fix(univention-management-stack): Update provisioning charts, images and helm value to add authentication

helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl

@@ -22,6 +22,11 @@ config:
   tlsMode: "off"
   natsHost: "ums-provisioning-nats"
   natsPort: "4222"
+  natsUser: "udmlistener"
+  natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+  internalApiHost: "ums-provisioning-api"
+  eventsUsernameUdm: "udmproducer"
+  eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
 
 resources:
   {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -4,23 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 
-dispatcher:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
-  config:
-    UDM_HOST: "ums-udm-rest-api"
-    UDM_PORT: 9979
-    UDM_USERNAME: "cn=admin"
-
 api:
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -35,6 +18,24 @@ api:
     rootPath: "/univention/provisioning-api"
   resources:
     {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
+  credentialSecretName: "ums-provisioning-api-credentials"
+
+dispatcher:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  resources:
+    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 80
+  credentialSecretName: "ums-provisioning-dispatcher-credentials"
   
 prefill:
   image: 
@@ -48,13 +49,152 @@ prefill:
       {{- end }}
   resources:
     {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 80
+  credentialSecretName: "ums-provisioning-prefill-credentials"
 
 nats:
-  bundled: true
+  affinity: ""
   nameOverride: ""
+  bundled: true
+  connection:
+    host: "ums-provisioning-nats"
+    port: 4222
+  config:
+    authorization:
+      enabled: true
+      users:
+        - user: "$NATS_USER"
+          password: "$NATS_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_API_USER"
+          password: "$NATS_API_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_DISPATCHER_USER"
+          password: "$NATS_DISPATCHER_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_PREFILL_USER"
+          password: "$NATS_PREFILL_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_UDMLISTENER_USER"
+          password: "$NATS_UDMLISTENER_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_ADMIN_USER"
+          password: "$NATS_ADMIN_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
   resources:
     {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
 
+  extraEnvVars:
+    - name: NATS_USER
+      value: "master_admin"
+    - name: NATS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-nats-credentials
+          key: admin_password
+    - name: NATS_ADMIN_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: ADMIN_NATS_USER
+    - name: NATS_ADMIN_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: ADMIN_NATS_PASSWORD
+    - name: NATS_API_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: NATS_USER
+    - name: NATS_API_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: NATS_PASSWORD
+    - name: NATS_DISPATCHER_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-dispatcher-credentials
+          key: NATS_USER
+    - name: NATS_DISPATCHER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-dispatcher-credentials
+          key: NATS_PASSWORD
+    - name: NATS_PREFILL_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-prefill-credentials
+          key: NATS_USER
+    - name: NATS_PREFILL_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-prefill-credentials
+          key: NATS_PASSWORD
+    - name: NATS_UDMLISTENER_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-udmlistener-credentials
+          key: NATS_USER
+    - name: NATS_UDMLISTENER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-udmlistener-credentials
+          key: NATS_PASSWORD
+
+extraSecrets:
+  - name: ums-provisioning-nats-credentials
+    stringData:
+      admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
+  - name: ums-provisioning-api-credentials
+    stringData:
+      NATS_USER: "api"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+      ADMIN_NATS_USER: "admin"
+      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+      UDM_HOST: "udm-rest-api"
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+      DISPATCHER_USERNAME: "dispatcher"
+      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+      EVENTS_USERNAME_UDM: "udmproducer"
+      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+  - name: ums-provisioning-dispatcher-credentials
+    stringData:
+      NATS_USER: "dispatcher"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
+      DISPATCHER_USERNAME: "dispatcher"
+      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+  - name: ums-provisioning-prefill-credentials
+    stringData:
+      NATS_USER: "prefill"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+      UDM_USERNAME: "cn=admin"
+      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+  - name: ums-provisioning-udmlistener-credentials
+    stringData:
+      NATS_USER: "udmlistener"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities: