diff --git a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl index 4dbbbb3c..712c3caa 100644 --- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl +++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl 
@@ -5,37 +5,126 @@ SPDX-License-Identifier: Apache-2.0 --- keycloak: enabled: true + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak" replicaCount: {{ .Values.replicas.keycloak }} resources: {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }} -guardian: +nubusGuardian: authorizationApi: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-guardian-authorization-api" + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "Always" replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }} resources: {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }} managementApi: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-guardian-management-api" + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "Always" replicaCount: {{ .Values.replicas.umsGuardianManagementApi }} resources: {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true 
+ runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }} managementUi: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-guardian-management-ui" replicaCount: {{ .Values.replicas.umsGuardianManagementUi }} resources: - {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}# + {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }} openPolicyAgent: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} + podSecurityContext: + fsGroup: 1000 + fsGroupChangePolicy: "Always" podAnnotations: intents.otterize.com/service-name: "ums-ums-open-policy-agent" replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }} resources: {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }} provisioning: # Using openDesk keycloak provisioning enabled: false 
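Review bot: `keycloak.containerSecurityContext.readOnlyRootFilesystem: false` is the only component in this file left with a writable root filesystem, and the hunk gives no reason for the exception. If the Keycloak image needs a writable path at runtime, record that and prefer an `emptyDir` for just that path; a comment such as `# readOnlyRootFilesystem disabled: Keycloak writes to its data/tmp dirs at start-up (TODO: mount emptyDir and re-enable)` keeps the exception from quietly surviving future reviews. Separately, the unchanged OPA annotation `intents.otterize.com/service-name: "ums-ums-open-policy-agent"` has a doubled `ums-` prefix unlike its siblings; if Otterize intents are keyed on that name, a mismatch means no intent matches the OPA workload, so please confirm it is the intended name.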
@@ -43,9 +132,24 @@ guardian: nubusNotificationsApi: additionalAnnotations: intents.otterize.com/service-name: "ums-notifications-api" + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} serviceAccount: - annotations: - intended.usage: "compliance" + create: true replicaCount: {{ .Values.replicas.umsNotificationsApi }} resources: {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }} @@ -53,7 +157,40 @@ nubusNotificationsApi: nubusUmcServer: additionalAnnotations: intents.otterize.com/service-name: "ums-umc-server" + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + runAsUser: 0 + runAsGroup: 0 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: false + seLinuxOptions: + {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} + containerSecurityContextInit: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + runAsUser: 0 + runAsGroup: 0 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: false + seLinuxOptions: + {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + proxy: + replicaCount: {{ .Values.replicas.umsUmcServerProxy }} replicaCount: {{ .Values.replicas.umsUmcServer }} + resources: {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }} selfService: 
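Review bot: Replacing `serviceAccount.annotations.intended.usage: "compliance"` with `serviceAccount.create: true` drops the annotation outright rather than adding to it, here and in the other hunks that make the same swap. If anything (policy engine, audit export) selects service accounts by that annotation, those workloads silently fall out of scope; if the annotation was dead, a commit-message line saying so would help. Also, `create: true` leaves `automountServiceAccountToken` at the chart default, so if these services do not talk to the API server consider adding `automountServiceAccountToken: false` next to it.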
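Review bot: `nubusUmcServer` is the only workload in this file that runs as root (`runAsUser: 0`, `runAsNonRoot: false`) for both the main container and the init container, and nothing in the hunk says why. Dropping all capabilities and `allowPrivilegeEscalation: false` limit the damage, but root still owns every file the container can see, so a comment such as `# runs as root: the umc-server image currently requires it (TODO: track non-root support)` would make the exception reviewable rather than accidental. The new `proxy:` sub-block sets only `replicaCount`; the Traefik image this commit adds for it (see images.yaml) gets no `resources` or security context from this file, so either the chart's defaults cover it or it should receive the same `containerSecurityContext` block as the other components — worth confirming.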
@@ -75,19 +212,36 @@ nubusUmcServer: nubusKeycloakExtensions: handler: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-extensions-handler" resources: {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + seLinuxOptions: + {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }} proxy: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-extensions-proxy" resources: {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + seLinuxOptions: + {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }} nubusPortalConsumer: + image: + pullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-portal-consumer" replicaCount: {{ .Values.replicas.umsPortalConsumer }} 
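Review bot: `nubusKeycloakExtensions.handler.securityContext` and `.proxy.securityContext` set only `seccompProfile` and `seLinuxOptions`, while every other component in this commit also gets `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities.drop: ["ALL"]`. If that chart's `securityContext` is the container-level one, those three lines belong here too; if it is pod-level, at least `runAsNonRoot: true` still applies. The proxy also reuses `.Values.seLinuxOptions.umsKeycloakExtensionHandler`; the selinux.yaml hunk shows no `umsKeycloakExtensionProxy` key between the handler entry and `umsLdapNotifier`, so this looks deliberate, but a comment like `# no dedicated key; shares the handler's SELinux options` would say so.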
@@ -99,29 +253,70 @@ nubusPortalConsumer: storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} size: {{ .Values.persistence.size.nubus.portalConsumer | quote }} -nubusPortalConsumer: - podAnnotations: - intents.otterize.com/service-name: "ums-portal-consumer" - replicaCount: {{ .Values.replicas.umsPortalConsumer }} + +nubusUdmListener: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 102 + runAsGroup: 65534 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + replicaCount: {{ .Values.replicas.umsUdmListener }} resources: - {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }} - resourcesWaitForDependency: - {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }} - persistence: - storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.nubus.portalConsumer | quote }} + {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }} nubusPortalServer: additionalAnnotations: intents.otterize.com/service-name: "ums-portal-server" + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} serviceAccount: - annotations: - intended.usage: "compliance" + create: true replicaCount: {{ .Values.replicas.umsPortalServer }} resources: {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }} nubusLdapNotifier: + containerSecurityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 101 + runAsGroup: 102 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} podAnnotations: intents.otterize.com/service-name: "ums-ldap-notifier" replicaCount: {{ .Values.replicas.umsLdapNotifier }} @@ -129,6 +324,8 @@ nubusLdapNotifier: {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }} nubusLdapServer: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} highAvailabilityMode: false replicaCountPrimary: 1 replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }} @@ -136,8 +333,7 @@ nubusLdapServer: additionalAnnotations: intents.otterize.com/service-name: "ums-ldap-server" serviceAccount: - annotations: - intended.usage: "compliance" + create: true initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} persistence: @@ -199,9 +395,24 @@ nubusLdapServer: nubusPortalFrontend: additionalAnnotations: intents.otterize.com/service-name: "ums-portal-frontend" + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} serviceAccount: - annotations: - intended.usage: "compliance" + create: true replicaCount: {{ .Values.replicas.umsPortalFrontend }} resources: {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }} 
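Review bot: The numeric IDs in this hunk are unexplained — `nubusUdmListener` runs as `runAsUser: 102` with `runAsGroup: 65534` (nogroup), and `nubusLdapNotifier` as `101`/`102`, while everything else uses `1000`/`1000`. These presumably match the users baked into the respective images, but without a comment the next maintainer cannot tell whether `65534` is intentional or a leftover; a line such as `# uid/gid of the listener user in the provisioning-udm-listener image` above each block would settle it. Note also that `runAsNonRoot: true` plus `readOnlyRootFilesystem: true` means any path these processes write must be volume-mounted, which is worth a smoke test given the non-default IDs.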
@@ -219,6 +430,22 @@ nubusStackDataUms: {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }} nubusSelfServiceConsumer: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} podAnnotations: intents.otterize.com/service-name: "ums-selfservice-listener" resources: @@ -228,6 +455,22 @@ nubusSelfServiceConsumer: nubusUdmRestApi: additionalAnnotations: intents.otterize.com/service-name: "ums-udm-rest-api" + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} serviceAccount: annotations: intended.usage: "compliance" @@ -238,6 +481,22 @@ nubusUdmRestApi: replicaCount: {{ .Values.replicas.umsUdmRestApi }} nubusUmcGateway: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsUmcGateway }} resources: {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }} 
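Review bot: `nubusUdmRestApi.serviceAccount` still carries `annotations: intended.usage: "compliance"` (unchanged context lines) while the neighbouring components in this commit replace that annotation with `create: true`. If the swap is a deliberate file-wide policy, this block was missed; if the annotation is still wanted for the REST API, the other hunks removed it without replacement. Either way the inconsistency should be resolved in the same change, e.g. `create: true` under `serviceAccount` here, or the annotation restored elsewhere.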
@@ -252,17 +511,56 @@ nubusKeycloakBootstrap: {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }} nubusProvisioning: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + replicaCount: + dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }} + udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }} + prefill: {{ .Values.replicas.umsProvisioningPrefill }} + api: {{ .Values.replicas.umsProvisioningApi }} + serviceAccount: - annotations: - intended.usage: "compliance" + create: true nats: + config: + cluster: + replicas: {{ .Values.replicas.umsProvisioningNats }} + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} resources: {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }} additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-nats" serviceAccount: - annotations: - intended.usage: "compliance" + create: true api: resources: {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }} diff --git a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl index 92e73d46..c88ea074 100644 --- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl +++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl 
@@ -3,17 +3,22 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic SPDX-License-Identifier: Apache-2.0 */}} --- +global: + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + keycloak: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }} repository: {{ .Values.images.nubusKeycloak.repository }} tag: {{ .Values.images.nubusKeycloak.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusKeycloakBootstrap: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }} repository: {{ .Values.images.nubusKeycloakBootstrap.repository }} tag: {{ .Values.images.nubusKeycloakBootstrap.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusKeycloakExtensions: handler: 
@@ -21,18 +26,21 @@ nubusKeycloakExtensions: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }} repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }} tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} proxy: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }} repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }} tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusLdapNotifier: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }} repository: {{ .Values.images.nubusLdapNotifier.repository }} tag: {{ .Values.images.nubusLdapNotifier.tag }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusLdapServer: ldapServer: 
@@ -40,28 +48,33 @@ nubusLdapServer: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }} repository: {{ .Values.images.nubusLdapServer.repository }} tag: {{ .Values.images.nubusLdapServer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} dhInitcontainer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }} repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }} tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} waitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusNotificationsApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }} repository: {{ .Values.images.nubusNotificationsApi.repository }} tag: {{ .Values.images.nubusNotificationsApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusPortalFrontend: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }} repository: {{ .Values.images.nubusPortalFrontend.repository }} tag: {{ .Values.images.nubusPortalFrontend.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusPortalConsumer: portalConsumer: 
@@ -69,17 +82,20 @@ nubusPortalConsumer: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }} repository: {{ .Values.images.nubusPortalConsumer.repository }} tag: {{ .Values.images.nubusPortalConsumer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} waitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusPortalServer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }} repository: {{ .Values.images.nubusPortalServer.repository }} tag: {{ .Values.images.nubusPortalServer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusProvisioning: api: 
@@ -87,72 +103,84 @@ nubusProvisioning: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }} repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }} tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} dispatcher: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }} repository: {{ .Values.images.nubusProvisioningDispatcher.repository }} tag: {{ .Values.images.nubusProvisioningDispatcher.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} udmTransformer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }} repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }} tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} prefill: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }} repository: {{ .Values.images.nubusProvisioningPrefill.repository }} tag: {{ .Values.images.nubusProvisioningPrefill.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} registerConsumers: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nats: nats: - image: - registry: {{ coalesce .Values.repositories.image.dockerHub 
.Values.global.imageRegistry .Values.images.nubusNats.registry | quote }} - repository: {{ .Values.images.nubusNats.repository }} - tag: {{ .Values.images.nubusNats.tag }} + image: + registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }} + repository: {{ .Values.images.nubusNats.repository }} + tag: {{ .Values.images.nubusNats.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} reloader: - image: - registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }} - repository: {{ .Values.images.nubusNatsReloader.repository }} - tag: {{ .Values.images.nubusNatsReloader.tag }} + image: + registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }} + repository: {{ .Values.images.nubusNatsReloader.repository }} + tag: {{ .Values.images.nubusNatsReloader.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} natsBox: - image: - registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }} - repository: {{ .Values.images.nubusNatsBox.repository }} - tag: {{ .Values.images.nubusNatsBox.tag }} + image: + registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }} + repository: {{ .Values.images.nubusNatsBox.repository }} + tag: {{ .Values.images.nubusNatsBox.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusProvisioningEventsAndConsumerApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }} repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }} tag: {{ 
.Values.images.nubusProvisioningEventsAndConsumerApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusProvisioningPrefill: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }} repository: {{ .Values.images.nubusProvisioningPrefill.repository }} tag: {{ .Values.images.nubusProvisioningPrefill.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusUdmListener: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }} repository: {{ .Values.images.nubusProvisioningUdmListener.repository }} tag: {{ .Values.images.nubusProvisioningUdmListener.tag }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} -nubusSelfServiceListener: - selfserviceInvitation: - image: - registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }} - repository: {{ .Values.images.nubusSelfserviceInvitation.repository }} - tag: {{ .Values.images.nubusSelfserviceInvitation.tag }} +nubusSelfServiceConsumer: + image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }} + repository: {{ .Values.images.nubusSelfServiceConsumer.repository }} + tag: {{ .Values.images.nubusSelfServiceConsumer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} waitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} 
nubusUdmRestApi: udmRestApi: @@ -160,24 +188,36 @@ nubusUdmRestApi: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }} repository: {{ .Values.images.nubusUdmRestApi.repository }} tag: {{ .Values.images.nubusUdmRestApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusUmcGateway: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }} repository: {{ .Values.images.nubusUmcGateway.repository }} tag: {{ .Values.images.nubusUmcGateway.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusUmcServer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }} repository: {{ .Values.images.nubusUmcServer.repository }} tag: {{ .Values.images.nubusUmcServer.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + proxy: + image: + registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }} + repository: {{ .Values.images.nubusUmcServerProxy.repository }} + tag: {{ .Values.images.nubusUmcServerProxy.tag }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusWaitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusGuardian: 
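Review bot: The image pull policy key is inconsistent across this file: `nubusUmcGateway.image` and `nubusUmcServer.image` set both `imagePullPolicy` and `pullPolicy`, `nubusLdapNotifier`, `nubusUdmListener` and the new `nubusUmcServer.proxy` use only `pullPolicy`, and everything else uses `imagePullPolicy`. Helm does not reject unknown values keys unless the chart ships a `values.schema.json`, so whichever spelling a chart does not read is silently ignored and the pod falls back to the chart's default policy — setting both keys hides that uncertainty rather than resolving it. Check each chart's `values.yaml` for the key it actually templates and keep just that one, e.g. drop the surplus `pullPolicy: {{ .Values.global.imagePullPolicy | quote }}` line for the gateway and server. Since every image is pinned by digest the policy mostly affects availability rather than integrity, but a silently ignored value is still a footgun.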
@@ -186,29 +226,35 @@ nubusGuardian: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }} repository: {{ .Values.images.nubusGuardianProvisioning.repository }} tag: {{ .Values.images.nubusGuardianProvisioning.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} authorizationApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }} repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }} tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} managementApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }} repository: {{ .Values.images.nubusGuardianManagementApi.repository }} tag: {{ .Values.images.nubusGuardianManagementApi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} managementUi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }} repository: {{ .Values.images.nubusGuardianManagementUi.repository }} tag: {{ .Values.images.nubusGuardianManagementUi.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} openPolicyAgent: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }} repository: {{ .Values.images.nubusOpenPolicyAgent.repository }} tag: {{ .Values.images.nubusOpenPolicyAgent.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusStackDataUms: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry 
.Values.images.nubusDataLoader.registry | quote }} repository: {{ .Values.images.nubusDataLoader.repository }} tag: {{ .Values.images.nubusDataLoader.tag }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml index 9a010c0d..c3aa470e 100644 --- a/helmfile/environments/default/images.yaml +++ b/helmfile/environments/default/images.yaml @@ -480,7 +480,7 @@ images: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer" tag: "0.39.0@sha256:64166fae60856da544698b601b70037a93239e9f6072ced890cd5965fab148dc" - nubusSelfserviceInvitation: + nubusSelfServiceConsumer: # providerCategory: "Supplier" # providerResponsible: "Univention" # upstreamRegistry: "https://artifacts.software-univention.de" @@ -489,7 +489,7 @@ images: # upstreamMirrorStartFrom: ["0", "3", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation" - tag: "0.7.2@sha256:a204a74575d4aed5f343d4ab4838fd6b11b4ae0d1a61e5cc464a5fde6d16ec37" + tag: "0.7.3@sha256:7eb99ca8e7b5af321c45a515d7999ec421a3644e34c47028e90b627e8af9d39d" nubusUdmRestApi: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -520,6 +520,14 @@ images: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server" tag: "0.30.0@sha256:78e20377a8cb3f6c5efa004a52aee444345e71d91e02e414c86c2a2631de5822" + nubusUmcServerProxy: + # providerCategory: "Supplier" + # providerResponsible: "Univention" + # upstreamRegistry: "https://registry-1.docker.io" + # upstreamRepository: "traefik" + registry: "registry-1.docker.io" + repository: "traefik" + tag: "3.0@sha256:a208c74fd80a566d4ea376053bff73d31616d7af3f1465a7747b8b89ee34d97e" nubusWaitForDependency: # providerCategory: "Supplier" # providerResponsible: "Univention" 
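Review bot: `nubusUmcServerProxy` is pulled straight from `registry-1.docker.io/traefik`, whereas the Univention images in this file are served from the `registry.opencode.de` mirror with `upstreamMirrorStartFrom` metadata. The NATS images already follow the Docker Hub pattern, so this may be the accepted policy for third-party images, but the comment block here omits the mirror fields the other entries carry — add `# upstreamMirrorStartFrom` (or a note that Docker Hub is intentional) so the supply-chain story is explicit. The digest pin on `3.0@sha256:…` is the right call; because the digest wins over the floating `3.0` tag, bumping Traefik means changing the digest, not just the tag.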
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml index 4eb683c5..aa23c87b 100644 --- a/helmfile/environments/default/replicas.yaml +++ b/helmfile/environments/default/replicas.yaml @@ -75,6 +75,8 @@ replicas: umsGuardianManagementUi: 1 # -- scalable: tbd umsGuardianOpenPolicyAgent: 1 + # -- scalable: tbd + umsKeycloak: 1 # -- scalable: false # -- comment: Should not be scaled, is an async process. umsKeycloakExtensionsHandler: 1 @@ -97,16 +99,30 @@ replicas: umsPortalConsumer: 1 # -- scalable: true umsPortalServer: 1 + # -- scalable: tdb + umsProvisioningApi: 1 + # -- scalable: false + umsProvisioningDispatcher: 1 + # -- scalable: tdb + umsProvisioningNats: 1 + # -- scalable: tdb + umsProvisioningPrefill: 1 + # -- scalable: false + umsProvisioningUdmTransformer: 1 # -- scalable: tbd umsSelfserviceConsumer: 1 # -- scalable: tbd umsStackGateway: 1 # -- scalable: true + umsUdmListener: 1 + # -- scalable: tbd umsUdmRestApi: 1 # -- scalable: tbd umsUmcGateway: 1 # -- scalable: tbd umsUmcServer: 1 + # -- scalable: tbd + umsUmcServerProxy: 1 # -- component: Video conference (Jitsi) # -- scalable: tbd diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml index 173cfa8d..7520dee8 100644 --- a/helmfile/environments/default/resources.yaml +++ b/helmfile/environments/default/resources.yaml @@ -513,20 +513,6 @@ resources: requests: cpu: 0.1 memory: "256Mi" - umsPortalConsumer: - limits: - cpu: 99 - memory: "1Gi" - requests: - cpu: 0.1 - memory: "256Mi" - umsPortalConsumerDependencies: - limits: - cpu: 99 - memory: "1Gi" - requests: - cpu: 0.1 - memory: "256Mi" umsPortalServer: limits: cpu: 99 @@ -597,6 +583,13 @@ resources: requests: cpu: 0.1 memory: "16Mi" + umsUdmListener: + limits: + cpu: 99 + memory: "1Gi" + requests: + cpu: 0.1 + memory: "256Mi" umsUdmRestApi: limits: cpu: 99 
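Review bot: `replicas.umsKeycloak: 1` is added, but the customization template reads `.Values.replicas.keycloak` (`replicaCount: {{ .Values.replicas.keycloak }}` in the first hunk of values-opendesk-customization.yaml.gotmpl). Unless `replicas.keycloak` is already defined elsewhere in this file, the new key is unused and the template renders an empty or `<no value>` replica count; either rename the reference to `umsKeycloak` or drop the new key. The comments also read `# -- scalable: tdb` for four of the new entries where the rest of the file uses `tbd`.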
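Review bot: `resources.umsPortalConsumer` and `resources.umsPortalConsumerDependencies` are removed here, but the commit only deletes the duplicate `nubusPortalConsumer` block in values-opendesk-customization.yaml.gotmpl; the surviving block's `resources:` lines sit between the shown hunks (around new lines 248-252) and are not visible in this diff. If they still reference these keys, `toYaml` on the missing value renders `resources: null` and the portal-consumer pods lose their CPU/memory limits without any error. Please confirm the remaining block was updated, or keep the two keys — an unused entry in resources.yaml is harmless.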
diff --git a/helmfile/environments/default/selinux.yaml b/helmfile/environments/default/selinux.yaml index c243fda2..9aa770d1 100644 --- a/helmfile/environments/default/selinux.yaml +++ b/helmfile/environments/default/selinux.yaml @@ -68,6 +68,7 @@ seLinuxOptions: umsGuardianAuthorizationApi: ~ umsGuardianManagementApi: ~ umsGuardianManagementUi: ~ + umsGuardianOpenPolicyAgent: ~ umsKeycloak: ~ umsKeycloakBootstrap: ~ umsKeycloakExtensionHandler: ~ @@ -75,20 +76,16 @@ seLinuxOptions: umsLdapNotifier: ~ umsLdapServer: ~ umsNotificationsApi: ~ - umsOpenPolicyAgent: ~ umsPortalFrontend: ~ umsPortalConsumer: ~ umsPortalServer: ~ - umsProvisioningDispatcher: ~ - umsProvisioningEventsAndConsumerApi: ~ + umsProvisioning: ~ umsProvisioningNats: ~ - umsProvisioningNatsBox: ~ - umsProvisioningNatsReloader: ~ - umsProvisioningUdmListener: ~ umsSelfserviceInvitation: ~ umsSelfserviceConsumer: ~ umsStackGateway: ~ umsStoreDav: ~ + umsUdmListener: ~ umsUdmRestApi: ~ umsUmcGateway: ~ umsUmcServer: ~
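Review bot: `umsSelfserviceInvitation: ~` survives this cleanup although the component it named is renamed to `nubusSelfServiceConsumer` in images.yaml and the customization file only references `seLinuxOptions.umsSelfserviceConsumer`. It is probably stale in the same way as the `umsProvisioning*` entries removed here; if nothing else consumes it, drop it in the same commit. Since all of these values are `~` in this default environment, nothing sets an SELinux label here — fine as a placeholder, but note that `toYaml` on null renders `seLinuxOptions: null`, which Kubernetes treats as unset rather than as an error.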