From 72e3afdffdeb6f88f8e926426dbc26adf4b54e7a Mon Sep 17 00:00:00 2001 From: Dominik Kaminski Date: Wed, 11 Oct 2023 14:34:40 +0200 Subject: [PATCH] fix(services): Add memcached service Add documentation about cache service and refactor into seperate default environment file. Refactor OpenProject to use external memcached service. --- CHANGELOG.md | 5 ++ README.md | 73 ++++++++++++------- helmfile/apps/intercom-service/helmfile.yaml | 1 - helmfile/apps/intercom-service/values.gotmpl | 4 +- helmfile/apps/intercom-service/values.yaml | 8 -- .../apps/nextcloud/values-nextcloud.gotmpl | 6 +- helmfile/apps/openproject/values.gotmpl | 3 + helmfile/apps/openproject/values.yaml | 9 +++ helmfile/apps/services/helmfile.yaml | 7 ++ .../apps/services/values-memcached.gotmpl | 19 +++++ helmfile/apps/services/values-memcached.yaml | 18 +++++ helmfile/environments/default/cache.yaml | 16 ++++ helmfile/environments/default/images.yaml | 4 +- helmfile/environments/default/resources.yaml | 7 ++ helmfile/environments/default/workplace.yaml | 2 + 15 files changed, 143 insertions(+), 39 deletions(-) delete mode 100644 helmfile/apps/intercom-service/values.yaml create mode 100644 helmfile/apps/services/values-memcached.gotmpl create mode 100644 helmfile/apps/services/values-memcached.yaml create mode 100644 helmfile/environments/default/cache.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 6516d0a9..a66c26f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -459,3 +459,8 @@ * **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989)) * **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d)) * **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424)) + + diff --git a/README.md b/README.md index 6f9c89f4..dbec3fc1 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,7 @@ subdirectory `/helmfile/apps/services`. | Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional | | Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional | | MariaDB | `mariadb.enabled` | `true` | Database | Eval | +| Memcached | `memcached.enabled` | `true` | Cache Database | Eval | | Nextcloud | `nextcloud.enabled` | `true` | File share | Functional | | OpenProject | `openproject.enabled` | `true` | Project management | Functional | | OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional | @@ -238,8 +239,8 @@ subdirectory `/helmfile/apps/services`. #### Databases -In case you don't got for a develop or evaluation environment you want to point -the application to your own database instances. +When deploying this suite to production, you need to configure the applications to use your production grade database +service. | Component | Name | Type | Parameter | Key | Default | |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------| 
@@ -283,6 +284,24 @@ the application to your own database instances. | | | | Username | `databases.xwiki.username` | `xwiki_user` | | | | | Password | `databases.xwiki.password` | | +#### Cache + +When deploying this suite to production, you need to configure the applications to use your production grade cache +service. + +| Component | Name | Type | Parameter | Key | Default | +|------------------|------------------|-----------|-----------|------------------------------|------------------| +| Intercom Service | Intercom Service | Redis | | | | +| | | | Host | `cache.intercomService.host` | `redis-headless` | +| | | | Port | `cache.intercomService.port` | `6379` | +| Nextcloud | Nextcloud | Redis | | | | +| | | | Host | `cache.nextcloud.host` | `redis-headless` | +| | | | Port | `cache.nextcloud.port` | `6379` | +| OpenProject | OpenProject | Memcached | | | | +| | | | Host | `cache.openproject.host` | `memcached` | +| | | | Port | `cache.openproject.port` | `11211` | + + ### Scaling The Replicas of components can be increased, while we still have to look in the 
@@ -350,30 +369,32 @@ This section summarizes various aspects of security and compliance aspects. This list gives you an overview of default security settings and if they comply with security standards: -| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | -|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| -| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | -| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 
10991 | - | 10991 | -| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | -| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | -| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | -| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | -| PostgreSQL | postgresql | 
:white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | +|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| +| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | +| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | +| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | +| | synapseWeb | 
:white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | +| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | +| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | +| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | +| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | +| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 
| +| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | +| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - | +| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | ### Helm Chart Trust Chain diff --git a/helmfile/apps/intercom-service/helmfile.yaml b/helmfile/apps/intercom-service/helmfile.yaml index 14d20a16..13a9e75a 100644 --- a/helmfile/apps/intercom-service/helmfile.yaml +++ b/helmfile/apps/intercom-service/helmfile.yaml @@ -17,7 +17,6 @@ releases: chart: "intercom-service-repo/intercom-service" version: "2.0.0" values: - - "values.yaml" - "values.gotmpl" condition: "intercom.enabled" diff --git a/helmfile/apps/intercom-service/values.gotmpl b/helmfile/apps/intercom-service/values.gotmpl index 9f25eb3f..323662f7 100644 --- a/helmfile/apps/intercom-service/values.gotmpl +++ b/helmfile/apps/intercom-service/values.gotmpl @@ -25,7 +25,9 @@ ics: portal: apiKey: {{ .Values.secrets.centralnavigation.apiKey }} redis: - password: {{ .Values.secrets.redis.password }} + host: {{ .Values.cache.intercomService.host }} + port: {{ .Values.cache.intercomService.port }} + password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password }} openxchange: url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" diff --git a/helmfile/apps/intercom-service/values.yaml b/helmfile/apps/intercom-service/values.yaml deleted file mode 100644 index c20a4004..00000000 --- a/helmfile/apps/intercom-service/values.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -istio: - enabled: false - virtualService: - enabled: false -... 
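Review bot: The three new `redis:` values are rendered as bare scalars, so a password containing `#`, `: `, a leading `*`/`&`/`[`, or one that resolves to empty (the new `cache.intercomService.password` defaults to `""` and the fallback may itself be unset) yields a null or mis-parsed YAML value instead of a failed render. Pipe them through `quote`, e.g. `host: {{ .Values.cache.intercomService.host | quote }}` and `password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}`, leaving `port` numeric if the chart expects an integer. Separately, the sibling hunk drops `values.yaml`, which pinned `istio.enabled: false` for this release, so the chart's own istio default now applies unless the rest of this file (outside the hunk) sets it; that is worth confirming before merge.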
diff --git a/helmfile/apps/nextcloud/values-nextcloud.gotmpl b/helmfile/apps/nextcloud/values-nextcloud.gotmpl index 09843728..62b3c92d 100644 --- a/helmfile/apps/nextcloud/values-nextcloud.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl @@ -12,10 +12,14 @@ externalDatabase: user: "{{ .Values.databases.nextcloud.username }}" host: "{{ .Values.databases.nextcloud.host }}" password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}" +extraEnv: + REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }} + REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }} + REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password }} redis: auth: enabled: true - password: {{ .Values.secrets.redis.password }} + password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password }} ingress: enabled: {{ .Values.ingress.enabled }} className: {{ .Values.ingress.ingressClassName }} diff --git a/helmfile/apps/openproject/values.gotmpl b/helmfile/apps/openproject/values.gotmpl index 71df2eac..ed71702e 100644 --- a/helmfile/apps/openproject/values.gotmpl +++ b/helmfile/apps/openproject/values.gotmpl @@ -14,6 +14,9 @@ image: tag: "{{ .Values.images.openproject.tag }}" memcached: + connection: + host: "{{ .Values.cache.openproject.host }}" + port: {{ .Values.cache.openproject.port }} image: registry: "{{ .Values.global.imageRegistry }}" repository: "{{ .Values.images.memcached.repository }}" diff --git a/helmfile/apps/openproject/values.yaml b/helmfile/apps/openproject/values.yaml index 46f79bb2..ee09059e 100644 --- a/helmfile/apps/openproject/values.yaml +++ b/helmfile/apps/openproject/values.yaml @@ -4,6 +4,9 @@ image: registry: "registry.souvap-univention.de" +memcached: + bundled: false + probes: liveness: initialDelaySeconds: 300 
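Review bot: `REDIS_HOST_PASSWORD` under `extraEnv` places the Redis password in the pod spec as a literal environment value, readable by anyone with `get pods` in the namespace, while the same secret is also passed via `redis.auth.password`; if the chart already derives that env var from `redis.auth.password` the `extraEnv` copy is redundant, and if it does not, a `valueFrom.secretKeyRef` form (where `extraEnv` allows it) is preferable to a plain literal. The password line is also the only one of the three not piped through `quote`, so an empty or special-character value renders as null or broken YAML; use `REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}` to match the host and port lines. Whether the chart's bundled Redis is still deployed alongside the external `cache.nextcloud.host` depends on `redis.enabled`, which is outside this hunk.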
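Review bot: With `memcached.bundled: false` set in the accompanying values.yaml, the `memcached.image.*` block kept directly below the new `connection:` keys configures an image the chart presumably no longer deploys, which will mislead the next person auditing what actually runs. Either drop those keys or annotate them, e.g. `# bundled memcached is disabled in values.yaml; image keys kept only for chart schema compatibility — TODO confirm`, depending on how the OpenProject chart treats `bundled: false`, which I cannot verify from here.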
@@ -27,6 +30,12 @@ openproject: # seed will only be executed on initial installation seed_locale: "de" +securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + # For more details and more options see # https://www.openproject.org/docs/installation-and-operations/configuration/environment/ environment: diff --git a/helmfile/apps/services/helmfile.yaml b/helmfile/apps/services/helmfile.yaml index 82a35a45..8d8811dd 100644 --- a/helmfile/apps/services/helmfile.yaml +++ b/helmfile/apps/services/helmfile.yaml @@ -82,6 +82,13 @@ releases: - "values-redis.gotmpl" - "values-redis.yaml" condition: "redis.enabled" + - name: "memcached" + chart: "bitnami-repo/memcached" + version: "6.6.2" + values: + - "values-memcached.yaml" + - "values-memcached.gotmpl" + condition: "memcached.enabled" - name: "postgresql" chart: "postgresql-repo/postgresql" version: "2.0.2" diff --git a/helmfile/apps/services/values-memcached.gotmpl b/helmfile/apps/services/values-memcached.gotmpl new file mode 100644 index 00000000..69668778 --- /dev/null +++ b/helmfile/apps/services/values-memcached.gotmpl @@ -0,0 +1,19 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: "{{ .Values.global.imageRegistry }}" + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.memcached.repository }}" + tag: "{{ .Values.images.memcached.tag }}" + pullPolicy: "{{ .Values.global.imagePullPolicy }}" + +resources: + {{ .Values.resources.memcached | toYaml | nindent 2 }} +... diff --git a/helmfile/apps/services/values-memcached.yaml b/helmfile/apps/services/values-memcached.yaml new file mode 100644 index 00000000..17c46a86 --- /dev/null +++ b/helmfile/apps/services/values-memcached.yaml 
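Review bot: The new `securityContext` omits `capabilities.drop: ["ALL"]` and `runAsNonRoot`, and sets `readOnlyRootFilesystem: false` without saying why; this matches the three red marks the README gives OpenProject but records no rationale. Add a comment on that line naming the writable paths that forced it (e.g. `# image writes under its app dir at start-up — TODO confirm paths and move them to emptyDir mounts`), and try `capabilities: {drop: ["ALL"]}`, since nothing visible here shows the process needing a capability. If the chart supports a pod-level security context, `runAsNonRoot: true` with the image's real UID belongs there as well.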
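Review bot: The new `memcached` release lists `values-memcached.yaml` before `values-memcached.gotmpl`, the reverse of the `redis` release just above (`.gotmpl` then `.yaml`); helmfile merges the list in order with later files winning, so the two releases have opposite precedence between static and templated values. Pick one order for the directory, e.g. swap to `- "values-memcached.gotmpl"` then `- "values-memcached.yaml"`. Also note that `memcached.enabled` and `cache.openproject.host` are now coupled — disabling this release without repointing the host leaves OpenProject with an unresolvable `memcached` service — which deserves a comment next to `condition:`.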
@@ -0,0 +1,18 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1001 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + +serviceAccount: + create: true +... diff --git a/helmfile/environments/default/cache.yaml b/helmfile/environments/default/cache.yaml new file mode 100644 index 00000000..03de5112 --- /dev/null +++ b/helmfile/environments/default/cache.yaml @@ -0,0 +1,16 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +cache: + intercomService: + host: "redis-headless" + port: 6379 + password: "" + nextcloud: + host: "redis-headless" + port: 6379 + password: "" + openproject: + host: "memcached" + port: 11211 +... diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml index 5d93a7f1..317f4f67 100644 --- a/helmfile/environments/default/images.yaml +++ b/helmfile/environments/default/images.yaml @@ -77,8 +77,8 @@ images: # @supplier: "openDesk DevSecOps" memcached: repository: "bitnami/memcached" - tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd" - # @supplier: "OpenProject" + tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d" + # @supplier: "openDesk DevSecOps" milter: repository: "clamav/clamav" tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f" diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml index 750436d5..1b5288b1 100644 --- a/helmfile/environments/default/resources.yaml +++ b/helmfile/environments/default/resources.yaml 
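Review bot: This hardens the container but nothing limits who can talk to it: memcached speaks an unauthenticated protocol on 11211, so with a plain ClusterIP Service every workload in the namespace can read or poison OpenProject's Rails cache. If this chart version exposes `networkPolicy` or SASL (`memcachedUsername`/`memcachedPassword`) options, enable one of them scoped to the OpenProject pods; otherwise ship a standalone NetworkPolicy and document the trust assumption in this file. Since memcached never calls the Kubernetes API, also set `automountServiceAccountToken: false` under the created `serviceAccount` if the chart offers that key. The README row claims `fsGroup` 1001, which is not set here and so relies on the chart's pod-level default — worth a comment so the table stays verifiable.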
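Review bot: `password: ""` under `intercomService` and `nextcloud` reads as "no authentication", but the consuming templates use `default`, so an empty value means "fall back to `secrets.redis.password`" and there is no way to express an external Redis that genuinely has no password. Spell that out in the file, e.g. `# empty = use secrets.redis.password (bundled Redis credential); set when pointing at an external Redis`, and add a matching note that `openproject` has no password key because memcached is wired without auth. The README's Cache table in this commit also omits these two password keys, so operators migrating to production Redis will not find them.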
@@ -114,6 +114,13 @@ resources: requests: cpu: 0.1 memory: "500Mi" + memcached: + limits: + cpu: 1 + memory: "256Mi" + requests: + cpu: 0.1 + memory: "32Mi" milter: limits: cpu: 4 diff --git a/helmfile/environments/default/workplace.yaml b/helmfile/environments/default/workplace.yaml index e6522989..30cd4fbd 100644 --- a/helmfile/environments/default/workplace.yaml +++ b/helmfile/environments/default/workplace.yaml @@ -21,6 +21,8 @@ keycloak: enabled: true mariadb: enabled: true +memcached: + enabled: true nextcloud: enabled: true openproject:
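Review bot: `memcached.limits.memory: "256Mi"` is only safe while it stays above the daemon's configured item cache (`-m`, which the Bitnami image sets via `MEMCACHED_CACHE_SIZE`, defaulting to 64 MB as far as I recall) plus connection buffers; if someone later raises the cache size without touching this limit, the pod is OOM-killed and the cache silently restarts empty. Add a comment tying the two together, e.g. `# keep above memcached cache size (MEMCACHED_CACHE_SIZE, default 64 MB) plus overhead`, and consider setting the cache size explicitly in values-memcached so the relationship is visible in one place.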