sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(univention-management-stack): Switch to Univention Keycloak

Browse Source
This commit is contained in:
Thorsten Roßner
2023-12-15 08:38:46 +01:00
parent 1b9f394489
commit 902076c629
53 changed files with 865 additions and 2386 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
.gitlab-ci.yml
View File

@@ -86,12 +86,6 @@ variables:
options:
- "yes"
- "no"
DEPLOY_KEYCLOAK:
description: "Enable Keycloak deployment."
value: "no"
options:
- "yes"
- "no"
DEPLOY_OX:
description: "Enable OX AppSuite8 deployment."
value: "no"
@@ -255,31 +249,6 @@ ums-deploy:
variables:
COMPONENT: "univention-management-stack"
keycloak-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
when: "always"
variables:
COMPONENT: "keycloak"
keycloak-bootstrap-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
timeout: "30m"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
when: "always"
variables:
COMPONENT: "keycloak-bootstrap"
ox-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -461,7 +430,7 @@ run-tests:
\"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
\"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
\"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
\"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
\"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
\"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
\"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
\"DEPLOY_OX\": \"${DEPLOY_OX}\", \

9
COMPONENTS-SERVICE.md
View File

@@ -21,7 +21,9 @@ This services is used by:
## Database - PostgreSQL
This services is used by:
- Keycloak
- Univention Management Stack
- Self Service
- Keycloak
- OpenProject
## Redis
@@ -33,11 +35,12 @@ This service is used by:
## Postfix
This service is used by:
- Keycloak (e.g. new device login notification)
- Nextcloud (e.g. share file notifictions)
- Open-Xchange (emails)
- OpenProject (general notifications)
- UMS (e.g. password reset emails)
- Univention Management Stack
- Self Service (e.g. password reset emails)
- Keycloak (e.g. new device login notification)
- XWiki (e.g. change notifications)
## TURN Server

2
CONTRIBUTING.md
View File

@@ -52,8 +52,6 @@ Valid commit scopes:
- `collabora`
- `ìntercom-service`
- `jitsi`
- `keycloak`
- `keycloak-bootstrap`
- `nextcloud`
- `open-xchange`
- `openproject`

16
README.md
View File

@@ -67,19 +67,19 @@ If you want to address other topics, please check the section
# Requirements
⟶ Visit our detailed [Requirements](docs/requirements.md) overview.
⟶ Visit our detailed [Requirements](./docs/requirements.md) overview.
# Getting started
⟶ Visit our detailed [Getting started](docs/getting-started.md) guide.
⟶ Visit our detailed [Getting started](./docs/getting-started.md) guide.
# Advanced customization
- [External services](docs/external-services.md)
- [Security](docs/security.md)
- [Scaling](docs/scaling.md)
- [Monitoring](docs/monitoring.md)
- [Theming](docs/theming.md)
- [External services](./docs/external-services.md)
- [Security](./docs/security.md)
- [Scaling](./docs/scaling.md)
- [Monitoring](./docs/monitoring.md)
- [Theming](./docs/theming.md)
# Releases
@@ -95,7 +95,7 @@ The following release artefacts are provided beside the default source code asse
# Components
⟶ Visit our detailed [Component](docs/getting-started.md) docs.
⟶ Visit our detailed [Component](./docs/components.md) docs.
# License

9
docs/ci.md
View File

@@ -7,11 +7,11 @@ SPDX-License-Identifier: Apache-2.0
This page will cover openDesk automation via Gitlab CI.
<!-- TOC -->
* [Deployment](#deployment)
* [Tests](#tests)
* [Deployment](#deployment)
* [Tests](#tests)
<!-- TOC -->
## Deployment
# Deployment
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
@@ -30,8 +30,7 @@ Based on your input, the following variables will be set:
You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
## Tests
# Tests
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The `DEPLOY_`-variables are used to determine which components should be tested.

55
docs/components.md
View File

@@ -7,20 +7,20 @@ SPDX-License-Identifier: Apache-2.0
This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC -->
* [Overview](#overview)
* [Component integration](#component-integration)
* [Intercom Service (ICS)](#intercom-service-ics)
* [Filepicker](#filepicker)
* [Central Navigation](#central-navigation)
* [(Read & write) Central contacts](#read--write-central-contacts)
* [OpenProject Filestore](#openproject-filestore)
* [Identity data flows](#identity-data-flows)
* [Provisioning](#provisioning)
* [Component specific documentation](#component-specific-documentation)
* [Links to component docs](#links-to-component-docs)
* [Overview](#overview)
* [Component integration](#component-integration)
* [Intercom Service (ICS)](#intercom-service-ics)
* [Filepicker](#filepicker)
* [Central Navigation](#central-navigation)
* [(Read \& write) Central contacts](#read--write-central-contacts)
* [OpenProject Filestore](#openproject-filestore)
* [Identity data flows](#identity-data-flows)
* [Provisioning](#provisioning)
* [Component specific documentation](#component-specific-documentation)
* [Links to component docs](#links-to-component-docs)
<!-- TOC -->
## Overview
# Overview
openDesk consists out of a variety of open-source projects. Here is a list with the description and type.
@@ -38,7 +38,6 @@ they need to be replaced in production deployments.
| Element | Secure communications platform | Functional |
| Intercom Service | Cross service data exchange | Functional |
| Jitsi | Videoconferencing | Functional |
| Keycloak | Identity Provider | Functional |
| MariaDB | Database | Eval |
| Memcached | Cache Database | Eval |
| MinIO | Object Storage | Eval |
@@ -49,18 +48,17 @@ they need to be replaced in production deployments.
| Postfix | MTA | Eval |
| PostgreSQL | Database | Eval |
| Redis | Cache Database | Eval |
| Univention Corporate Server | Identity Management & Portal | Functional |
| Univention Management Stack | Identity Management & Portal | Eval |
| Univention Management Stack | Identity Management & Portal | Functional |
| XWiki | Knowledgebase | Functional |
## Component integration
# Component integration
Some use cases require inter component integration.
```mermaid
flowchart TD
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
IntercomService-->|SilentLogin, TokenExchange|Keycloak
IntercomService-->|SilentLogin, TokenExchange|IdP
IntercomService-->|Filepicker|Nextcloud
IntercomService-->|CentralNavigation|Portal
OXAppSuiteBackend-->|Filepicker|Nextcloud
@@ -71,7 +69,7 @@ flowchart TD
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
```
### Intercom Service (ICS)
## Intercom Service (ICS)
The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
Handling authentication when the frontend of an application is using the API from another application is often a
@@ -84,7 +82,7 @@ login.
Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
the ICS API.
### Filepicker
## Filepicker
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
and saving attachments to Nextcloud.
@@ -94,34 +92,33 @@ Frontend-based integration means that OX AppSuite in the browser is communicatin
While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
when adding a file to an email or storing a file into Nextcloud.
### Central Navigation
## Central Navigation
Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
allow components to render the menu showing all available SWP applications for the user.
### (Read & write) Central contacts
## (Read & write) Central contacts
Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
available personal contact.
### OpenProject Filestore
## OpenProject Filestore
By default, Nextcloud is a configured option for storing attachments in OpenProject.
The Filestore can be enabled on a per-project level in OpenProject's project admin section.
## Identity data flows
# Identity data flows
An overview of
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
Some components trust others to handle authentication for them.
```mermaid
flowchart TD
K[Keycloak]-->L[LDAP]
K[IdP]-->L[LDAP]
N[Nextcloud]-->L
O[OpenProject] --> L
A[OX AppSuite]-->L
@@ -142,7 +139,7 @@ flowchart TD
F[Postfix]-->D
```
## Provisioning
# Provisioning
Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and
deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
@@ -153,7 +150,7 @@ deleting activities for the following objects to the OX AppSuite using the AppSu
- Functional Mailboxes
- Resources
## Component specific documentation
# Component specific documentation
We want to provide more information per component in separate, component-specific markdown file.
To establish a common view on the components, we are going to cover various aspects:
@@ -173,6 +170,6 @@ To establish a common view on the components, we are going to cover various aspe
- **Uninstall**: Documented and working complete uninstallation of the component.
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
## Links to component docs
# Links to component docs
- [Intercom-Service](./components/intercom-service.md)

12
docs/external-services.md
View File

@@ -8,12 +8,12 @@ SPDX-License-Identifier: Apache-2.0
This document will cover the additional configuration to use external services like databases, caches or buckets.
<!-- TOC -->
* [Database](#database)
* [Objectstore](#objectstore)
* [Cache](#cache)
* [Database](#database)
* [Objectstore](#objectstore)
* [Cache](#cache)
<!-- TOC -->
## Database
# Database
When deploying this suite to production, you need to configure the applications to use your production grade database
service.
@@ -72,7 +72,7 @@ service.
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
## Objectstore
# Objectstore
When deploying this suite to production, you need to configure the applications to use your production grade objectstore
service.
@@ -89,7 +89,7 @@ service.
| | | Username | `objectstores.openproject.username` | `openproject_user` |
| | | Use IAM profile | `objectstores.openproject.useIAMProfile` | |
## Cache
# Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
service.

82
docs/getting-started.md
View File

@@ -8,38 +8,38 @@ SPDX-License-Identifier: Apache-2.0
This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
<!-- TOC -->
* [Requirements](#requirements)
* [Customize environment](#customize-environment)
* [Domain](#domain)
* [Requirements](#requirements)
* [Customize environment](#customize-environment)
* [Domain](#domain)
* [Apps](#apps)
* [Private Image registry](#private-image-registry)
* [Private Helm registry](#private-helm-registry)
* [Cluster capabilities](#cluster-capabilities)
* [Service](#service)
* [Networking](#networking)
* [Ingress](#ingress)
* [Container runtime](#container-runtime)
* [Volumes](#volumes)
* [Connectivity](#connectivity)
* [Mail/SMTP configuration](#mailsmtp-configuration)
* [TURN configuration](#turn-configuration)
* [Certificate issuer](#certificate-issuer)
* [Password seed](#password-seed)
* [Private Image registry](#private-image-registry)
* [Private Helm registry](#private-helm-registry)
* [Cluster capabilities](#cluster-capabilities)
* [Service](#service)
* [Networking](#networking)
* [Ingress](#ingress)
* [Container runtime](#container-runtime)
* [Volumes](#volumes)
* [Connectivity](#connectivity)
* [Mail/SMTP configuration](#mailsmtp-configuration)
* [TURN configuration](#turn-configuration)
* [Certificate issuer](#certificate-issuer)
* [Password seed](#password-seed)
* [Install](#install)
* [Install single app](#install-single-app)
* [Install single release/chart](#install-single-releasechart)
* [Access deployment](#access-deployment)
* [Uninstall](#uninstall)
* [Install single app](#install-single-app)
* [Install single release/chart](#install-single-releasechart)
* [Access deployment](#access-deployment)
* [Uninstall](#uninstall)
<!-- TOC -->
Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to
deploy openDesk onto your kubernetes infrastructure.
## Requirements
# Requirements
Detailed system requirements are covered on [requirements](requirements.md) page.
## Customize environment
# Customize environment
Before deploying openDesk, you have to configure the deployment to suit your environment.
To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment
@@ -50,7 +50,7 @@ files.
For the following guide, we will use `dev` as environment, where variables can be set in
`helmfile/environments/dev/values.yaml`.
### Domain
## Domain
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
@@ -107,7 +107,6 @@ All available apps and their default value can be found in `helmfile/environment
| Element | `element.enabled` | `true` | Secure communications platform |
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange |
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider |
| MariaDB | `mariadb.enabled` | `true` | Database |
| Memcached | `memcached.enabled` | `true` | Cache Database |
| MinIO | `minio.enabled` | `true` | Object Storage |
@@ -128,7 +127,7 @@ jitsi:
enabled: false
```
### Private Image registry
## Private Image registry
By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
OCI registries provided by Open CoDE.
@@ -153,7 +152,7 @@ global:
- "external-registry"
```
### Private Helm registry
## Private Helm registry
Some apps use OCI style registry and some use Helm chart museum style registries.
In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
@@ -180,10 +179,9 @@ The following environment variables have to be exposed when using the example:
| `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username |
| `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password |
## Cluster capabilities
### Cluster capabilities
#### Service
### Service
Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections.
These apps create a Kubernetes service object.
@@ -196,7 +194,7 @@ cluster:
type: "NodePort"
```
#### Networking
### Networking
If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via:
@@ -214,7 +212,7 @@ cluster:
cidr: "127.0.0.0/8"
```
#### Ingress
### Ingress
By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
setting:
@@ -224,7 +222,7 @@ ingress:
ingressClassName: "cilium"
```
#### Container runtime
### Container runtime
Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`,
`containerd` or `docker` by:
@@ -235,7 +233,7 @@ cluster:
engine: "containerd"
```
#### Volumes
### Volumes
When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By
default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
@@ -255,9 +253,9 @@ persistence:
RWO: "my-read-write-once-class"
```
### Connectivity
## Connectivity
#### Mail/SMTP configuration
### Mail/SMTP configuration
To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from
the whole subdomain.
@@ -269,7 +267,7 @@ smtp:
password: "secret"
```
#### TURN configuration
### TURN configuration
Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
these options:
@@ -286,7 +284,7 @@ turn:
port: "5349"
```
#### Certificate issuer
### Certificate issuer
As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS
secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can
@@ -313,7 +311,7 @@ certificate:
wildcard: true
```
### Password seed
## Password seed
All secrets are generated from a single master password via Master Password (algorithm).
To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
@@ -337,7 +335,7 @@ helmfile apply -e dev -n <NAMESPACE> [-l <label>] [--suppress-diff]
- `-l <label>`: Label selector
- `--suppress-diff`: Disable diff printing
### Install single app
## Install single app
You can also install or upgrade only a single app like Collabora, either by label selector:
@@ -352,7 +350,7 @@ cd helmfile/apps/collabora
helmfile apply -e dev -n <NAMESPACE>
```
### Install single release/chart
## Install single release/chart
Instead of iteration through all services, you can also deploy a single release like mariadb by:
@@ -360,7 +358,7 @@ Instead of iteration through all services, you can also deploy a single release
helmfile apply -e dev -n <NAMESPACE> -l name=mariadb
```
## Access deployment
# Access deployment
When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to
@@ -394,7 +392,7 @@ Now you can log in with obtained credentials:
| `default.user` | `40615..............................e9e2f` | Application user |
| `default.admin` | `bdbbb..............................04db6` | Administrator |
## Uninstall
# Uninstall
You can uninstall the deployment by:

25
docs/monitoring.md
View File

@@ -9,15 +9,15 @@ This document will cover how you can enable observability with Prometheus based
well as the overall status of monitoring integration.
<!-- TOC -->
* [Technology](#technology)
* [Defaults](#defaults)
* [Metrics](#metrics)
* [Alerts](#alerts)
* [Dashboards for Grafana](#dashboards-for-grafana)
* [Components](#components)
* [Technology](#technology)
* [Defaults](#defaults)
* [Metrics](#metrics)
* [Alerts](#alerts)
* [Dashboards for Grafana](#dashboards-for-grafana)
* [Components](#components)
<!-- TOC -->
## Technology
# Technology
We provide integration into the Prometheus based monitoring.
Together with
@@ -27,12 +27,12 @@ easily leverage the full potential of open-source cloud-native observability sta
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
repository or prometheus operator.
## Defaults
# Defaults
All configurable options and their defaults can be found in
[`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml).
## Metrics
# Metrics
To deploy podMonitor and serviceMonitor custom resources, enable it by:
@@ -44,7 +44,7 @@ prometheus:
enabled: true
```
## Alerts
# Alerts
Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
@@ -54,7 +54,7 @@ prometheus:
enabled: true
```
## Dashboards for Grafana
# Dashboards for Grafana
To deploy optional ConfigMaps with Grafana dashboards, enable it by:
@@ -64,7 +64,8 @@ grafana:
enabled: true
```
## Components
# Components
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|:----------|-----------------------------------|-------------------------|---------------------|
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |

32
docs/requirements.md
View File

@@ -7,17 +7,17 @@ SPDX-License-Identifier: Apache-2.0
This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC -->
* [TL;DR;](#tldr)
* [Hardware](#hardware)
* [Kubernetes](#kubernetes)
* [Ingress controller](#ingress-controller)
* [Volume provisioner](#volume-provisioner)
* [Certificate management](#certificate-management)
* [External services](#external-services)
* [Deployment](#deployment)
* [TL;DR;](#tldr)
* [Hardware](#hardware)
* [Kubernetes](#kubernetes)
* [Ingress controller](#ingress-controller)
* [Volume provisioner](#volume-provisioner)
* [Certificate management](#certificate-management)
* [External services](#external-services)
* [Deployment](#deployment)
<!-- TOC -->
## TL;DR;
# TL;DR;
openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
@@ -30,7 +30,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
- Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
## Hardware
# Hardware
The following minimal requirements are thought for initial evaluation deployment:
@@ -40,7 +40,7 @@ The following minimal requirements are thought for initial evaluation deployment
| RAM | 16 GB, recommended 32 GB |
| Disk | HDD or SSD, >10 GB |
## Kubernetes
# Kubernetes
Any self-hosted or managed K8s cluster >= 1.24 listed in
[CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported.
@@ -49,7 +49,7 @@ The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/
> **Note:** The deployment is not tested against OpenShift.
## Ingress controller
# Ingress controller
The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
configured ingress controller deployed.
@@ -63,14 +63,14 @@ configured ingress controller deployed.
When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
## Volume provisioner
# Volume provisioner
Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
provisioner is sufficient.
> **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling.
## Certificate management
# Certificate management
This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**,
but a secret containing a valid TLS certificate is required.
@@ -78,7 +78,7 @@ but a secret containing a valid TLS certificate is required.
Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or
openDesk certificate management disabled.
## External services
# External services
Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
@@ -97,7 +97,7 @@ Evaluation the openDesk deployment does not require any external service to star
| | Object Storage | | MinIO |
| Voice | TURN | | Coturn |
## Deployment
# Deployment
The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and
templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience.

4
docs/scaling.md
View File

@@ -8,10 +8,10 @@ SPDX-License-Identifier: Apache-2.0
This document should cover the abilities to scale apps.
<!-- TOC -->
* [Replicas](#replicas)
* [Replicas](#replicas)
<!-- TOC -->
## Replicas
# Replicas
The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
apps with a check-mark in `Scaling (effective)` column.

15
docs/security.md
View File

@@ -8,12 +8,12 @@ SPDX-License-Identifier: Apache-2.0
This document should cover the current status of security measurements.
<!-- TOC -->
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
<!-- TOC -->
## Helm Chart Trust Chain
# Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
`pubkey.gpg` file and are validated during helmfile installation.
@@ -28,7 +28,6 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: |
| keycloak-theme-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: |
| opendesk-certificates-repo | yes | :white_check_mark: |
@@ -43,9 +42,11 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: |
| ums-repo | no | :x: |
| univention-keycloak-repo | yes | :white_check_mark: |
| univention-keycloak-bootstrap-repo | yes | :white_check_mark: |
| xwiki-repo | no | :x: |
## Kubernetes Security Enforcements
# Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards:
@@ -111,7 +112,7 @@ This list gives you an overview of default security settings and if they comply
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
## NetworkPolicies
# NetworkPolicies
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
When applied, they restrict the traffic to your services.

12
docs/theming.md
View File

@@ -8,13 +8,13 @@ SPDX-License-Identifier: Apache-2.0
This document will cover the theming and customization of your openDesk deployment.
<!-- TOC -->
* [Strings and texts](#strings-and-texts)
* [Colors](#colors)
* [Strings and texts](#strings-and-texts)
* [Colors](#colors)
* [Images and Logos](#images-and-logos)
* [Known limits](#known-limits)
* [Known limits](#known-limits)
<!-- TOC -->
## Strings and texts
# Strings and texts
The deployment name can be changed by:
@@ -24,7 +24,7 @@ theme:
productName: "openDesk Cloud"
```
## Colors
# Colors
The primary color and their derivates with lesser opacity be customized by:
@@ -50,7 +50,7 @@ theme:
faviconIco: "..."
```
## Known limits
# Known limits
Not all applications support theming. Known exceptions are:
- Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support

16
examples/private-helm-registry.yaml.gotmpl
View File

@@ -59,26 +59,26 @@ charts:
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloak:
umsKeycloak:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloakBootstrap:
umsKeycloakBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloakExtensions:
opendeskKeycloakBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsKeycloakExtensions:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloakTheme:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
mariadb:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}

2
helmfile.yaml
View File

@@ -7,9 +7,7 @@
helmfiles:
# Path to the helmfile state file being processed BEFORE releases in this state file
- path: "helmfile/apps/services/helmfile.yaml"
- path: "helmfile/apps/keycloak/helmfile.yaml"
- path: "helmfile/apps/univention-management-stack/helmfile.yaml"
- path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
- path: "helmfile/apps/intercom-service/helmfile.yaml"
- path: "helmfile/apps/open-xchange/helmfile.yaml"
- path: "helmfile/apps/nextcloud/helmfile.yaml"

2
helmfile/apps/element/values-element.gotmpl
View File

@@ -13,7 +13,7 @@ global:
configuration:
additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
"net.nordeck.element_web.module.opendesk":
config:

2
helmfile/apps/element/values-synapse.gotmpl
View File

@@ -38,7 +38,7 @@ configuration:
oidc:
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
turn:
sharedSecret: {{ .Values.turn.credentials | quote }}

2
helmfile/apps/element/values-synapse.yaml
View File

@@ -25,6 +25,8 @@ configuration:
homeserver:
guestModule:
enabled: true
oidc:
clientId: "opendesk-matrix"
containerSecurityContext:
allowPrivilegeEscalation: false

8
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -13,8 +13,10 @@ global:
ics:
secret: {{ .Values.secrets.intercom.secret | quote }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
keycloak:
realm: {{ .Values.platform.realm | quote }}
default:
domain: {{ .Values.global.domain | quote }}
oidc:
@@ -33,7 +35,9 @@ ics:
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
audience: "opendesk-oxappsuite"
nextcloud:
audience: "opendesk-nextcloud"
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.intercom.repository | quote }}

5
helmfile/apps/intercom-service/values.yaml
View File

@@ -1,6 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ics:
oidc:
id: "opendesk-intercom"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:

2
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -22,6 +22,8 @@ image:
settings:
jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
keycloakRealm: {{ .Values.platform.realm | quote }}
keycloakClientId: "opendesk-jitsi"
theme:
{{ .Values.theme | toYaml | nindent 2 }}

32
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
- name: "opendesk-keycloak-bootstrap-repo"
oci: {{ .Values.charts.keycloakBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloakBootstrap.verify }}
username: {{ .Values.charts.keycloakBootstrap.username | quote }}
password: {{ .Values.charts.keycloakBootstrap.password | quote }}
url: "{{ .Values.charts.keycloakBootstrap.registry }}/{{ .Values.charts.keycloakBootstrap.repository }}"
releases:
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.keycloakBootstrap.name }}"
version: "{{ .Values.charts.keycloakBootstrap.version }}"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
installed: {{ .Values.keycloak.enabled }}
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
timeout: 1800
commonLabels:
deploy-stage: "component-1"
component: "keycloak-bootstrap"
...

34
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -1,34 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
administrator:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
additionalAnnotations:
annotations:
intents.otterize.com/service-name: "keycloak-bootstrap"
...

7
helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml
View File

@@ -1,7 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
config:
administrator:
username: "kcadmin"
...

66
helmfile/apps/keycloak/helmfile.yaml
View File

@@ -1,66 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "keycloak-repo"
oci: {{ .Values.charts.keycloak.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloak.verify }}
username: {{ .Values.charts.keycloak.username | quote }}
password: {{ .Values.charts.keycloak.password | quote }}
url: "{{ .Values.charts.keycloak.registry }}/{{ .Values.charts.keycloak.repository }}"
# openDesk Keycloak Theme
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
- name: "keycloak-theme-repo"
oci: {{ .Values.charts.keycloakTheme.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloakTheme.verify }}
username: {{ .Values.charts.keycloakTheme.username | quote }}
password: {{ .Values.charts.keycloakTheme.password | quote }}
url: "{{ .Values.charts.keycloakTheme.registry }}/{{ .Values.charts.keycloakTheme.repository }}"
# openDesk Keycloak Extensions
- name: "keycloak-extensions-repo"
oci: {{ .Values.charts.keycloakExtensions.oci }}
username: {{ .Values.charts.keycloakExtensions.username | quote }}
password: {{ .Values.charts.keycloakExtensions.password | quote }}
url: "{{ .Values.charts.keycloakExtensions.registry }}/{{ .Values.charts.keycloakExtensions.repository }}"
releases:
- name: "keycloak-theme"
chart: "keycloak-theme-repo/{{ .Values.charts.keycloakTheme.name }}"
version: "{{ .Values.charts.keycloakTheme.version }}"
values:
- "values-theme.gotmpl"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak"
chart: "keycloak-repo/{{ .Values.charts.keycloak.name }}"
version: "{{ .Values.charts.keycloak.version }}"
values:
- "values-keycloak.gotmpl"
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak-extensions"
chart: "keycloak-extensions-repo/{{ .Values.charts.keycloakExtensions.name }}"
version: "{{ .Values.charts.keycloakExtensions.version }}"
needs:
- "keycloak"
values:
- "values-extensions.yaml"
- "values-extensions.gotmpl"
installed: {{ .Values.keycloak.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "keycloak"
...

45
helmfile/apps/keycloak/values-extensions.yaml
View File

@@ -1,45 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
keycloak:
host: "keycloak"
adminUsername: "kcadmin"
adminRealm: "master"
realm: "souvap"
handler:
appConfig:
captchaProtectionEnable: "False"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
postgresql:
enabled: false
proxy:
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
...

1693
helmfile/apps/keycloak/values-keycloak-idp.yaml
View File

File diff suppressed because it is too large Load Diff

89
helmfile/apps/keycloak/values-keycloak.gotmpl
View File

@@ -1,89 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloak.repository | quote }}
tag: {{ .Values.images.keycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
externalDatabase:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
auth:
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
replicaCount: {{ .Values.replicas.keycloak }}
keycloakConfigCli:
extraEnvVars:
- name: "LDAP_GROUPS_DN"
value: "cn=groups,dc=swp-ldap,dc=internal"
- name: "LDAP_USERS_DN"
value: "cn=users,dc=swp-ldap,dc=internal"
- name: "LDAP_SERVER_URL"
value: {{ .Values.ldap.host | quote }}
- name: "IDENTIFIER"
value: "souvap"
- name: "THEME"
value: "souvap"
- name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT"
value: "600s"
- name: "UNIVENTION_CORPORATE_SERVER_DOMAIN"
value: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- name: "KEYCLOAK_DOMAIN"
value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
- name: "OPENXCHANGE_8_DOMAIN"
value: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
- name: "XWIKI_DOMAIN"
value: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
- name: "OPENPROJECT_DOMAIN"
value: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
- name: "NEXTCLOUD_DOMAIN"
value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
- name: "MATRIX_DOMAIN"
value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
- name: "JITSI_DOMAIN"
value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
- name: "ELEMENT_DOMAIN"
value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
- name: "INTERCOM_SERVICE_DOMAIN"
value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
- name: "CLIENT_SECRET_INTERCOM_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
- name: "CLIENT_SECRET_MATRIX_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
- name: "CLIENT_SECRET_JITSI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
- name: "CLIENT_SECRET_NCOIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
- name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
- name: "CLIENT_SECRET_XWIKI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
- name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
value: "storage_provider_ucsldap"
- name: "LDAPSEARCH_PASSWORD"
value: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:
{{ .Values.resources.keycloak | toYaml | nindent 4 }}
resources:
{{ .Values.resources.keycloak | toYaml | nindent 2 }}
...

85
helmfile/apps/keycloak/values-keycloak.yaml
View File

@@ -1,85 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
postgresql:
enabled: false
externalDatabase:
existingSecret: ""
existingSecretPasswordKey: ""
auth:
adminUser: "kcadmin"
# not working as expected with older helm chart, check if it works with most recent one.
# meanwhile we set the loglevel using the extraEnvVars a bit below.
# logging:
# level: "DEBUG"
extraEnvVars:
- name: "KC_LOG_LEVEL"
value: "INFO"
extraStartupArgs: >
-Dkeycloak.profile.feature.token_exchange=enabled
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
service:
type: "ClusterIP"
ingress:
enabled: false
extraVolumes:
- name: "keycloak-theme"
configMap:
name: "keycloak-theme"
items:
- key: "theme.properties"
path: "souvap/login/theme.properties"
- key: "messages_de.properties"
path: "souvap/login/messages/messages_de.properties"
- key: "messages_en.properties"
path: "souvap/login/messages/messages_en.properties"
- key: "styles.css"
path: "souvap/login/resources/css/styles.css"
- key: "logo.svg"
path: "souvap/login/resources/img/logo_phoenix.svg"
- key: "login.ftl"
path: "souvap/login/login.ftl"
extraVolumeMounts:
- name: "keycloak-theme"
mountPath: "/opt/bitnami/keycloak/themes"
keycloakConfigCli:
enabled: true
command:
- "java"
- "-jar"
- "/opt/bitnami/keycloak-config-cli/keycloak-config-cli-19.0.3.jar"
args:
- "--import.var-substitution.enabled=true"
cache:
enabled: false
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
podSecurityContext:
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
...

13
helmfile/apps/keycloak/values-theme.gotmpl
View File

@@ -1,13 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

1
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -28,6 +28,7 @@ config:
password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
userOidc:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
realm: {{ .Values.platform.realm }}
database:
host: {{ .Values.databases.nextcloud.host | quote }}

7
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -7,11 +7,10 @@ config:
apps:
integrationSwp:
username: "phoenixusername"
username: "opendesk_username"
userOidc:
username: "ncoidc"
userIdAttribute: "entryuuid"
realm: "souvap"
username: "opendesk-nextcloud"
userIdAttribute: "opendesk_useruuid"
cryptpad:
enabled: true

6
helmfile/apps/open-xchange/values-dovecot.gotmpl
View File

@@ -23,9 +23,9 @@ dovecot:
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
oidc:
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
clientID: "as8oidc"
introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
clientID: "opendesk-dovecot"
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
certificate:

4
helmfile/apps/open-xchange/values-dovecot.yaml
View File

@@ -27,8 +27,8 @@ dovecot:
oidc:
enabled: true
clientID: "as8oidc"
usernameAttribute: "phoenixusername"
clientID: "opendesk-dovecot"
usernameAttribute: "opendesk_username"
submission:
enabled: true

16
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -69,18 +69,18 @@ appsuite:
resources:
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
"com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
"com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
"com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
"com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
"com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
"com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
"com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
"com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
"com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
"com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretProperties:
com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}

8
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -55,16 +55,16 @@ appsuite:
com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.userLookupNamePart: "full"
com.openexchange.oidc.userLookupClaim: "phoenixusername"
com.openexchange.oidc.clientId: "as8oidc"
com.openexchange.oidc.userLookupClaim: "opendesk_username"
com.openexchange.oidc.clientId: "opendesk-oxappsuite"
# OAUTH
com.openexchange.oauth.provider.enabled: "true"
com.openexchange.oauth.provider.contextLookupClaim: "context"
com.openexchange.oauth.provider.contextLookupNamePart: "full"
com.openexchange.oauth.provider.mode: "expect_jwt"
com.openexchange.oauth.provider.userLookupNamePart: "full"
com.openexchange.oauth.provider.userLookupClaim: "phoenixusername"
com.openexchange.authentication.oauth.clientId: "as8oidc"
com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
# MAIL
com.openexchange.mail.authType: "xoauth2"
com.openexchange.mail.loginSource: "mail"

10
helmfile/apps/openproject-bootstrap/values.gotmpl
View File

@@ -4,18 +4,18 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.openprojectBootstrap.repository }}"
tag: "{{ .Values.images.openprojectBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}

11
helmfile/apps/openproject/values.gotmpl
View File

@@ -46,7 +46,10 @@ openproject:
mail: "openproject-admin@swp-domain.internal"
password_reset: "false"
password: {{ .Values.secrets.openproject.adminPassword | quote }}
oidc:
authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
@@ -56,13 +59,13 @@ ingress:
secretName: {{ .Values.ingress.tls.secretName | quote }}
environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"

9
helmfile/apps/openproject/values.yaml
View File

@@ -22,11 +22,8 @@ openproject:
oidc:
enabled: true
provider: "keycloak"
identifier: "openproject"
authorizationEndpoint: "/realms/souvap/protocol/openid-connect/auth"
tokenEndpoint: "/realms/souvap/protocol/openid-connect/token"
userinfoEndpoint: "/realms/souvap/protocol/openid-connect/userinfo"
scope: "[openid,phoenix]"
identifier: "opendesk-openproject"
scope: "[openid,opendesk]"
# seed will only be executed on initial installation
seed_locale: "de"
@@ -53,7 +50,7 @@ s3:
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
environment:
OPENPROJECT_LOG__LEVEL: "info"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username"
OPENPROJECT_LOGIN__REQUIRED: "true"
OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"

67
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -72,17 +72,80 @@ repositories:
password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
# Univention Keycloak Extensions
- name: "ums-keycloak-extensions-repo"
oci: {{ .Values.charts.umsKeycloakExtensions.oci }}
username: {{ .Values.charts.umsKeycloakExtensions.username | quote }}
password: {{ .Values.charts.umsKeycloakExtensions.password | quote }}
url: "{{ .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
# Univention Keycloak
- name: "ums-keycloak-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloak.verify }}
oci: {{ .Values.charts.umsKeycloak.oci }}
username: {{ .Values.charts.umsKeycloak.username | quote }}
password: {{ .Values.charts.umsKeycloak.password | quote }}
url: "{{ .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
- name: "ums-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
oci: {{ .Values.charts.umsKeycloakBootstrap.oci }}
username: {{ .Values.charts.umsKeycloakBootstrap.username | quote }}
password: {{ .Values.charts.umsKeycloakBootstrap.password | quote }}
url: "{{ .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
- name: "opendesk-keycloak-bootstrap-repo"
oci: {{ .Values.charts.opendeskKeycloakBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
username: {{ .Values.charts.opendeskKeycloakBootstrap.username | quote }}
password: {{ .Values.charts.opendeskKeycloakBootstrap.password | quote }}
url: "{{ .Values.charts.opendeskKeycloakBootstrap.registry }}/\
{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "nginx-repo"
oci: true
oci: {{ .Values.charts.nginx.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nginx.verify }}
username: "{{ .Values.charts.nginx.username }}"
username: {{ .Values.charts.nginx.username | quote }}
password: {{ .Values.charts.nginx.password | quote }}
url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
releases:
- name: "ums-keycloak"
chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}"
version: "{{ .Values.charts.umsKeycloak.version }}"
values:
- "values-ums-keycloak.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-keycloak-extensions"
chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}"
version: "{{ .Values.charts.umsKeycloakExtensions.version }}"
values:
- "values-ums-keycloak-extensions.yaml.gotmpl"
needs:
- "ums-keycloak"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-keycloak-bootstrap"
chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
version: "{{ .Values.charts.umsKeycloakBootstrap.version }}"
values:
- "values-ums-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums-keycloak"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
values:
- "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums-keycloak-bootstrap"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-gateway"
chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "{{ .Values.charts.nginx.version }}"

320
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl Normal file
View File

@@ -0,0 +1,320 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.opendeskKeycloakBootstrap.repository }}"
tag: "{{ .Values.images.opendeskKeycloakBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
custom:
clientScopes:
- name: "read_contacts"
protocol: "openid-connect"
- name: "write_contacts"
protocol: "openid-connect"
- name: "opendesk"
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients:
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk"
- name: "opendesk-intercom"
clientId: "opendesk-intercom"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
protocolMappers:
- name: "intercom-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "opendesk-intercom"
id.token.claim: false
access.token.claim: true
# temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
# it to `opendesk_useruuid` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
- name: "entryuuid_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "entryuuid"
jsonType.label: "String"
# temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
# set it to `opendesk_username` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
- name: "phoenixusername_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "phoenixusername"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "offline_access"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
defaultClientScopes:
- "opendesk"
- "profile"
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
optionalClientScopes:
- "email"
- "profile"
# This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
# is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- name: "matrix"
clientId: "matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
standardFlowEnabled: true
directAccessGrantsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "read_contacts"
- "write_contacts"
- name: "opendesk-openproject"
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "profile"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "read_contacts"
- "write_contacts"
- name: "opendesk-xwiki"
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
- "address"
- "email"
- "profile"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
resources:
{{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
...

2
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
View File

@@ -14,7 +14,7 @@ stackDataContext:
ldapBase: {{ .Values.ldap.baseDn | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
idpSamlMetadataUrl: {{ printf "https://%s.%s%s" .Values.global.hosts.keycloak .Values.global.domain "/realms/souvap/protocol/saml/descriptor" | quote }}
idpSamlMetadataUrl: {{ printf "https://%s.%s/%s/%s/%s" .Values.global.hosts.keycloak .Values.global.domain "realms" .Values.platform.realm "protocol/saml/descriptor" | quote }}
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}

80
helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl Normal file
View File

@@ -0,0 +1,80 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
loginLinks:
- link_number: 1
language: "de"
description: "Passwort vergessen?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
- link_number: 1
language: "en"
description: "Forgot password?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
ums:
ldap:
internalHostname: {{ .Values.ldap.host | quote }}
baseDN: {{ .Values.ldap.baseDn | quote }}
readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
mappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
saml:
serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
twoFactorAuthentication:
enabled: true
group: "2fa-users"
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
...

51
helmfile/apps/keycloak/values-extensions.gotmpl → helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
View File

@@ -5,7 +5,11 @@ SPDX-License-Identifier: Apache-2.0
---
global:
keycloak:
host: "ums-keycloak:8080"
adminUsername: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
adminRealm: "master"
realm: {{ .Values.platform.realm | quote }}
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
@@ -17,30 +21,65 @@ global:
handler:
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
appConfig:
captchaProtectionEnable: false
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
resources:
{{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
postgresql:
enabled: false
proxy:
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
paths:
- pathType: "Prefix"
path: "/realms"
- pathType: "Prefix"
path: "/resources"
- pathType: "Prefix"
path: "/fingerprintjs"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
resources:
{{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
...

56
helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl Normal file
View File

@@ -0,0 +1,56 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsKeycloak.repository | quote }}
tag: {{ .Values.images.umsKeycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
config:
admin:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
database:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
theme:
univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
...

10
helmfile/apps/xwiki/values.gotmpl
View File

@@ -29,10 +29,10 @@ customConfigs:
xwiki.authentication.ldap.groupcache_expiration: 300
"xwiki.properties":
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
"oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo"
"oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
"oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
"oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
"oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
"url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
"workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
@@ -46,7 +46,7 @@ properties:
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
## Link LDAP users and users authenticated through OIDC
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
ingress:
enabled: {{ .Values.ingress.enabled }}

8
helmfile/apps/xwiki/values.yaml
View File

@@ -22,13 +22,13 @@ customConfigs:
xwiki.authentication.ldap.update_photo: 1
xwiki.properties:
oidc.scope: "openid,profile,email,address,phoenix"
oidc.scope: "openid,profile,email,address,opendesk"
oidc.endpoint.userinfo.method: "GET"
oidc.user.nameFormater: "${oidc.user.phoenixusername._clean._lowerCase}"
oidc.user.subjectFormater: "${oidc.user.phoenixusername._lowerCase}"
oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
# yamllint disable-line rule:line-length
oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
oidc.clientid: "xwiki"
oidc.clientid: "opendesk-xwiki"
oidc.endpoint.token.auth_method: "client_secret_basic"
oidc.skipped: false
oidc.logoutMechanism: "rpInitiated"

10
helmfile/environments/default/_helper.gotmpl
View File

@@ -1,10 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ldap:
host: "ums-ldap-server"
notifierHost: "ums-ldap-notifier"
baseDn: "dc=swp-ldap,dc=internal"
...

11
helmfile/environments/default/_helper.yaml Normal file
View File

@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ldap:
host: "ums-ldap-server"
notifierHost: "ums-ldap-notifier"
baseDn: "dc=swp-ldap,dc=internal"
## Define Keycloak realmname for openDesk
platform:
realm: "opendesk"
...

80
helmfile/environments/default/charts.yaml
View File

@@ -85,7 +85,7 @@ charts:
repository: "sovereign-workplace/souvap/tooling/charts/dovecot"
name: "dovecot"
oci: true
version: "1.3.6"
version: "1.3.7"
verify: true
username: ~
password: ~
@@ -165,37 +165,52 @@ charts:
username: ~
password: ~
keycloak:
# renovate:
# registryUrl=https://registry-1.docker.io
# packageName=bitnamicharts/keycloak
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "keycloak"
oci: true
version: "12.1.5"
verify: true
username: ~
password: ~
keycloakBootstrap:
umsKeycloak:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap
# packageName=souvap/tooling/charts/univention-keycloak/ums-keycloak
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap"
name: "sovereign-workplace-keycloak-bootstrap"
repository: "sovereign-workplace/souvap/tooling/charts/univention-keycloak"
name: "ums-keycloak"
oci: true
version: "1.1.12"
version: "1.0.1"
verify: true
username: ~
password: ~
keycloakExtensions:
umsKeycloakBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention-keycloak-bootstrap"
name: "ums-keycloak-bootstrap"
oci: true
version: "1.0.1"
verify: true
username: ~
password: ~
opendeskKeycloakBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-keycloak-bootstrap"
name: "opendesk-keycloak-bootstrap"
oci: true
version: "1.0.3"
verify: true
username: ~
password: ~
umsKeycloakExtensions:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable
# packageName=keycloak-extensions
@@ -209,21 +224,6 @@ charts:
username: ~
password: ~
keycloakTheme:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/keycloak-theme/opendesk-keycloak-theme
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/keycloak-theme"
name: "opendesk-keycloak-theme"
oci: true
version: "2.0.0"
verify: true
username: ~
password: ~
mariadb:
# renovate:
# registryUrl=https://registry.opencode.de
@@ -457,7 +457,7 @@ charts:
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-otterize"
name: "opendesk-otterize"
oci: true
version: "1.1.6"
version: "1.2.0"
verify: true
username: ~
password: ~
@@ -531,7 +531,7 @@ charts:
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse"
oci: true
version: "2.6.0"
version: "2.6.2"
verify: true
username: ~
password: ~
@@ -674,7 +674,7 @@ charts:
repository: "api/v4/projects/155/packages/helm/stable"
name: "stack-data-swp"
oci: false
version: "0.39.3"
version: "0.39.4"
username: ~
password: ~

33
helmfile/environments/default/images.yaml
View File

@@ -100,36 +100,35 @@ images:
repository: "jitsi/jvb"
tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
# @supplier: "Nordeck"
keycloak:
umsKeycloak:
# renovate:
# registryUrl=https://docker.io
# registryUrl=https://docker.software-univention.de
# dependencyType=vendor
repository: "bitnami/keycloak"
tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
repository: "keycloak-keycloak"
tag: "22.0.3-ucs1@sha256:6b17a63d4c6bc60f9c645902f8dbb7ad094a867065e40c43cc81c867c1b8ba00"
# @supplier: "Univention"
keycloakUnivention:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/keycloak-app-on-use-base-manpub-tr"
tag: "latest"
# @supplier: "Univention"
keycloakBootstrap:
umsKeycloakBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=service
repository: "souvap/tooling/images/ansible"
tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
repository: "souvap/tooling/images/univention-keycloak-bootstrap"
tag: "1.0.5@sha256:81ccf77e5af77385e4d0c4ff6a7df2cec11691ea76c6c23c36eb1ef0d51ad687"
# @supplier: "Univention"
opendeskKeycloakBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=service
repository: "souvap/tooling/images/opendesk-keycloak-bootstrap"
tag: "1.0.3@sha256:b9c18294bdf5b3b79caa789e899403bbf1b485f05a0be3e09895e5161506d4a8"
# @supplier: "openDesk DevSecOps"
keycloakExtensionHandler:
umsKeycloakExtensionHandler:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
# @supplier: "Univention"
keycloakExtensionProxy:
umsKeycloakExtensionProxy:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor

27
helmfile/environments/default/resources.yaml
View File

@@ -95,28 +95,35 @@ resources:
requests:
cpu: 0.1
memory: "384Mi"
keycloak:
opendeskKeycloakBootstrap:
limits:
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "256Mi"
umsKeycloak:
limits:
cpu: 99
memory: "2Gi"
requests:
cpu: 0.1
memory: "512Mi"
keycloakExtension:
limits:
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "48Mi"
keycloakBootstrap:
umsKeycloakBootstrap:
limits:
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "256Mi"
keycloakProxy:
umsKeycloakExtensionHandler:
limits:
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "48Mi"
umsKeycloakExtensionProxy:
limits:
cpu: 99
memory: "256Mi"

1
helmfile/environments/default/secrets.gotmpl
View File

@@ -49,6 +49,7 @@ secrets:
keycloak:
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
clientSecret:
dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }}
intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
jitsi: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum | quote }}