fix(univention-management-stack): Support for object-storage icons and portal files

fix(univention-management-stack): Test otterize policies
2025-12-06 07:21:36 +01:00 · 2024-02-09 16:32:26 +01:00
parent f2b8acfba8
commit 83ac645fae
11 changed files with 41 additions and 88 deletions
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -85,6 +85,8 @@ provisioning:
  enabled: true
  cleanupAfterFinished:
    enabled: true
+  extraCommands:
+    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
    - name: "openproject"
      versioning: true
@@ -92,8 +94,8 @@ provisioning:
    - name: "openxchange"
      versioning: true
      withLock: false
-    - name: "ums"
-      versioning: true
+    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} 
+      versioning: false
      withLock: false
    - name: "nextcloud"
      versioning: true
@@ -160,7 +162,7 @@ provisioning:
      policies:
        - "openxchange-bucket-policy"
      setPolicies: true
-    - username: "ums_user"
+    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
      password: {{ .Values.secrets.minio.umsUser | quote }}
      disabled: false
      policies:
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -34,13 +34,6 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
-  - name: "ums-store-dav-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsStoreDav.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
  - name: "ums-ldap-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapServer.verify }}
@@ -219,15 +212,6 @@ releases:
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

-  - name: "ums-store-dav"
-    chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
-    version: "{{ .Values.charts.umsStoreDav.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-store-dav.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
  - name: "ums-ldap-server"
    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
    version: "{{ .Values.charts.umsLdapServer.version }}"
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -23,8 +23,8 @@ persistence:

 portalListener:
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
+  assetsRootPath: "portal-assets"
+  ucsInternalPath: "portal-data"

  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
@@ -41,6 +41,10 @@ portalListener:
  udmApiUsername: "cn=admin"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  objectStorageEndpoint: "http://minio:9000"
+  objectStorageBucket: "ums"
+  objectStorageAccessKeyId: "ums_user"
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}

 resources:
  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -18,7 +18,11 @@ portalServer:
  umcSessionUrl: "http://ums-umc-server/get/session-info"
  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
+  ucsInternalPath: "portal-data"
+  objectStorageEndpoint: "http://minio:9000"
+  objectStorageBucket: "ums"
+  objectStorageAccessKeyId: "ums_user"
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
  centralNavigation:
    enabled: true
    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -173,22 +173,22 @@ serverBlock: |
    }


-    ## store-dav
+    ## object storage (minio)
    location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
    }
    location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
    }
    location /univention/selfservice/icons/entries/ {
-      rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
    }
    location /univention/selfservice/icons/logos/ {
-      rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
+      rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
+      proxy_pass http://minio:9000;
    }


--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -343,7 +343,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
    name: "opendesk-otterize"
-    version: "1.7.1"
+    version: "1.7.3"
    verify: true
    # @supplier: "openDesk"

@@ -581,7 +581,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "portal-frontend"
-    version: "0.9.2"
+    version: "0.14.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -595,7 +595,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "portal-listener"
-    version: "0.9.2"
+    version: "0.14.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -609,7 +609,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "portal-server"
-    version: "0.9.2"
+    version: "0.14.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -671,20 +671,6 @@ charts:
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '41', '8']

-  umsStoreDav:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/store-dav
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "store-dav"
-    version: "0.9.3"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '3']
-
  umsUdmRestApi:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -579,18 +579,6 @@ images:
    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
    # @supplier: "Element"

-  umsConfigHtpasswd:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/config-htpasswd
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/config-htpasswd"
-    tag: "0.9.4@sha256:ba4f6fa2736a789c6c7413cc784bfadbeda1b3269fee29a871207f6f2ba2ee08"
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '4']
-
  umsDataLoader:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
@@ -742,7 +730,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.9.4@sha256:97887159fc4a7febdf663761a65b7fac2eb7b99b6dd042c7d63ce6b254ea6fb9"
+    tag: "0.14.0@sha256:6f96a7479728e07c3d3311c85e1d14f7ef45f4d5bc5c9a008ce62203ef232f79"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
@@ -754,7 +742,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.9.4@sha256:1e03db8153cbff0825c4370526d5d44a6b9b92c643b0e605d1bfc762ebac3a31"
+    tag: "0.14.0@sha256:5c86167d3a6ff7e85ff7e870596dd9864c1802b4f622c1f2378472744d4c4c34"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
@@ -766,7 +754,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.9.4@sha256:47c825f83b61799b287b11cf5c548e05000c21e7d071d1f2095fbba4c952d84c"
+    tag: "0.14.0@sha256:d608db0692f9638e53101dabaf7749a9fbc29c316194f1977bd8986444f9f472"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
@@ -871,18 +859,6 @@ images:
    tag: "1.25.3@sha256:40ce0d6b8f5fc174a4df8c59c8893164c540192ee862cb7253650a30d9dc3b73"
    # @supplier: "Univention"

-  umsStoreDav:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/store-dav
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/store-dav"
-    tag: "0.9.4@sha256:4a2c7675c15a244a3a8c002e030db425cdbe5cd7bf8c21ced4bac6f5252382bd"
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '4']
-
  umsUdmRestApi:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
@@ -926,7 +902,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.9.4@sha256:63451fe519d557e52d5f99e21231594daebb2990eb734931172ad61543c443cb"
+    tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -12,4 +12,12 @@ objectstores:
    secret: ""
    username: "openproject_user"
    useIAMProfile: ""
+  univentionManagementStack:
+    backend: "minio"
+    bucket: "ums"
+    endpoint: ""
+    region: ""
+    secret: ""
+    username: "ums_user"
+    useIAMProfile: ""
 ...
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -21,6 +21,5 @@ persistence:
      ldapServerShared: "1Gi"
      portalListener: "1Gi"
      selfserviceListener: "1Gi"
-      storeDav: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -466,13 +466,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsStoreDav:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
  umsUdmRestApi:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -24,9 +24,6 @@ secrets:
      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
      adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
-    storeDavUsers:
-      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
-      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
  postgresql:
    postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
    keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}