
* **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
* **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
* **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->

73
README.md
View File

@@ -215,6 +215,7 @@ subdirectory `/helmfile/apps/services`.
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
@@ -238,8 +239,8 @@ subdirectory `/helmfile/apps/services`.
#### Databases
In case you don't got for a develop or evaluation environment you want to point
the application to your own database instances.
When deploying this suite to production, you need to configure the applications to use your production grade database
service.
| Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
@@ -283,6 +284,24 @@ the application to your own database instances.
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
#### Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
service.
| Component | Name | Type | Parameter | Key | Default |
|------------------|------------------|-----------|-----------|------------------------------|------------------|
| Intercom Service | Intercom Service | Redis | | | |
| | | | Host | `cache.intercomService.host` | `redis-headless` |
| | | | Port | `cache.intercomService.port` | `6379` |
| Nextcloud | Nextcloud | Redis | | | |
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
| | | | Port | `cache.nextcloud.port` | `6379` |
| OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` |
### Scaling
The Replicas of components can be increased, while we still have to look in the
@@ -350,30 +369,32 @@ This section summarizes various aspects of security and compliance aspects.
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
### Helm Chart Trust Chain

1
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -17,7 +17,6 @@ releases:
chart: "intercom-service-repo/intercom-service"
version: "2.0.0"
values:
- "values.yaml"
- "values.gotmpl"
condition: "intercom.enabled"

4
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -25,7 +25,9 @@ ics:
portal:
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
redis:
password: {{ .Values.secrets.redis.password }}
host: {{ .Values.cache.intercomService.host }}
port: {{ .Values.cache.intercomService.port }}
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"

8
helmfile/apps/intercom-service/values.yaml
View File

@@ -1,8 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
istio:
enabled: false
virtualService:
enabled: false
...

6
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -12,10 +12,14 @@ externalDatabase:
user: "{{ .Values.databases.nextcloud.username }}"
host: "{{ .Values.databases.nextcloud.host }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
extraEnv:
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password }}
redis:
auth:
enabled: true
password: {{ .Values.secrets.redis.password }}
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}

3
helmfile/apps/openproject/values.gotmpl
View File

@@ -14,6 +14,9 @@ image:
tag: "{{ .Values.images.openproject.tag }}"
memcached:
connection:
host: "{{ .Values.cache.openproject.host }}"
port: {{ .Values.cache.openproject.port }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"

9
helmfile/apps/openproject/values.yaml
View File

@@ -4,6 +4,9 @@
image:
registry: "registry.souvap-univention.de"
memcached:
bundled: false
probes:
liveness:
initialDelaySeconds: 300
@@ -27,6 +30,12 @@ openproject:
# seed will only be executed on initial installation
seed_locale: "de"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
# For more details and more options see
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
environment:

7
helmfile/apps/services/helmfile.yaml
View File

@@ -82,6 +82,13 @@ releases:
- "values-redis.gotmpl"
- "values-redis.yaml"
condition: "redis.enabled"
- name: "memcached"
chart: "bitnami-repo/memcached"
version: "6.6.2"
values:
- "values-memcached.yaml"
- "values-memcached.gotmpl"
condition: "memcached.enabled"
- name: "postgresql"
chart: "postgresql-repo/postgresql"
version: "2.0.2"

19
helmfile/apps/services/values-memcached.gotmpl Normal file
View File

@@ -0,0 +1,19 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}
...

18
helmfile/apps/services/values-memcached.yaml Normal file
View File

@@ -0,0 +1,18 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
serviceAccount:
create: true
...

16
helmfile/environments/default/cache.yaml Normal file
View File

@@ -0,0 +1,16 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
cache:
intercomService:
host: "redis-headless"
port: 6379
password: ""
nextcloud:
host: "redis-headless"
port: 6379
password: ""
openproject:
host: "memcached"
port: 11211
...

4
helmfile/environments/default/images.yaml
View File

@@ -77,8 +77,8 @@ images:
# @supplier: "openDesk DevSecOps"
memcached:
repository: "bitnami/memcached"
tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
# @supplier: "OpenProject"
tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
# @supplier: "openDesk DevSecOps"
milter:
repository: "clamav/clamav"
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"

7
helmfile/environments/default/resources.yaml
View File

@@ -114,6 +114,13 @@ resources:
requests:
cpu: 0.1
memory: "500Mi"
memcached:
limits:
cpu: 1
memory: "256Mi"
requests:
cpu: 0.1
memory: "32Mi"
milter:
limits:
cpu: 4

2
helmfile/environments/default/workplace.yaml
View File

@@ -21,6 +21,8 @@ keycloak:
enabled: true
mariadb:
enabled: true
memcached:
enabled: true
nextcloud:
enabled: true
openproject: