fix(helmfile): Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element

helmfile/apps/cryptpad/helmfile.yaml

@@ -20,8 +20,7 @@ releases:
     chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
     version: "{{ .Values.charts.cryptpad.version }}"
     values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
-      - "values.gotmpl"
     installed: {{ .Values.cryptpad.enabled }}
 
 commonLabels:

helmfile/apps/cryptpad/values.gotmpl

@@ -1,33 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
-  tag: {{ .Values.images.cryptpad.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  className: {{ .Values.ingress.ingressClassName | quote }}
-  hosts:
-    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-      paths:
-        - path: "/"
-          pathType: "ImplementationSpecific"
-  tls:
-    - secretName: {{ .Values.ingress.tls.secretName | quote }}
-      hosts:
-        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-
-replicaCount: {{ .Values.replicas.cryptpad }}
-
-resources:
-  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
-...

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -22,9 +22,30 @@ enableEmbedding: true
 
 fullnameOverride: "cryptpad"
 
+image:
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
 ingress:
+  enabled: {{ .Values.ingress.enabled }}
   annotations:
     nginx.org/websocket-services: "cryptpad"
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
 
 persistence:
   enabled: false
@@ -32,6 +53,11 @@ persistence:
 podSecurityContext:
   fsGroup: 4001
 
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -48,4 +74,5 @@ serviceAccount:
   create: true
 
 workloadStateful: false
+
 ...

helmfile/apps/element/helmfile.yaml

@@ -88,8 +88,7 @@ releases:
     chart: "element-repo/{{ .Values.charts.element.name }}"
     version: "{{ .Values.charts.element.version }}"
     values:
-      - "values-element.yaml"
+      - "values-element.yaml.gotmpl"
-      - "values-element.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -97,8 +96,7 @@ releases:
     chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
     version: "{{ .Values.charts.elementWellKnown.version }}"
     values:
-      - "values-well-known.yaml"
+      - "values-well-known.yaml.gotmpl"
-      - "values-well-known.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -106,8 +104,7 @@ releases:
     chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
     version: "{{ .Values.charts.synapseWeb.version }}"
     values:
-      - "values-synapse-web.yaml"
+      - "values-synapse-web.yaml.gotmpl"
-      - "values-synapse-web.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -115,8 +112,7 @@ releases:
     chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
     version: "{{ .Values.charts.synapse.version }}"
     values:
-      - "values-synapse.yaml"
+      - "values-synapse.yaml.gotmpl"
-      - "values-synapse.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -124,8 +120,7 @@ releases:
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-      - "values-matrix-user-verification-service-bootstrap.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -133,8 +128,7 @@ releases:
     chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
     version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
-      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.yaml.gotmpl"
-      - "values-matrix-user-verification-service.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -142,8 +136,7 @@ releases:
     chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
     version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
-      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.yaml.gotmpl"
-      - "values-matrix-neoboard-widget.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -151,8 +144,7 @@ releases:
     chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
     version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
     values:
-      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.yaml.gotmpl"
-      - "values-matrix-neochoice-widget.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -160,8 +152,7 @@ releases:
     chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
     version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
-      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.yaml.gotmpl"
-      - "values-matrix-neodatefix-widget.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -169,8 +160,7 @@ releases:
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -178,8 +168,7 @@ releases:
     chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
     version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
-      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.yaml.gotmpl"
-      - "values-matrix-neodatefix-bot.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 

helmfile/apps/element/values-element.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-element.yaml.gotmpl

@@ -1,15 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 configuration:
   additionalConfiguration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -105,6 +96,27 @@ configuration:
 
   welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -119,11 +131,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.element }}
 
 resources:
   {{ .Values.resources.element | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neoboard-widget.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -1,8 +1,20 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -23,11 +35,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
 
 resources:
   {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neochoice-widget.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -1,8 +1,20 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -23,11 +35,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
 
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 resources:
   {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml

@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  username: "meetings-bot"
-  pod: "opendesk-synapse-0"
-  secretName: "matrix-neodatefix-bot-account"
-...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -1,22 +1,24 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
   deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
   password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
 
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
   url: {{ .Values.images.synapseCreateUser.repository | quote }}
   tag: {{ .Values.images.synapseCreateUser.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
 ...

helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl

@@ -1,37 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-configuration:
-  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
-  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
-  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-persistence:
-  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
-
-resources:
-  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
-...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -1,11 +1,18 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 configuration:
   bot:
     username: "meetings-bot"
     displayname: "Terminplaner Bot"
-
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   strings:
     breakoutSessionWidgetName: "Breakoutsessions"
     calendarRoomName: "Terminplaner"
@@ -36,10 +43,27 @@ extraEnvVars:
         name: "matrix-neodatefix-bot-account"
         key: "access_token"
 
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
 # TODO: The health endpoint does not work with the haproxy configuration, yet
 livenessProbe:
   enabled: false
 
+persistence:
+  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
 podSecurityContext:
   enabled: true
   fsGroup: 101
@@ -47,4 +71,10 @@ podSecurityContext:
 # TODO: The health endpoint does not work with the haproxy configuration, yet
 readinessProbe:
   enabled: false
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  bot:
-    username: "meetings-bot"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -1,8 +1,24 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+configuration:
+  bot:
+    username: "meetings-bot"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -23,11 +39,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
 
 resources:
   {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml

@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  username: "uvs"
-  pod: "opendesk-synapse-0"
-  secretName: "opendesk-matrix-user-verification-service-account"
-...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -1,22 +1,24 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
   deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
   password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
 
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
   url: {{ .Values.images.synapseCreateUser.repository | quote }}
   tag: {{ .Values.images.synapseCreateUser.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
 ...

helmfile/apps/element/values-matrix-user-verification-service.gotmpl

@@ -1,23 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
-  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
-  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-
-replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
-
-resources:
-  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
-...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -25,7 +25,26 @@ extraEnvVars:
   - name: "UVS_DISABLE_IP_BLACKLIST"
     value: "true"
 
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
 podSecurityContext:
   enabled: true
   fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-synapse-web.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -1,8 +1,20 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -24,8 +36,13 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 replicaCount: {{ .Values.replicas.synapseWeb }}
 
 resources:
   {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-synapse.yaml

@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  additionalConfiguration:
-    user_directory:
-      enabled: true
-      search_all_users: true
-    room_prejoin_state:
-      additional_event_types:
-        - "m.space.parent"
-        - "net.nordeck.meetings.metadata"
-        - "m.room.power_levels"
-    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
-    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
-    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
-    rc_login:
-      account:
-        per_second: 2
-        burst_count: 8
-      address:
-        per_second: 2
-        burst_count: 12
-
-  homeserver:
-    guestModule:
-      enabled: true
-    oidc:
-      clientId: "opendesk-matrix"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 10991
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 10991
-
-readinessProbe:
-  initialDelaySeconds: 15
-  periodSeconds: 5
-
-...

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -1,22 +1,27 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
-  repository: {{ .Values.images.synapse.repository | quote }}
-  tag: {{ .Values.images.synapse.tag | quote }}
-
 configuration:
+  additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
+    room_prejoin_state:
+      additional_event_types:
+        - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
+        - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
+
   database:
     host: {{ .Values.databases.synapse.host | quote }}
     name: {{ .Values.databases.synapse.name | quote }}
@@ -36,6 +41,7 @@ configuration:
         sender_localpart: intercom-service
 
     oidc:
+      clientId: "opendesk-matrix"
       clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
       issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
 
@@ -53,18 +59,54 @@ configuration:
         {{- end }}
 
     guestModule:
+      enabled: true
       image:
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
         registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
         repository: {{ .Values.images.synapseGuestModule.repository | quote }}
         tag: {{ .Values.images.synapseGuestModule.tag | quote }}
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
+  repository: {{ .Values.images.synapse.repository | quote }}
+  tag: {{ .Values.images.synapse.tag | quote }}
+
 persistence:
   size: {{ .Values.persistence.size.synapse | quote }}
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+
+readinessProbe:
+  initialDelaySeconds: 15
+  periodSeconds: 5
+
 replicaCount: {{ .Values.replicas.synapse }}
 
 resources:
   {{ .Values.resources.synapse | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-well-known.yaml

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  e2ee:
-    forceDisable: true
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -1,8 +1,24 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+configuration:
+  e2ee:
+    forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -24,8 +40,13 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 replicaCount: {{ .Values.replicas.wellKnown }}
 
 resources:
   {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+
 ...

helmfile/apps/intercom-service/helmfile.yaml

@@ -20,8 +20,7 @@ releases:
     chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
     version: "{{ .Values.charts.intercomService.version }}"
     values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
-      - "values.gotmpl"
     installed: {{ .Values.intercom.enabled }}
 
 commonLabels:

helmfile/apps/intercom-service/values.yaml

@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-ics:
-  oidc:
-    id: "opendesk-intercom"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-...

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -1,8 +1,19 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -19,6 +30,7 @@ ics:
   default:
     domain: {{ .Values.global.domain | quote }}
   oidc:
+    id: "opendesk-intercom"
     secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
   matrix:
     asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -52,8 +64,14 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+
 replicaCount: {{ .Values.replicas.intercomService }}
 
 resources:
   {{ .Values.resources.intercomService | toYaml | nindent 2 }}
+
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -17,8 +17,7 @@ releases:
     chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
     version: "{{ .Values.charts.oxConnector.version }}"
     values:
-      - "values-oxconnector.yaml"
+      - "values-oxconnector.yaml.gotmpl"
-      - "values-oxconnector.gotmpl"
     installed: {{ .Values.oxConnector.enabled }}
 
 commonLabels:

helmfile/apps/provisioning/values-oxconnector.yaml

@@ -1,41 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-ingress:
-  enabled: false
-
-oxConnector:
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  tlsMode: "off"
-  caCert: "ucctempldapstring"
-  debugLevel: "5"
-  oxDefaultContext: "1"
-  oxLocalTimezone: "Europe/Berlin"
-  oxLanguage: "de_DE"
-  oxSmtpServer: "smtp://127.0.0.1:587"
-  oxImapServer: "imap://127.0.0.1:143"
-
-## Container deployment probes
-probes:
-  liveness:
-    enabled: true
-    initialDelaySeconds: 120
-    timeoutSeconds: 3
-    periodSeconds: 30
-    failureThreshold: 3
-    successThreshold: 1
-
-  readiness:
-    enabled: true
-    initialDelaySeconds: 30
-    timeoutSeconds: 3
-    periodSeconds: 15
-    failureThreshold: 30
-    successThreshold: 1
-
-
-serviceAccount:
-  create: true
-
-...

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
@@ -14,21 +12,54 @@ imagePullSecrets:
   - name: {{ . | quote }}
 {{- end }}
 
-persistence:
+ingress:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  enabled: false
 
 oxConnector:
+  caCert: "ucctempldapstring"
+  debugLevel: "5"
   domainName: {{ .Values.global.domain | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
   logLevel: {{ .Values.debug.logLevel | quote }}
-  #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  tlsMode: "off"
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  oxDefaultContext: "1"
+  oxImapServer: "imap://127.0.0.1:143"
+  oxLocalTimezone: "Europe/Berlin"
+  oxLanguage: "de_DE"
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+  oxSmtpServer: "smtp://127.0.0.1:587"
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  oxDefaultContext: "1"
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+## Container deployment probes
+probes:
+  liveness:
+    enabled: true
+    initialDelaySeconds: 120
+    timeoutSeconds: 3
+    periodSeconds: 30
+    failureThreshold: 3
+    successThreshold: 1
+
+  readiness:
+    enabled: true
+    initialDelaySeconds: 30
+    timeoutSeconds: 3
+    periodSeconds: 15
+    failureThreshold: 30
+    successThreshold: 1
+
+serviceAccount:
+  create: true
+
 ...

helmfile/apps/services/helmfile.yaml

@@ -111,7 +111,7 @@ releases:
     chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
     version: "{{ .Values.charts.otterize.version }}"
     values:
-      - "values-otterize.gotmpl"
+      - "values-otterize.yaml.gotmpl"
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
@@ -119,7 +119,7 @@ releases:
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"
     values:
-      - "values-certificates.gotmpl"
+      - "values-certificates.yaml.gotmpl"
     installed: {{ .Values.certificates.enabled }}
     timeout: 900
 
@@ -127,8 +127,7 @@ releases:
     chart: "redis-repo/{{ .Values.charts.redis.name }}"
     version: "{{ .Values.charts.redis.version }}"
     values:
-      - "values-redis.gotmpl"
+      - "values-redis.yaml.gotmpl"
-      - "values-redis.yaml"
     installed: {{ .Values.redis.enabled }}
     timeout: 900
 
@@ -136,8 +135,7 @@ releases:
     chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
     version: "{{ .Values.charts.memcached.version }}"
     values:
-      - "values-memcached.yaml"
+      - "values-memcached.yaml.gotmpl"
-      - "values-memcached.gotmpl"
     installed: {{ .Values.memcached.enabled }}
     timeout: 900
 
@@ -145,8 +143,7 @@ releases:
     chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
     version: "{{ .Values.charts.postgresql.version }}"
     values:
-      - "values-postgresql.yaml"
+      - "values-postgresql.yaml.gotmpl"
-      - "values-postgresql.gotmpl"
     installed: {{ .Values.postgresql.enabled }}
     timeout: 900
 
@@ -154,8 +151,7 @@ releases:
     chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
     version: "{{ .Values.charts.mariadb.version }}"
     values:
-      - "values-mariadb.yaml"
+      - "values-mariadb.yaml.gotmpl"
-      - "values-mariadb.gotmpl"
     installed: {{ .Values.mariadb.enabled }}
     timeout: 900
 
@@ -163,8 +159,7 @@ releases:
     chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
     version: "{{ .Values.charts.postfix.version }}"
     values:
-      - "values-postfix.yaml"
+      - "values-postfix.yaml.gotmpl"
-      - "values-postfix.gotmpl"
     installed: {{ .Values.postfix.enabled }}
     timeout: 900
 
@@ -172,8 +167,7 @@ releases:
     chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
     version: "{{ .Values.charts.clamav.version }}"
     values:
-      - "values-clamav-distributed.yaml"
+      - "values-clamav-distributed.yaml.gotmpl"
-      - "values-clamav-distributed.gotmpl"
     installed: {{ .Values.clamavDistributed.enabled }}
     timeout: 900
 
@@ -181,8 +175,7 @@ releases:
     chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
     version: "{{ .Values.charts.clamavSimple.version }}"
     values:
-      - "values-clamav-simple.yaml"
+      - "values-clamav-simple.yaml.gotmpl"
-      - "values-clamav-simple.gotmpl"
     installed: {{ .Values.clamavSimple.enabled }}
     timeout: 900
 
@@ -190,8 +183,7 @@ releases:
     chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
     version: "{{ .Values.charts.istioResources.version }}"
     values:
-      - "values-istio-gateway.yaml"
+      - "values-istio-gateway.yaml.gotmpl"
-      - "values-istio-gateway.gotmpl"
     installed: {{ .Values.istio.enabled }}
     timeout: 900
 
@@ -199,8 +191,7 @@ releases:
     chart: "minio-repo/{{ .Values.charts.minio.name }}"
     version: "{{ .Values.charts.minio.version }}"
     values:
-      - "values-minio.yaml"
+      - "values-minio.yaml.gotmpl"
-      - "values-minio.gotmpl"
     installed: {{ .Values.minio.enabled }}
     timeout: 900
 

helmfile/apps/services/values-clamav-distributed.yaml

@@ -1,80 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  enabled: true
-  readOnlyRootFilesystem: true
-
-clamd:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-
-freshclam:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-
-icap:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-
-milter:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-...

helmfile/apps/services/values-clamav-distributed.yaml.gotmpl

@@ -1,27 +1,60 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
 clamd:
-  podSecurityContext:
+  containerSecurityContext:
-  replicaCount: {{ .Values.replicas.clamd }}
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
     repository: {{ .Values.images.clamd.repository | quote }}
     tag: {{ .Values.images.clamd.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.clamd }}
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
 freshclam:
-  podSecurityContext:
+  containerSecurityContext:
-  replicaCount: {{ .Values.replicas.freshclam }}
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
     repository: {{ .Values.images.freshclam.repository | quote }}
     tag: {{ .Values.images.freshclam.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.freshclam }}
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -30,23 +63,54 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 icap:
-  replicaCount: {{ .Values.replicas.icap }}
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
     repository: {{ .Values.images.icap.repository | quote }}
     tag: {{ .Values.images.icap.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.icap }}
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
 milter:
-  podSecurityContext:
+  containerSecurityContext:
-  replicaCount: {{ .Values.replicas.milter }}
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
     repository: {{ .Values.images.milter.repository | quote }}
     tag: {{ .Values.images.milter.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.milter }}
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 

helmfile/apps/services/values-clamav-simple.yaml

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 100
-  runAsGroup: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-  fsGroupChangePolicy: "Always"
-...

helmfile/apps/services/values-clamav-simple.yaml.gotmpl

@@ -1,9 +1,20 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-replicaCount: {{ .Values.replicas.clamav }}
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
   clamav:
@@ -17,14 +28,18 @@ image:
     tag: {{ .Values.images.icap.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-resources:
-  {{ .Values.resources.clamd | toYaml | nindent 4 }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.clamav | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+
+replicaCount: {{ .Values.replicas.clamav }}
+
+resources:
+  {{ .Values.resources.clamd | toYaml | nindent 4 }}
+
 ...

helmfile/apps/services/values-istio-gateway.gotmpl

@@ -1,13 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.istio.domain | quote }}
-  hosts:
-    openxchange: {{ .Values.global.hosts.openxchange | quote }}
-
-tls:
-  secretName: "{{ .Values.istio.domain }}-tls"
-...

helmfile/apps/services/values-istio-gateway.yaml.gotmpl

@@ -1,6 +1,12 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  domain: {{ .Values.istio.domain | quote }}
+  hosts:
+    openxchange: {{ .Values.global.hosts.openxchange | quote }}
+
 tls:
   httpsRedirect: false
+  secretName: "{{ .Values.istio.domain }}-tls"
 ...

helmfile/apps/services/values-mariadb.yaml

@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-job:
-  enabled: true
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-
-replicaCount: 1
-...

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -1,24 +1,35 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
   repository: {{ .Values.images.mariadb.repository | quote }}
   tag: {{ .Values.images.mariadb.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
-# Please refer to `databases.yaml` for details.
 job:
+  enabled: true
   retries: 10
   wait: 30
   users:
@@ -43,6 +54,14 @@ persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.mariadb | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+replicaCount: 1
+
 resources:
   {{ .Values.resources.mariadb | toYaml | nindent 2 }}
+
 ...

helmfile/apps/services/values-memcached.yaml

@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1001
-  runAsNonRoot: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-
-serviceAccount:
-  create: true
-...

helmfile/apps/services/values-memcached.yaml.gotmpl

@@ -1,8 +1,18 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+
 global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -17,4 +27,7 @@ replicaCount: {{ .Values.replicas.memcached }}
 
 resources:
   {{ .Values.resources.memcached | toYaml | nindent 2 }}
+
+serviceAccount:
+  create: true
 ...

helmfile/apps/services/values-minio.gotmpl

@@ -1,79 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
-  repository: "{{ .Values.images.minio.repository }}"
-  tag: "{{ .Values.images.minio.tag }}"
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
-
-auth:
-  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
-
-statefulset:
-  replicaCount: {{ .Values.replicas.minioDistributed }}
-
-resources:
-  {{ .Values.resources.minio | toYaml | nindent 2 }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName }}
-  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
-  extraTls:
-    - hosts:
-      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
-      secretName: "{{ .Values.ingress.tls.secretName }}"
-
-apiIngress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName }}
-  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-  extraTls:
-    - hosts:
-      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-      secretName: "{{ .Values.ingress.tls.secretName }}"
-
-metrics:
-  serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
-  prometheusRule:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
-
-persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
-  size: "{{ .Values.persistence.size.minio }}"
-
-provisioning:
-  users:
-    - username: "openproject_user"
-      password: {{ .Values.secrets.minio.openprojectUser | quote }}
-      disabled: false
-      policies:
-        - "openproject-bucket-policy"
-      setPolicies: true
-    - username: "openxchange_user"
-      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
-      disabled: false
-      policies:
-        - "openxchange-bucket-policy"
-      setPolicies: true
-    - username: "ums_user"
-      password: {{ .Values.secrets.minio.umsUser | quote }}
-      disabled: false
-      policies:
-        - "ums-bucket-policy"
-      setPolicies: true
-    - username: "nextcloud_user"
-      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
-      disabled: false
-      policies:
-        - "nextcloud-bucket-policy"
-      setPolicies: true
-...

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -1,11 +1,20 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-mode: "standalone"
+apiIngress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"
 
-podSecurityContext:
+auth:
-  enabled: true
+  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
-  fsGroup: 1000
 
 containerSecurityContext:
   enabled: true
@@ -19,19 +28,53 @@ containerSecurityContext:
   seccompProfile:
     type: "RuntimeDefault"
 
+defaultBuckets: "openproject,openxchange,ums,nextcloud"
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
+  repository: "{{ .Values.images.minio.repository }}"
+  tag: "{{ .Values.images.minio.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
 ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
   annotations:
     nginx.org/websocket-services: "minio"
 
-apiIngress:
+livenessProbe:
-  annotations:
+  enabled: true
-    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+  initialDelaySeconds: 5
-    nginx.org/client-max-body-size: "4G"
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+mode: "standalone"
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  prometheusRule:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
 
 networkPolicy:
   enabled: false
 
-defaultBuckets: "openproject,openxchange,ums,nextcloud"
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+
+persistence:
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.minio }}"
 
 provisioning:
   enabled: true
@@ -99,12 +142,31 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
-
+  users:
-livenessProbe:
+    - username: "openproject_user"
-  enabled: true
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
-  initialDelaySeconds: 5
+      disabled: false
-  periodSeconds: 10
+      policies:
-  timeoutSeconds: 10
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
+    - username: "ums_user"
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
 
 readinessProbe:
   enabled: true
@@ -112,8 +174,15 @@ readinessProbe:
   periodSeconds: 10
   timeoutSeconds: 10
 
+resources:
+  {{ .Values.resources.minio | toYaml | nindent 2 }}
+
 startupProbe:
   enabled: true
   periodSeconds: 10
   timeoutSeconds: 10
+
+statefulset:
+  replicaCount: {{ .Values.replicas.minioDistributed }}
+
 ...

helmfile/apps/services/values-postfix.yaml

@@ -1,37 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-certificate:
-  request:
-    enabled: false
-
-containerSecurityContext:
-  allowPrivilegeEscalation: true
-  capabilities: {}
-  enabled: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsNonRoot: false
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-postfix:
-  hostname: "postfix"
-  inetProtocols: "ipv4"
-  smtpSASLAuthEnable: "yes"
-  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
-  smtpUseTLS: "yes"
-  smtpdSASLAuthEnable: "no"
-  smtpdSASLSecurityOptions: "noanonymous"
-  smtpdSASLType: "dovecot"
-  smtpdUseTLS: "yes"
-  smtpdTLSCertFile: "/etc/tls/tls.crt"
-  smtpdKeyFile: "/etc/tls/tls.key"
-  milterDefaultAction: "accept"
-  rspamdHost: ""
-  amavisHost: ""
-  amavisPortIn: ""
-...

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -1,8 +1,20 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+certificate:
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
+  request:
+    enabled: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
 global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -13,29 +25,45 @@ image:
   tag: {{ .Values.images.postfix.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-certificate:
+persistence:
-  secretName: {{ .Values.ingress.tls.secretName | quote }}
+  size: {{ .Values.persistence.size.postfix | quote }}
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
 
 postfix:
+  amavisHost: ""
+  amavisPortIn: ""
   domain: {{ .Values.global.domain | quote }}
-  virtualMailboxDomains: {{ .Values.global.domain | quote }}
+  hostname: "postfix"
+  inetProtocols: "ipv4"
+  milterDefaultAction: "accept"
   overrides:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
+  rspamdHost: ""
   relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
   relayNets: {{ .Values.cluster.networking.cidr | quote}}
-  virtualTransport: "lmtps:dovecot:24"
+  smtpSASLAuthEnable: "yes"
+  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
+  smtpUseTLS: "yes"
+  smtpdSASLAuthEnable: "no"
+  smtpdSASLSecurityOptions: "noanonymous"
+  smtpdSASLType: "dovecot"
+  smtpdUseTLS: "yes"
+  smtpdTLSCertFile: "/etc/tls/tls.crt"
+  smtpdKeyFile: "/etc/tls/tls.key"
   smtpdSASLPath: "inet:dovecot:3659"
   {{- if .Values.clamavDistributed.enabled }}
   smtpdMilters: "inet:clamav-milter:7357"
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-
+  virtualMailboxDomains: {{ .Values.global.domain | quote }}
-persistence:
+  virtualTransport: "lmtps:dovecot:24"
-  size: {{ .Values.persistence.size.postfix | quote }}
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
 
 replicaCount: {{ .Values.replicas.postfix }}
 

helmfile/apps/services/values-postgresql.yaml

@@ -1,30 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1001
-  runAsGroup: 1001
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-job:
-  image:
-    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-
-postgres:
-  user: "postgres"
-
-replicaCount: 1
-...

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -1,8 +1,31 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+job:
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+postgres:
+  user: "postgres"
+
+replicaCount: 1
+
 global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -12,6 +35,8 @@ image:
   repository: {{ .Values.images.postgresql.repository | quote }}
   tag: {{ .Values.images.postgresql.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  image:
+    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 
 job:
   users:

helmfile/apps/services/values-redis.yaml

@@ -1,15 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-architecture: "standalone"
-
-sentinel:
-  enabled: false
-
-metrics:
-  enabled: false
-
-master:
-  containerSecurityContext:
-    readOnlyRootFilesystem: true
-...

helmfile/apps/services/values-redis.yaml.gotmpl

@@ -1,8 +1,8 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+architecture: "standalone"
+
 auth:
   password: {{ .Values.secrets.redis.password | quote }}
 
@@ -18,10 +18,18 @@ image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
   count: {{ .Values.replicas.redis }}
   persistence:
     size: {{ .Values.persistence.size.redis | quote }}
-
   resources:
     {{ .Values.resources.redis | toYaml | nindent 4 }}
+
+metrics:
+  enabled: false
+
+sentinel:
+  enabled: false
+
 ...

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -215,8 +215,7 @@ releases:
     chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
     version: "{{ .Values.charts.nginx.version }}"
     values:
-      - "values-ums-stack-gateway.gotmpl"
+      - "values-ums-stack-gateway.yaml.gotmpl"
-      - "values-ums-stack-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -224,10 +223,8 @@ releases:
     chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
     version: "{{ .Values.charts.umsStoreDav.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-store-dav.yaml.gotmpl"
-      - "values-store-dav.gotmpl"
-      - "values-store-dav.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -235,10 +232,8 @@ releases:
     chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
     version: "{{ .Values.charts.umsLdapServer.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-ldap-server.yaml.gotmpl"
-      - "values-ldap-server.gotmpl"
-      - "values-ldap-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -246,10 +241,8 @@ releases:
     chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
     version: "{{ .Values.charts.umsLdapNotifier.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-ldap-notifier.yaml.gotmpl"
-      - "values-ldap-notifier.gotmpl"
-      - "values-ldap-notifier.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -257,10 +250,8 @@ releases:
     chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
     version: "{{ .Values.charts.umsUdmRestApi.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-udm-rest-api.yaml.gotmpl"
-      - "values-udm-rest-api.gotmpl"
-      - "values-udm-rest-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -268,10 +259,8 @@ releases:
     chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
     version: "{{ .Values.charts.umsStackDataUms.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-stack-data-ums.yaml.gotmpl"
-      - "values-stack-data-ums.gotmpl"
-      - "values-stack-data-ums.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -279,10 +268,8 @@ releases:
     chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
     version: "{{ .Values.charts.umsStackDataSwp.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-stack-data-swp.yaml.gotmpl"
-      - "values-stack-data-swp.gotmpl"
-      - "values-stack-data-swp.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -290,10 +277,8 @@ releases:
     chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
     version: "{{ .Values.charts.umsPortalServer.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-portal-server.yaml.gotmpl"
-      - "values-portal-server.gotmpl"
-      - "values-portal-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -301,10 +286,8 @@ releases:
     chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
     version: "{{ .Values.charts.umsNotificationsApi.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-notifications-api.yaml.gotmpl"
-      - "values-notifications-api.gotmpl"
-      - "values-notifications-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -312,10 +295,8 @@ releases:
     chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
     version: "{{ .Values.charts.umsPortalListener.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-portal-listener.yaml.gotmpl"
-      - "values-portal-listener.gotmpl"
-      - "values-portal-listener.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -323,10 +304,8 @@ releases:
     chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
     version: "{{ .Values.charts.umsPortalFrontend.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-portal-frontend.yaml.gotmpl"
-      - "values-portal-frontend.gotmpl"
-      - "values-portal-frontend.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -334,10 +313,8 @@ releases:
     chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
     version: "{{ .Values.charts.umsUmcGateway.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-umc-gateway.yaml.gotmpl"
-      - "values-umc-gateway.gotmpl"
-      - "values-umc-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -345,10 +322,8 @@ releases:
     chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
     version: "{{ .Values.charts.umsUmcServer.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-umc-server.yaml.gotmpl"
-      - "values-umc-server.gotmpl"
-      - "values-umc-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -356,10 +331,8 @@ releases:
     chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
     version: "{{ .Values.charts.umsSelfserviceListener.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-selfservice-listener.yaml.gotmpl"
-      - "values-selfservice-listener.gotmpl"
-      - "values-selfservice-listener.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -367,10 +340,8 @@ releases:
     chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
     version: "{{ .Values.charts.umsProvisioning.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-provisioning.yaml.gotmpl"
-      - "values-provisioning.gotmpl"
-      - "values-provisioning.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -378,10 +349,8 @@ releases:
     chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
     version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-guardian-management-api.yaml.gotmpl"
-      - "values-guardian-management-api.gotmpl"
-      - "values-guardian-management-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -389,10 +358,8 @@ releases:
     chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
     version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-guardian-management-ui.yaml.gotmpl"
-      - "values-guardian-management-ui.gotmpl"
-      - "values-guardian-management-ui.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -400,10 +367,8 @@ releases:
     chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
     version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-guardian-authorization-api.yaml.gotmpl"
-      - "values-guardian-authorization-api.gotmpl"
-      - "values-guardian-authorization-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
@@ -411,10 +376,8 @@ releases:
     chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
     version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
     values:
-      - "values-common.gotmpl"
+      - "values-common.yaml.gotmpl"
-      - "values-common.yaml"
+      - "values-open-policy-agent.yaml.gotmpl"
-      - "values-open-policy-agent.gotmpl"
-      - "values-open-policy-agent.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -1,10 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-ingress:
-  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-
-...

helmfile/apps/univention-management-stack/values-common.yaml.gotmpl

@@ -12,6 +12,8 @@ ingress:
   # controller. Those are encapsulated into the release "stack-gateway" so that
   # the compatibility with all ingress controllers is increased.
   enabled: false
+  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     # The TLS configuration is on the "master" Ingress, see "portal-frontend"
     enabled: false

helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl

@@ -1,21 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-guardianAuthorizationApi:
-  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -2,19 +2,34 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 guardianAuthorizationApi:
-  home: "/guardian_service_dir"
   guardianAuthzCorsAllowedOrigins: "*"
   guardianAuthzAdapterSettingsPort: "env"
   guardianAuthzAdapterAppPersistencePort: "udm_data"
   guardianAuthzAdapterPolicyPort: "opa"
   guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  isUniventionAppCenter: 0
+  guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
-  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
-  udmDataAdapterUsername: "cn=admin"
-  opaAdapterUrl: "http://ums-open-policy-agent/"
-  guardianAuthzLoggingLevel: "DEBUG"
   guardianAuthzLoggingStructured: false
   guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
+  home: "/guardian_service_dir"
+  isUniventionAppCenter: 0
+  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+  opaAdapterUrl: "http://ums-open-policy-agent/"
+  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
+  udmDataAdapterUsername: "cn=admin"
+  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
+  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -36,4 +51,5 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl

@@ -1,32 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-guardianManagementApi:
-  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
-    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -3,6 +3,7 @@
 ---
 guardianManagementApi:
   home: "/guardian_service_dir"
+  isUniventionAppCenter: 0
   guardianManagementCorsAllowedOrigins: "*"
   guardianManagementAdapterSettingsPort: "env"
   guardianManagementAdapterAppPersistencePort: "sql"
@@ -15,14 +16,38 @@ guardianManagementApi:
   guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
   guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
   guardianManagementAdapterResourceAuthorizationPort: "always"
-  isUniventionAppCenter: 0
-  sqlPersistenceAdapterDialect: "postgresql"
-  sqlPersistenceAdapterDbName: "postgres"
-  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
   guardianManagementLoggingLevel: "DEBUG"
   guardianManagementLoggingStructured: false
   guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   guardianManagementBaseUrl: "http://0.0.0.0:8000"
+  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
+  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+  sqlPersistenceAdapterDialect: "postgresql"
+  sqlPersistenceAdapterDbName: "postgres"
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
+  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+postgresql:
+  bundled: false
+  connection:
+    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+  auth:
+    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+
+resources:
+  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -44,4 +69,5 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml

@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianManagementUi:
-  viteManagementUiAdapterAuthenticationPort: "keycloak"
-  viteManagementUiAdapterDataPort: "api"
-  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl

@@ -1,9 +1,10 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
 guardianManagementUi:
+  viteManagementUiAdapterAuthenticationPort: "keycloak"
+  viteManagementUiAdapterDataPort: "api"
+  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
   viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
   viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -20,4 +21,26 @@ image:
 
 resources:
   {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml

@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-volumes:
-  claims:
-    shared-data: "shared-data-ums-ldap-server-0"
-    shared-run: "shared-run-ums-ldap-server-0"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl

@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
@@ -15,4 +13,19 @@ image:
 
 resources:
   {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
+volumes:
+  claims:
+    shared-data: "shared-data-ums-ldap-server-0"
+    shared-run: "shared-run-ums-ldap-server-0"
+
 ...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -1,36 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-ldapServer:
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsLdapServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-persistence:
-  data:
-    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  shared:
-    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
-resources:
-  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl

@@ -1,13 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-
-ldapServer:
-  waitForSamlMetadata: true
-
-service:
-  type: "ClusterIP"
-
 extraVolumes:
   - name: "opendesk-schemas"
     configMap:
@@ -30,6 +23,34 @@ extraVolumeMounts:
     mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
     subPath: "opendeskProjectmanagement.schema"
 
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+  repository: {{ .Values.images.umsLdapServer.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsLdapServer.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+  waitForDependency:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
+
+ldapServer:
+  waitForSamlMetadata: true
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+
+persistence:
+  data:
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+  shared:
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -51,4 +72,11 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
+service:
+  type: "ClusterIP"
+
+resources:
+  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
+
 ...

helmfile/apps/univention-management-stack/values-notifications-api.yaml

@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-notificationsapi:
-  apply_database_migrations: "True"
-  dev_mode: "False"
-  environment: "staging"
-  log_level: "DEBUG"
-  sql_echo: "False"
-  api_prefix: "/univention/portal/notifications-api"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl

@@ -1,18 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
-    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
-    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
   repository: {{ .Values.images.umsNotificationsApi.repository }}
@@ -23,6 +11,34 @@ image:
     - name: {{ . | quote }}
     {{- end }}
 
+notificationsapi:
+  apply_database_migrations: "True"
+  dev_mode: "False"
+  environment: "staging"
+  log_level: "DEBUG"
+  sql_echo: "False"
+  api_prefix: "/univention/portal/notifications-api"
+
+postgresql:
+  bundled: false
+  connection:
+    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
+    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
+  auth:
+    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+
 resources:
   {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl

@@ -1,18 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
-  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl

@@ -1,6 +1,16 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
+  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
 openPolicyAgent:
   isUniventionAppCenter: 0
   opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
@@ -9,6 +19,9 @@ openPolicyAgent:
   opaPollingMaxDelay: 15
   opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
 
+resources:
+  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
+
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -29,4 +42,5 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -1,24 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
-  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-extraIngresses:
-  master:
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-resources:
-  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl

@@ -12,6 +12,9 @@ extraIngresses:
   master:
     # Using "stack-gateway" currently.
     enabled: false
+    tls:
+      enabled: {{ .Values.ingress.tls.enabled }}
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
   # See "extraVolumeMounts" below
   custom-favicon:
@@ -24,27 +27,6 @@ extraIngresses:
         path: "/favicon.ico"
     tls: {}
 
-  # See "extraVolumeMounts" below
-  custom-branding:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.ingress.kubernetes.io/configuration-snippet: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/location-snippets: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      # This relies on the correct implementation of the matching for paths of
-      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
-      # store-dav.
-      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
-      - pathType: "Prefix"
-        path: "/univention/portal/icons/"
-      - pathType: "Prefix"
-        path: "/univention/portal/custom/"
-    tls: {}
-
 extraVolumes:
   - name: "opendesk-branding"
     configMap:
@@ -70,6 +52,40 @@ extraVolumeMounts:
     mountPath: "/var/www/html/custom/portal_background_image.svg"
     subPath: "portal_background_image.svg"
 
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
+  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+  # See "extraVolumeMounts" below
+  custom-branding:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/location-snippets: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      # This relies on the correct implementation of the matching for paths of
+      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
+      # store-dav.
+      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
+      - pathType: "Prefix"
+        path: "/univention/portal/icons/"
+      - pathType: "Prefix"
+        path: "/univention/portal/custom/"
+    tls: {}
+
+resources:
+  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
+
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -90,4 +106,5 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-portal-listener.yaml

@@ -1,36 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-portalListener:
-  debugLevel: "4"
-  tlsMode: "off"
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUsername: "cn=admin"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
-
-store-dav:
-  bundled: false
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -1,24 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-portalListener:
-  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
-
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUsername: "cn=admin"
-
-
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
   repository: {{ .Values.images.umsPortalListener.repository | quote }}
@@ -39,9 +21,55 @@ persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
 
+portalListener:
+  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
+  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
+
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+  debugLevel: "4"
+  tlsMode: "off"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
 resources:
   {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
 
 resourcesDependencyWaiter:
   {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
+
+store-dav:
+  bundled: false
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-portal-server.yaml

@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-portalServer:
-  authMode: "saml"
-  editable: "false"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  centralNavigation:
-    enabled: true
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -1,15 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-portalServer:
-  logLevel: {{ .Values.debug.logLevel | quote }}
-  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
-  centralNavigation:
-    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
   repository: {{ .Values.images.umsPortalServer.repository | quote }}
@@ -20,6 +11,40 @@ image:
     - name: {{ . | quote }}
     {{- end }}
 
+portalServer:
+  authMode: "saml"
+  editable: "false"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  logLevel: {{ .Values.debug.logLevel | quote }}
+  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
+  centralNavigation:
+    enabled: true
+    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+
 resources:
   {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-provisioning.yaml

@@ -1,15 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-provisioningApi:
-  rootPath: "/univention/provisioning-api"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -1,9 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
   repository: {{ .Values.images.umsProvisioning.repository | quote }}
@@ -14,6 +11,18 @@ image:
     - name: {{ . | quote }}
     {{- end }}
 
+provisioningApi:
+  rootPath: "/univention/provisioning-api"
+
 resources:
   {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml

@@ -1,31 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-selfserviceListener:
-  debugLevel: "4"
-  tlsMode: "off"
-  umcServerUrl: "http://ums-umc-server"
-  umcAdminUser: "default.admin"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl

@@ -3,16 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-selfserviceListener:
-
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-
 image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   pullSecrets:
@@ -45,4 +35,39 @@ resources:
 
 resourcesDependencyWaiter:
   {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
+
+selfserviceListener:
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
+  debugLevel: "4"
+  tlsMode: "off"
+  umcServerUrl: "http://ums-umc-server"
+  umcAdminUser: "default.admin"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-stackDataSwp:
-  udmApiUser: "cn=admin"
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
-
-stackDataContext:
-  ldapBase: "dc=swp-ldap,dc=internal"
-  oxDefaultContext: "1"
-  smtpStartTls: true
-
-additionalAnnotations:
-  intents.otterize.com/service-name: "ums-stack-data-swp"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl

@@ -1,15 +1,35 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-stackDataSwp:
+additionalAnnotations:
-  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  intents.otterize.com/service-name: "ums-stack-data-swp"
-  systemInformation:
+
-    deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+image:
-    releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
+  repository: {{ .Values.images.umsDataLoader.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsDataLoader.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 
 stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  oxDefaultContext: "1"
+  smtpStartTls: true
   ldapSearchUsers:
     {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
     - username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -36,16 +56,13 @@ stackDataContext:
   userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
   adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
 
-image:
+stackDataSwp:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
+  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  repository: {{ .Values.images.umsDataLoader.repository | quote }}
+  systemInformation:
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-  tag: {{ .Values.images.umsDataLoader.tag | quote }}
+    releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-  pullSecrets:
+  udmApiUser: "cn=admin"
-    {{- range .Values.global.imagePullSecrets }}
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
-    - name: {{ . | quote }}
+  loadDevData: true
-    {{- end }}
 
-resources:
-  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
 ...

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml

@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-stackDataUms:
-  loadDevData: true
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUser: "cn=admin"
-
-stackDataContext:
-  idpSamlMetadataUrlInternal: null
-  umcSamlSchemes: "https"
-  # The openDesk configuration brings its own UMC policies.
-  installUmcPolicies: false
-
-additionalAnnotations:
-  intents.otterize.com/service-name: "ums-stack-data-ums"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -1,25 +1,8 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-stackDataUms:
+additionalAnnotations:
-  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  intents.otterize.com/service-name: "ums-stack-data-ums"
-
-stackDataContext:
-  domainname: {{ .Values.global.domain | quote }}
-  externalMailDomain: {{ .Values.global.domain | quote }}
-  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapBase: {{ .Values.ldap.baseDn | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-
-  idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
-  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
-  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
@@ -33,4 +16,38 @@ image:
 
 resources:
   {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
+stackDataContext:
+  idpSamlMetadataUrlInternal: null
+  umcSamlSchemes: "https"
+  # The openDesk configuration brings its own UMC policies.
+  installUmcPolicies: false
+  domainname: {{ .Values.global.domain | quote }}
+  externalMailDomain: {{ .Values.global.domain | quote }}
+  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapBase: {{ .Values.ldap.baseDn | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+  idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
+  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
+
+
+stackDataUms:
+  loadDevData: true
+  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUser: "cn=admin"
+
 ...

helmfile/apps/univention-management-stack/values-store-dav.yaml

@@ -1,24 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-...

helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl

@@ -1,13 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-storeDav:
-  auth:
-    basicAuth:
-      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
-      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
   repository: {{ .Values.images.umsStoreDav.repository | quote }}
@@ -34,4 +27,32 @@ persistence:
 
 resources:
   {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
+storeDav:
+  auth:
+    basicAuth:
+      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
+      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
+
 ...

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -1,24 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-udmRestApi:
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
-  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl

@@ -1,10 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-udmRestApi:
-  # TODO: Stub value currently
-  caCert: ""
-
 extraVolumes:
   - name: "attribute-to-group-mapper-hook"
     configMap:
@@ -18,6 +14,19 @@ extraVolumeMounts:
     mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
     subPath: "flag_to_group_mapping.json"
 
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
+  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
+
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -38,4 +47,13 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
+udmRestApi:
+  # TODO: Stub value currently
+  caCert: ""
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  # TODO: Secret should be entered without b64enc
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+
 ...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -1,18 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
-  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl

@@ -21,6 +21,19 @@ extraVolumeMounts:
       /umc/icons/16x16/udm-portals-announcement.png"
     subPath: "udm-portals-announcement.png"
 
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
+  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
+
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -41,4 +54,5 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
 ...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -1,39 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-umcServer:
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-
-  smtpSecret: {{ .Values.smtp.password | quote }}
-
-postgresql:
-  connection:
-    host: {{ .Values.databases.umsSelfservice.host | quote }}
-    port: {{ .Values.databases.umsSelfservice.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsSelfservice.username | quote }}
-    database: {{ .Values.databases.umsSelfservice.name | quote }}
-    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-
-memcached:
-  server: {{ .Values.cache.umsSelfservice.host | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
-  repository: {{ .Values.images.umsUmcServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUmcServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl

@@ -1,10 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-umcServer:
-  certPemFile: "/var/secrets/ssl/tls.crt"
-  privateKeyFile: "/var/secrets/ssl/tls.key"
-
 extraVolumes:
   - name: "certificates"
     secret:
@@ -43,14 +39,36 @@ extraVolumeMounts:
     mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
     subPath: "udm-portals-announcement.xml"
 
-postgresql:
+image:
-  bundled: false
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
+  repository: {{ .Values.images.umsUmcServer.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsUmcServer.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
 
 memcached:
   bundled: false
   auth:
     username: null
     password: null
+  server: {{ .Values.cache.umsSelfservice.host | quote }}
+
+postgresql:
+  bundled: false
+  auth:
+    username: {{ .Values.databases.umsSelfservice.username | quote }}
+    database: {{ .Values.databases.umsSelfservice.name | quote }}
+    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+  connection:
+    host: {{ .Values.databases.umsSelfservice.host | quote }}
+    port: {{ .Values.databases.umsSelfservice.port | quote }}
+
+resources:
+  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -72,4 +90,14 @@ securityContext:
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"
+
+umcServer:
+  certPemFile: "/var/secrets/ssl/tls.crt"
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  # TODO: Secret should be entered without b64enc
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  smtpSecret: {{ .Values.smtp.password | quote }}
+  privateKeyFile: "/var/secrets/ssl/tls.key"
+
 ...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
-  repository: {{ .Values.images.umsStackGateway.repository | quote }}
-  tag: {{ .Values.images.umsStackGateway.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  extraTls:
-    - hosts:
-        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -1,18 +1,45 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+fullnameOverride: "ums-stack-gateway"
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
+  repository: {{ .Values.images.umsStackGateway.repository | quote }}
+  tag: {{ .Values.images.umsStackGateway.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
 ingress:
   annotations:
     # Ensure that the ingress controller can handle responses with plenty of
     # headers. This is a requirement from the UDM Rest API.
     nginx.org/proxy-buffer-size: "64k"
     nginx.org/proxy-buffers: "4 128k"
+  enabled: {{ .Values.ingress.enabled }}
+  extraTls:
+    - hosts:
+        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls: false
 
-service:
+podSecurityContext:
-  type: "ClusterIP"
+  enabled: true
+  fsGroup: 1001
 
-fullnameOverride: "ums-stack-gateway"
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
 
 # The content of the "serverBlock" does resemble the Ingress configuration of
 # the UMS components. The "location" entries do intentionally reflect precisely
@@ -260,20 +287,7 @@ serverBlock: |
 
   }
 
-podSecurityContext:
+service:
-  enabled: true
+  type: "ClusterIP"
-  fsGroup: 1001
 
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsUser: 1001
-  runAsNonRoot: true
-  seccompProfile:
-    type: "RuntimeDefault"
 ...