From 8c97bcf994487281ae94e6d66c73f4a11c08a0be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20K=C3=B6nig-Festl?=
Date: Thu, 14 Mar 2024 15:59:31 +0100
Subject: [PATCH] fix(univention-management-stack): Update provisioning charts, images and helm value to add authentication
---
 ...lues-provisioning-udm-listener.yaml.gotmpl | 5 +
 .../values-provisioning.yaml.gotmpl | 176 ++++++++++++++++--
 helmfile/environments/default/charts.yaml | 4 +-
 helmfile/environments/default/images.yaml | 8 +-
 helmfile/environments/default/secrets.gotmpl | 15 ++
 5 files changed, 184 insertions(+), 24 deletions(-)
diff --git a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
index ceb123ad..a804db1c 100644
--- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
@@ -22,6 +22,11 @@ config:
 tlsMode: "off"
 natsHost: "ums-provisioning-nats"
 natsPort: "4222"
+ natsUser: "udmlistener"
+ natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+ internalApiHost: "ums-provisioning-api"
+ eventsUsernameUdm: "udmproducer"
+ eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
 resources:
 {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
index c4f2cd37..e5072e37 100644
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
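Review bot: The two templated secrets `natsPassword` and `eventsPasswordUdm` are emitted as bare scalars, while the sibling `UDM_PASSWORD` entry added to values-provisioning.yaml.gotmpl in this same commit uses `| quote`; a derived sha1 hex string that happens to match a number pattern (digits, then `e`, then digits) is then retyped by the YAML parser and the listener authenticates with a mangled value. Append the filter on both lines: `natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword | quote }}` and `eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword | quote }}`. Whether the udm-listener chart renders `config.*` into a Secret or a ConfigMap is not visible here; if it is a ConfigMap, both credentials become readable by anyone with configmap access in the namespace and should move to a `credentialSecretName`-style reference like the other provisioning components in this commit. The `config:` mapping starts before this hunk.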
@@ -4,23 +4,6 @@ SPDX-License-Identifier: Apache-2.0 */}}
 ---
-dispatcher:
- image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
- repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
- resources:
- {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
- config:
- UDM_HOST: "ums-udm-rest-api"
- UDM_PORT: 9979
- UDM_USERNAME: "cn=admin"
-
 api:
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -35,6 +18,24 @@ api:
 rootPath: "/univention/provisioning-api"
 resources:
 {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
+ credentialSecretName: "ums-provisioning-api-credentials"
+
+dispatcher:
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
+ repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+ resources:
+ {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+ config:
+ UDM_HOST: "ums-udm-rest-api"
+ UDM_PORT: 80
+ credentialSecretName: "ums-provisioning-dispatcher-credentials"
 prefill:
 image:
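Review bot: The re-added `dispatcher.config` block still declares `UDM_HOST`/`UDM_PORT`, but the secret it now points at (`ums-provisioning-dispatcher-credentials`, defined further down in this file) carries only `NATS_*` and `DISPATCHER_*` keys, and the removed `UDM_USERNAME: "cn=admin"` is not replaced by anything; if the 0.20.2 dispatcher still calls UDM it will start without UDM credentials, and if it no longer does, the two `UDM_*` keys are dead config that advertises a privilege the component does not have. Either add `UDM_USERNAME`/`UDM_PASSWORD` to that secret or drop the two keys from `config`. `UDM_PORT` also moves from 9979 to 80 for both dispatcher and prefill without explanation; a one-line note such as `# 0.20.x talks to the udm-rest-api Service port, not the container port` (if that is the reason) would save the next reader a chart dive. The `prefill:` block this hunk ends in continues outside the hunk.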
@@ -48,13 +49,152 @@ prefill:
 {{- end }}
 resources:
 {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+ config:
+ UDM_HOST: "ums-udm-rest-api"
+ UDM_PORT: 80
+ credentialSecretName: "ums-provisioning-prefill-credentials"
 nats:
- bundled: true
+ affinity: ""
 nameOverride: ""
+ bundled: true
+ connection:
+ host: "ums-provisioning-nats"
+ port: 4222
+ config:
+ authorization:
+ enabled: true
+ users:
+ - user: "$NATS_USER"
+ password: "$NATS_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+ - user: "$NATS_API_USER"
+ password: "$NATS_API_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+ - user: "$NATS_DISPATCHER_USER"
+ password: "$NATS_DISPATCHER_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+ - user: "$NATS_PREFILL_USER"
+ password: "$NATS_PREFILL_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+ - user: "$NATS_UDMLISTENER_USER"
+ password: "$NATS_UDMLISTENER_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+ - user: "$NATS_ADMIN_USER"
+ password: "$NATS_ADMIN_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
 resources:
 {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
+ extraEnvVars:
+ - name: NATS_USER
+ value: "master_admin"
+ - name: NATS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-nats-credentials
+ key: admin_password
+ - name: NATS_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-api-credentials
+ key: ADMIN_NATS_USER
+ - name: NATS_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-api-credentials
+ key: ADMIN_NATS_PASSWORD
+ - name: NATS_API_USER
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-api-credentials
+ key: NATS_USER
+ - name: NATS_API_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-api-credentials
+ key: NATS_PASSWORD
+ - name: NATS_DISPATCHER_USER
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-dispatcher-credentials
+ key: NATS_USER
+ - name: NATS_DISPATCHER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-dispatcher-credentials
+ key: NATS_PASSWORD
+ - name: NATS_PREFILL_USER
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-prefill-credentials
+ key: NATS_USER
+ - name: NATS_PREFILL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-prefill-credentials
+ key: NATS_PASSWORD
+ - name: NATS_UDMLISTENER_USER
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-udmlistener-credentials
+ key: NATS_USER
+ - name: NATS_UDMLISTENER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-udmlistener-credentials
+ key: NATS_PASSWORD
+
+extraSecrets:
+ - name: ums-provisioning-nats-credentials
+ stringData:
+ admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
+ - name: ums-provisioning-api-credentials
+ stringData:
+ NATS_USER: "api"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+ ADMIN_NATS_USER: "admin"
+ ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+ UDM_HOST: "udm-rest-api"
+ ADMIN_USERNAME: "admin"
+ ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+ DISPATCHER_USERNAME: "dispatcher"
+ DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+ PREFILL_USERNAME: "prefill"
+ PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+ EVENTS_USERNAME_UDM: "udmproducer"
+ EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+ - name: ums-provisioning-dispatcher-credentials
+ stringData:
+ NATS_USER: "dispatcher"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
+ DISPATCHER_USERNAME: "dispatcher"
+ DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+ - name: ums-provisioning-prefill-credentials
+ stringData:
+ NATS_USER: "prefill"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+ UDM_USERNAME: "cn=admin"
+ UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ PREFILL_USERNAME: "prefill"
+ PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+ - name: ums-provisioning-udmlistener-credentials
+ stringData:
+ NATS_USER: "udmlistener"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+
 containerSecurityContext:
 allowPrivilegeEscalation: false
 capabilities:
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index ccf3c2e9..fc92fb37 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -546,7 +546,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "provisioning"
- version: "0.14.0"
+ version: "0.20.2"
 verify: true
 umsProvisioningUdmListener:
 # providerCategory: 'Supplier'
@@ -558,7 +558,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "udm-listener"
- version: "0.14.0"
+ version: "0.20.2"
 verify: true
 umsSelfserviceListener:
 # providerCategory: 'Supplier'
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 60193754..c1801b8c 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -636,7 +636,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
- tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
+ tag: "0.20.2@sha256:738a8a6028ede63d22369ec58ac4834a0b34445cac216cb9475c24ccb1eaed1e"
 umsProvisioningEventsAndConsumerApi:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -646,7 +646,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
- tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
+ tag: "0.20.2@sha256:46523693c84e5e6639e9762a43b1dbfa98954391da268c70a152b76e26d9c6c2"
 umsProvisioningPrefill:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -656,7 +656,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
- tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
+ tag: "0.20.2@sha256:47143e4a3bb68c814dd7017b273b138c061a5bbb0f7e71c32ba45b2c15f1d831"
 umsProvisioningUdmListener:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
@@ -666,7 +666,7 @@ images:
 # upstreamMirrorStartFrom: ['0', '14', '0']
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
- tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
+ tag: "0.20.2@sha256:011c73748fb406ad68e35be683da79429b420e1e42a39733b342632eb3efec2d"
 umsSelfserviceInvitation:
 # providerCategory: 'Supplier'
 # providerResponsible: 'Univention'
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index e8cdb402..203197cd 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -30,6 +30,21 @@ secrets:
 storeDavUsers:
 portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
 portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+ provisioning:
+ apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+ apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+ apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+ dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+ prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+ prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+ udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+ dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+ dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+ udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+ udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+ nats:
+ natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
+
 postgresql:
 postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
 keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
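Review bot: `udmPassword` and `dispatcherUdmPassword` are derived from identical inputs (`"cn=admin" "udm"`), so they render to the same value, and neither key is referenced anywhere in this commit — the prefill secret in values-provisioning.yaml.gotmpl takes `ldapSecret` for `UDM_PASSWORD` instead. Either wire one of them to the UDM account the services actually use or drop both; unused derived secrets tend to get copied into the next chart as if they were live. Like the existing `storeDavUsers` entries above, every new password falls back to the public default `sovereign-workplace` when `MASTER_PASSWORD` is unset, which makes all NATS and provisioning-API credentials of such a deployment predictable and turns the newly added service-to-service auth into a formality; failing the render when the variable is empty (e.g. `{{ env "MASTER_PASSWORD" | required "MASTER_PASSWORD must be set" }}` in place of the `default`) would close that gap for the new entries. The `secrets:` mapping continues outside the hunk.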