fix(univention-management-stack): Update provisioning charts, images and helm value to add authentication

helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl

@@ -22,6 +22,11 @@ config:
   tlsMode: "off"
   natsHost: "ums-provisioning-nats"
   natsPort: "4222"
+  natsUser: "udmlistener"
+  natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+  internalApiHost: "ums-provisioning-api"
+  eventsUsernameUdm: "udmproducer"
+  eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
 
 resources:
   {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -4,23 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 
-dispatcher:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
-  config:
-    UDM_HOST: "ums-udm-rest-api"
-    UDM_PORT: 9979
-    UDM_USERNAME: "cn=admin"
-
 api:
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -35,6 +18,24 @@ api:
     rootPath: "/univention/provisioning-api"
   resources:
     {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
+  credentialSecretName: "ums-provisioning-api-credentials"
+
+dispatcher:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  resources:
+    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 80
+  credentialSecretName: "ums-provisioning-dispatcher-credentials"
   
 prefill:
   image: 
@@ -48,13 +49,152 @@ prefill:
       {{- end }}
   resources:
     {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 80
+  credentialSecretName: "ums-provisioning-prefill-credentials"
 
 nats:
-  bundled: true
+  affinity: ""
   nameOverride: ""
+  bundled: true
+  connection:
+    host: "ums-provisioning-nats"
+    port: 4222
+  config:
+    authorization:
+      enabled: true
+      users:
+        - user: "$NATS_USER"
+          password: "$NATS_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_API_USER"
+          password: "$NATS_API_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_DISPATCHER_USER"
+          password: "$NATS_DISPATCHER_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_PREFILL_USER"
+          password: "$NATS_PREFILL_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_UDMLISTENER_USER"
+          password: "$NATS_UDMLISTENER_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_ADMIN_USER"
+          password: "$NATS_ADMIN_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
   resources:
     {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
 
+  extraEnvVars:
+    - name: NATS_USER
+      value: "master_admin"
+    - name: NATS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-nats-credentials
+          key: admin_password
+    - name: NATS_ADMIN_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: ADMIN_NATS_USER
+    - name: NATS_ADMIN_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: ADMIN_NATS_PASSWORD
+    - name: NATS_API_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: NATS_USER
+    - name: NATS_API_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: NATS_PASSWORD
+    - name: NATS_DISPATCHER_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-dispatcher-credentials
+          key: NATS_USER
+    - name: NATS_DISPATCHER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-dispatcher-credentials
+          key: NATS_PASSWORD
+    - name: NATS_PREFILL_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-prefill-credentials
+          key: NATS_USER
+    - name: NATS_PREFILL_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-prefill-credentials
+          key: NATS_PASSWORD
+    - name: NATS_UDMLISTENER_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-udmlistener-credentials
+          key: NATS_USER
+    - name: NATS_UDMLISTENER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-udmlistener-credentials
+          key: NATS_PASSWORD
+
+extraSecrets:
+  - name: ums-provisioning-nats-credentials
+    stringData:
+      admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
+  - name: ums-provisioning-api-credentials
+    stringData:
+      NATS_USER: "api"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+      ADMIN_NATS_USER: "admin"
+      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+      UDM_HOST: "udm-rest-api"
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+      DISPATCHER_USERNAME: "dispatcher"
+      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+      EVENTS_USERNAME_UDM: "udmproducer"
+      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+  - name: ums-provisioning-dispatcher-credentials
+    stringData:
+      NATS_USER: "dispatcher"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
+      DISPATCHER_USERNAME: "dispatcher"
+      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+  - name: ums-provisioning-prefill-credentials
+    stringData:
+      NATS_USER: "prefill"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+      UDM_USERNAME: "cn=admin"
+      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+  - name: ums-provisioning-udmlistener-credentials
+    stringData:
+      NATS_USER: "udmlistener"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/environments/default/charts.yaml

@@ -546,7 +546,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "provisioning"
-    version: "0.14.0"
+    version: "0.20.2"
     verify: true
   umsProvisioningUdmListener:
     # providerCategory: 'Supplier'
@@ -558,7 +558,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "udm-listener"
-    version: "0.14.0"
+    version: "0.20.2"
     verify: true
   umsSelfserviceListener:
     # providerCategory: 'Supplier'

helmfile/environments/default/images.yaml

@@ -636,7 +636,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
+    tag: "0.20.2@sha256:738a8a6028ede63d22369ec58ac4834a0b34445cac216cb9475c24ccb1eaed1e"
   umsProvisioningEventsAndConsumerApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -646,7 +646,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
+    tag: "0.20.2@sha256:46523693c84e5e6639e9762a43b1dbfa98954391da268c70a152b76e26d9c6c2"
   umsProvisioningPrefill:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -656,7 +656,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
+    tag: "0.20.2@sha256:47143e4a3bb68c814dd7017b273b138c061a5bbb0f7e71c32ba45b2c15f1d831"
   umsProvisioningUdmListener:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -666,7 +666,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
+    tag: "0.20.2@sha256:011c73748fb406ad68e35be683da79429b420e1e42a39733b342632eb3efec2d"
   umsSelfserviceInvitation:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'

helmfile/environments/default/secrets.gotmpl

@@ -30,6 +30,21 @@ secrets:
     storeDavUsers:
       portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
       portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+    provisioning:
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+  nats:
+    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
+
   postgresql:
     postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
     keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}