diff --git a/helmfile/apps/cryptpad/helmfile.yaml b/helmfile/apps/cryptpad/helmfile.yaml
index dd7a83aa..40d3e25a 100644
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -20,8 +20,7 @@ releases:
chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
version: "{{ .Values.charts.cryptpad.version }}"
values:
- - "values.yaml"
- - "values.gotmpl"
+ - "values.yaml.gotmpl"
installed: {{ .Values.cryptpad.enabled }}
commonLabels:
diff --git a/helmfile/apps/cryptpad/values.gotmpl b/helmfile/apps/cryptpad/values.gotmpl
deleted file mode 100644
index 5600da7a..00000000
--- a/helmfile/apps/cryptpad/values.gotmpl
+++ /dev/null
@@ -1,33 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
- repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
- tag: {{ .Values.images.cryptpad.tag | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
-{{- end }}
-
-ingress:
- enabled: {{ .Values.ingress.enabled }}
- className: {{ .Values.ingress.ingressClassName | quote }}
- hosts:
- - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
- paths:
- - path: "/"
- pathType: "ImplementationSpecific"
- tls:
- - secretName: {{ .Values.ingress.tls.secretName | quote }}
- hosts:
- - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-
-replicaCount: {{ .Values.replicas.cryptpad }}
-
-resources:
- {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/cryptpad/values.yaml b/helmfile/apps/cryptpad/values.yaml.gotmpl
similarity index 55%
rename from helmfile/apps/cryptpad/values.yaml
rename to helmfile/apps/cryptpad/values.yaml.gotmpl
index 7959b2b7..138f5b36 100644
--- a/helmfile/apps/cryptpad/values.yaml
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -22,9 +22,30 @@ enableEmbedding: true
fullnameOverride: "cryptpad"
+image:
+ repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+ tag: {{ .Values.images.cryptpad.tag | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+{{- end }}
+
ingress:
+ enabled: {{ .Values.ingress.enabled }}
annotations:
nginx.org/websocket-services: "cryptpad"
+ className: {{ .Values.ingress.ingressClassName | quote }}
+ hosts:
+ - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+ paths:
+ - path: "/"
+ pathType: "ImplementationSpecific"
+ tls:
+ - secretName: {{ .Values.ingress.tls.secretName | quote }}
+ hosts:
+ - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
persistence:
enabled: false
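Review bot: The `imagePullSecrets:` key added here renders as a bare key when `.Values.global.imagePullSecrets` is empty, because the `range` then emits nothing and YAML reads `imagePullSecrets:` as `null` rather than an empty list. Whether the cryptpad chart tolerates `null` here depends on how it consumes the value, which is not visible in this diff. A range/else branch keeps the rendered value a list in both cases: `{{- else }}` followed by `  []` before the existing `{{- end }}`. The sibling element values files sidestep this by passing the list through `toYaml`, but that does not fit this chart's `- name:` shape.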
@@ -32,6 +53,11 @@ persistence:
podSecurityContext:
fsGroup: 4001
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+ {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -48,4 +74,5 @@ serviceAccount:
create: true
workloadStateful: false
+
...
diff --git a/helmfile/apps/element/helmfile.yaml b/helmfile/apps/element/helmfile.yaml
index 08f18d26..b91d44b5 100644
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -88,8 +88,7 @@ releases:
chart: "element-repo/{{ .Values.charts.element.name }}"
version: "{{ .Values.charts.element.version }}"
values:
- - "values-element.yaml"
- - "values-element.gotmpl"
+ - "values-element.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -97,8 +96,7 @@ releases:
chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
version: "{{ .Values.charts.elementWellKnown.version }}"
values:
- - "values-well-known.yaml"
- - "values-well-known.gotmpl"
+ - "values-well-known.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -106,8 +104,7 @@ releases:
chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
version: "{{ .Values.charts.synapseWeb.version }}"
values:
- - "values-synapse-web.yaml"
- - "values-synapse-web.gotmpl"
+ - "values-synapse-web.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -115,8 +112,7 @@ releases:
chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
version: "{{ .Values.charts.synapse.version }}"
values:
- - "values-synapse.yaml"
- - "values-synapse.gotmpl"
+ - "values-synapse.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -124,8 +120,7 @@ releases:
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}"
values:
- - "values-matrix-user-verification-service-bootstrap.yaml"
- - "values-matrix-user-verification-service-bootstrap.gotmpl"
+ - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -133,8 +128,7 @@ releases:
chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
version: "{{ .Values.charts.matrixUserVerificationService.version }}"
values:
- - "values-matrix-user-verification-service.yaml"
- - "values-matrix-user-verification-service.gotmpl"
+ - "values-matrix-user-verification-service.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -142,8 +136,7 @@ releases:
chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
values:
- - "values-matrix-neoboard-widget.yaml"
- - "values-matrix-neoboard-widget.gotmpl"
+ - "values-matrix-neoboard-widget.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -151,8 +144,7 @@ releases:
chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
values:
- - "values-matrix-neochoice-widget.yaml"
- - "values-matrix-neochoice-widget.gotmpl"
+ - "values-matrix-neochoice-widget.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -160,8 +152,7 @@ releases:
chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
values:
- - "values-matrix-neodatefix-widget.yaml"
- - "values-matrix-neodatefix-widget.gotmpl"
+ - "values-matrix-neodatefix-widget.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -169,8 +160,7 @@ releases:
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}"
values:
- - "values-matrix-neodatefix-bot-bootstrap.yaml"
- - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
+ - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -178,8 +168,7 @@ releases:
chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
values:
- - "values-matrix-neodatefix-bot.yaml"
- - "values-matrix-neodatefix-bot.gotmpl"
+ - "values-matrix-neodatefix-bot.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
diff --git a/helmfile/apps/element/values-element.yaml b/helmfile/apps/element/values-element.yaml
deleted file mode 100644
index 2e1906bb..00000000
--- a/helmfile/apps/element/values-element.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 101
- runAsNonRoot: true
- runAsUser: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-...
diff --git a/helmfile/apps/element/values-element.gotmpl b/helmfile/apps/element/values-element.yaml.gotmpl
similarity index 93%
rename from helmfile/apps/element/values-element.gotmpl
rename to helmfile/apps/element/values-element.yaml.gotmpl
index 38e8e760..80b81f69 100644
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -1,15 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-global:
- domain: {{ .Values.global.domain | quote }}
- hosts:
- {{ .Values.global.hosts | toYaml | nindent 4 }}
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
configuration:
additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -105,6 +96,27 @@ configuration:
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -119,11 +131,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
- {{ .Values.theme | toYaml | nindent 2 }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
replicaCount: {{ .Values.replicas.element }}
resources:
{{ .Values.resources.element | toYaml | nindent 2 }}
+
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
...
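Review bot: The relocated `podSecurityContext:` block is inserted directly after the `secretName:` context line and is followed by `replicaCount:` with no blank line on either side, while every other top-level stanza in this file (and `podSecurityContext` in values-synapse-web.yaml.gotmpl) is separated by one blank line. The same pattern appears in the corresponding hunks of values-matrix-neoboard-widget.yaml.gotmpl, values-matrix-neochoice-widget.yaml.gotmpl and values-matrix-neodatefix-widget.yaml.gotmpl. Adding a blank line before `podSecurityContext:` and after `fsGroup: 101` keeps the stanza layout consistent across the element values files.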
diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.yaml b/helmfile/apps/element/values-matrix-neoboard-widget.yaml
deleted file mode 100644
index 2e1906bb..00000000
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 101
- runAsNonRoot: true
- runAsUser: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-...
diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
similarity index 66%
rename from helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
rename to helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
index 369656f9..67b46f34 100644
--- a/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,8 +1,20 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -23,11 +35,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
- {{ .Values.theme | toYaml | nindent 2 }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
resources:
{{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/element/values-matrix-neochoice-widget.yaml b/helmfile/apps/element/values-matrix-neochoice-widget.yaml
deleted file mode 100644
index 2e1906bb..00000000
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 101
- runAsNonRoot: true
- runAsUser: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-...
diff --git a/helmfile/apps/element/values-matrix-neochoice-widget.gotmpl b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
similarity index 66%
rename from helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
rename to helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
index 0c3f57cc..e1ff1269 100644
--- a/helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,8 +1,20 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -23,11 +35,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
- {{ .Values.theme | toYaml | nindent 2 }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
resources:
{{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+
...
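Review bot: `theme:` is placed between `replicaCount:` and `resources:` in this file, whereas the same commit puts `theme:` after `resources:` in values-matrix-neoboard-widget.yaml.gotmpl and values-matrix-neodatefix-widget.yaml.gotmpl, which otherwise have identical structure. Mapping order does not change the rendered values, but the file set is clearly being sorted alphabetically here and this one breaks the pattern, which makes the three files harder to diff against each other. Move the two `theme:` lines and their trailing blank line below the `resources:` stanza to match the siblings.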
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
deleted file mode 100644
index 77d6b050..00000000
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
- username: "meetings-bot"
- pod: "opendesk-synapse-0"
- secretName: "matrix-neodatefix-bot-account"
-...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
similarity index 71%
rename from helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
rename to helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
index 22557ef6..d238851a 100644
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -1,22 +1,24 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-global:
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
+ username: "meetings-bot"
+ pod: "opendesk-synapse-0"
+ secretName: "matrix-neodatefix-bot-account"
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
+global:
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
deleted file mode 100644
index 25eb6f64..00000000
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
+++ /dev/null
@@ -1,37 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
- domain: {{ .Values.global.domain | quote }}
- hosts:
- {{ .Values.global.hosts | toYaml | nindent 4 }}
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-configuration:
- openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-
-image:
- imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
- repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
- tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
-
-ingress:
- enabled: {{ .Values.ingress.enabled }}
- ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
- tls:
- enabled: {{ .Values.ingress.tls.enabled }}
- secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-persistence:
- size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
- storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
-
-resources:
- {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
similarity index 52%
rename from helmfile/apps/element/values-matrix-neodatefix-bot.yaml
rename to helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
index 50438bb1..615bd5ad 100644
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -1,11 +1,18 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
-
+ openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"
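Review bot: The added `openxchangeBaseUrl:` line replaces the blank line that separated the `bot:` mapping from `strings:`, so its indentation alone decides whether the key lands under `configuration.bot` (next to `username`/`displayname`) or directly under `configuration`, which is where the deleted values-matrix-neodatefix-bot.gotmpl had it. Indentation is not recoverable from this listing, so please confirm the rendered output puts the key at the level the chart reads. Separately, this URL is built from `.Values.istio.domain` while every other host in these files is built from `.Values.global.domain`; if the two are expected to be equal, a short comment such as `# istio.domain intentionally differs from global.domain` (or switching to `global.domain`) would remove the ambiguity.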
@@ -36,10 +43,27 @@ extraEnvVars:
name: "matrix-neodatefix-bot-account"
key: "access_token"
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
+ repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+ tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ tls:
+ enabled: {{ .Values.ingress.tls.enabled }}
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+
# TODO: The health endpoint does not work with the haproxy configuration, yet
livenessProbe:
enabled: false
+persistence:
+ size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
podSecurityContext:
enabled: true
fsGroup: 101
@@ -47,4 +71,10 @@ podSecurityContext:
# TODO: The health endpoint does not work with the haproxy configuration, yet
readinessProbe:
enabled: false
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+ {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
deleted file mode 100644
index 879e17a7..00000000
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
- bot:
- username: "meetings-bot"
-
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 101
- runAsNonRoot: true
- runAsUser: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
similarity index 64%
rename from helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
rename to helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
index 77d08046..6c2b6a60 100644
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,8 +1,24 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+configuration:
+ bot:
+ username: "meetings-bot"
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -23,11 +39,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
- {{ .Values.theme | toYaml | nindent 2 }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
resources:
{{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+
+theme:
+ {{ .Values.theme | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
deleted file mode 100644
index 217f5e1a..00000000
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
- username: "uvs"
- pod: "opendesk-synapse-0"
- secretName: "opendesk-matrix-user-verification-service-account"
-...
diff --git a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
similarity index 70%
rename from helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
rename to helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
index c689e82f..57367e04 100644
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -1,22 +1,24 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-global:
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
+ username: "uvs"
+ pod: "opendesk-synapse-0"
+ secretName: "opendesk-matrix-user-verification-service-account"
password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
+global:
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
...
diff --git a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
deleted file mode 100644
index 8fffae14..00000000
--- a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
+++ /dev/null
@@ -1,23 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
- domain: {{ .Values.global.domain | quote }}
- hosts:
- {{ .Values.global.hosts | toYaml | nindent 4 }}
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
- imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
- repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
- tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-
-replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
-
-resources:
- {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/element/values-matrix-user-verification-service.yaml b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
similarity index 53%
rename from helmfile/apps/element/values-matrix-user-verification-service.yaml
rename to helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
index 30886298..a13fb9c1 100644
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -25,7 +25,26 @@ extraEnvVars:
- name: "UVS_DISABLE_IP_BLACKLIST"
value: "true"
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
+ repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+ tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
podSecurityContext:
enabled: true
fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+ {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/element/values-synapse-web.yaml b/helmfile/apps/element/values-synapse-web.yaml
deleted file mode 100644
index 2e1906bb..00000000
--- a/helmfile/apps/element/values-synapse-web.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 101
- runAsNonRoot: true
- runAsUser: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-...
diff --git a/helmfile/apps/element/values-synapse-web.gotmpl b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
similarity index 65%
rename from helmfile/apps/element/values-synapse-web.gotmpl
rename to helmfile/apps/element/values-synapse-web.yaml.gotmpl
index 7bb96f85..7373bb8e 100644
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,8 +1,20 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -24,8 +36,13 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
replicaCount: {{ .Values.replicas.synapseWeb }}
resources:
{{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/element/values-synapse.yaml b/helmfile/apps/element/values-synapse.yaml
deleted file mode 100644
index f43b4f11..00000000
--- a/helmfile/apps/element/values-synapse.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
- additionalConfiguration:
- user_directory:
- enabled: true
- search_all_users: true
- room_prejoin_state:
- additional_event_types:
- - "m.space.parent"
- - "net.nordeck.meetings.metadata"
- - "m.room.power_levels"
- # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
- # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
- # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
- rc_login:
- account:
- per_second: 2
- burst_count: 8
- address:
- per_second: 2
- burst_count: 12
-
- homeserver:
- guestModule:
- enabled: true
- oidc:
- clientId: "opendesk-matrix"
-
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 10991
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 10991
-
-readinessProbe:
- initialDelaySeconds: 15
- periodSeconds: 5
-
-...
diff --git a/helmfile/apps/element/values-synapse.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl
similarity index 65%
rename from helmfile/apps/element/values-synapse.gotmpl
rename to helmfile/apps/element/values-synapse.yaml.gotmpl
index f01af2e8..0c7394fb 100644
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -1,22 +1,27 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-global:
- domain: {{ .Values.global.domain | quote }}
- hosts:
- {{ .Values.global.hosts | toYaml | nindent 4 }}
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
- imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
- repository: {{ .Values.images.synapse.repository | quote }}
- tag: {{ .Values.images.synapse.tag | quote }}
-
configuration:
+ additionalConfiguration:
+ user_directory:
+ enabled: true
+ search_all_users: true
+ room_prejoin_state:
+ additional_event_types:
+ - "m.space.parent"
+ - "net.nordeck.meetings.metadata"
+ - "m.room.power_levels"
+ # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+ # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+ # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+ rc_login:
+ account:
+ per_second: 2
+ burst_count: 8
+ address:
+ per_second: 2
+ burst_count: 12
+
database:
host: {{ .Values.databases.synapse.host | quote }}
name: {{ .Values.databases.synapse.name | quote }}
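Review bot: `search_all_users: true` under `configuration.additionalConfiguration.user_directory`, moved in at the top of this hunk, carries no comment, while the `rc_login` block right below it does. In Synapse that option makes every account on the homeserver discoverable through directory search rather than only users who already share a room, which is a deliberate privacy trade-off for this deployment and should be recorded next to the setting. A one-liner in the same style as the existing `rc_login` note would do, e.g. `# All homeserver users are discoverable via directory search (needed for <reason placeholder>).`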
@@ -36,6 +41,7 @@ configuration:
sender_localpart: intercom-service
oidc:
+ clientId: "opendesk-matrix"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
@@ -53,18 +59,54 @@ configuration:
{{- end }}
guestModule:
+ enabled: true
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
repository: {{ .Values.images.synapseGuestModule.repository | quote }}
tag: {{ .Values.images.synapseGuestModule.tag | quote }}
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 10991
+ seccompProfile:
+ type: "RuntimeDefault"
+
+global:
+ domain: {{ .Values.global.domain | quote }}
+ hosts:
+ {{ .Values.global.hosts | toYaml | nindent 4 }}
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
+ repository: {{ .Values.images.synapse.repository | quote }}
+ tag: {{ .Values.images.synapse.tag | quote }}
+
persistence:
size: {{ .Values.persistence.size.synapse | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 10991
+
+readinessProbe:
+ initialDelaySeconds: 15
+ periodSeconds: 5
+
replicaCount: {{ .Values.replicas.synapse }}
resources:
{{ .Values.resources.synapse | toYaml | nindent 2 }}
+
...
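Review bot: The `containerSecurityContext` added at the top of this hunk sets `runAsUser: 10991` and the `podSecurityContext` sets `fsGroup: 10991`, but there is no `runAsGroup`, so the container's primary GID is whatever the image's user database supplies rather than being pinned by the manifest; the cryptpad, synapse-web and well-known values in this same change pin both. Adding `runAsGroup: 10991` next to `runAsUser` makes the group explicit and consistent, assuming the synapse image's service user actually runs with that GID — worth confirming against the image. The same gap exists in `values-memcached.yaml.gotmpl`, whose new `containerSecurityContext` sets `runAsUser: 1001` with no `runAsGroup` and no `podSecurityContext` at all.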
diff --git a/helmfile/apps/element/values-well-known.yaml b/helmfile/apps/element/values-well-known.yaml
deleted file mode 100644
index caaa0614..00000000
--- a/helmfile/apps/element/values-well-known.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
- e2ee:
- forceDisable: true
-
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 101
- runAsNonRoot: true
- runAsUser: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-...
diff --git a/helmfile/apps/element/values-well-known.gotmpl b/helmfile/apps/element/values-well-known.yaml.gotmpl
similarity index 62%
rename from helmfile/apps/element/values-well-known.gotmpl
rename to helmfile/apps/element/values-well-known.yaml.gotmpl
index 780e9b56..267fc14f 100644
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -1,8 +1,24 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+configuration:
+ e2ee:
+ forceDisable: true
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
global:
domain: {{ .Values.global.domain | quote }}
hosts:
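Review bot: `forceDisable: true` under `configuration.e2ee`, moved in at the top of this hunk, switches off end-to-end encryption for every client that reads this well-known document, and the merged file gives no reason for it. That is a security posture decision the next reader will need to justify, so it should not live only in git history; add a short comment above the key, e.g. `# E2EE is force-disabled for all clients: <reason placeholder>`. This assumes the block feeds the Element client well-known config, which the chart itself, not this diff, determines.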
@@ -24,8 +40,13 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+
replicaCount: {{ .Values.replicas.wellKnown }}
resources:
{{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/intercom-service/helmfile.yaml b/helmfile/apps/intercom-service/helmfile.yaml
index fd52cbab..d4a0738a 100644
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -20,8 +20,7 @@ releases:
chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
version: "{{ .Values.charts.intercomService.version }}"
values:
- - "values.yaml"
- - "values.gotmpl"
+ - "values.yaml.gotmpl"
installed: {{ .Values.intercom.enabled }}
commonLabels:
diff --git a/helmfile/apps/intercom-service/values.yaml b/helmfile/apps/intercom-service/values.yaml
deleted file mode 100644
index 3d8e7299..00000000
--- a/helmfile/apps/intercom-service/values.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-ics:
- oidc:
- id: "opendesk-intercom"
-
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 1000
- runAsGroup: 1000
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
-
-podSecurityContext:
- enabled: true
- fsGroup: 1000
- fsGroupChangePolicy: "Always"
-...
diff --git a/helmfile/apps/intercom-service/values.gotmpl b/helmfile/apps/intercom-service/values.yaml.gotmpl
similarity index 80%
rename from helmfile/apps/intercom-service/values.gotmpl
rename to helmfile/apps/intercom-service/values.yaml.gotmpl
index f3c45133..a721ed65 100644
--- a/helmfile/apps/intercom-service/values.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -1,8 +1,19 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -19,6 +30,7 @@ ics:
default:
domain: {{ .Values.global.domain | quote }}
oidc:
+ id: "opendesk-intercom"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
matrix:
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -52,8 +64,14 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+ fsGroupChangePolicy: "Always"
+
replicaCount: {{ .Values.replicas.intercomService }}
resources:
{{ .Values.resources.intercomService | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/provisioning/helmfile.yaml b/helmfile/apps/provisioning/helmfile.yaml
index 4e437555..cc7a9e4f 100644
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -17,8 +17,7 @@ releases:
chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
version: "{{ .Values.charts.oxConnector.version }}"
values:
- - "values-oxconnector.yaml"
- - "values-oxconnector.gotmpl"
+ - "values-oxconnector.yaml.gotmpl"
installed: {{ .Values.oxConnector.enabled }}
commonLabels:
diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml b/helmfile/apps/provisioning/values-oxconnector.yaml
deleted file mode 100644
index 62ba6129..00000000
--- a/helmfile/apps/provisioning/values-oxconnector.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-ingress:
- enabled: false
-
-oxConnector:
- ldapBaseDn: "dc=swp-ldap,dc=internal"
- ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
- tlsMode: "off"
- caCert: "ucctempldapstring"
- debugLevel: "5"
- oxDefaultContext: "1"
- oxLocalTimezone: "Europe/Berlin"
- oxLanguage: "de_DE"
- oxSmtpServer: "smtp://127.0.0.1:587"
- oxImapServer: "imap://127.0.0.1:143"
-
-## Container deployment probes
-probes:
- liveness:
- enabled: true
- initialDelaySeconds: 120
- timeoutSeconds: 3
- periodSeconds: 30
- failureThreshold: 3
- successThreshold: 1
-
- readiness:
- enabled: true
- initialDelaySeconds: 30
- timeoutSeconds: 3
- periodSeconds: 15
- failureThreshold: 30
- successThreshold: 1
-
-
-serviceAccount:
- create: true
-
-...
diff --git a/helmfile/apps/provisioning/values-oxconnector.gotmpl b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
similarity index 55%
rename from helmfile/apps/provisioning/values-oxconnector.gotmpl
rename to helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
index f2b2754b..a4ae476e 100644
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
@@ -14,21 +12,54 @@ imagePullSecrets:
- name: {{ . | quote }}
{{- end }}
-persistence:
- storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ingress:
+ enabled: false
oxConnector:
+ caCert: "ucctempldapstring"
+ debugLevel: "5"
domainName: {{ .Values.global.domain | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
- notifierServer: {{ .Values.ldap.notifierHost | quote }}
logLevel: {{ .Values.debug.logLevel | quote }}
- #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
+ ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ ldapBaseDn: "dc=swp-ldap,dc=internal"
+ ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+ tlsMode: "off"
+ notifierServer: {{ .Values.ldap.notifierHost | quote }}
+ oxDefaultContext: "1"
+ oxImapServer: "imap://127.0.0.1:143"
+ oxLocalTimezone: "Europe/Berlin"
+ oxLanguage: "de_DE"
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+ oxSmtpServer: "smtp://127.0.0.1:587"
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
- oxDefaultContext: "1"
- ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
+
+persistence:
+ storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+## Container deployment probes
+probes:
+ liveness:
+ enabled: true
+ initialDelaySeconds: 120
+ timeoutSeconds: 3
+ periodSeconds: 30
+ failureThreshold: 3
+ successThreshold: 1
+
+ readiness:
+ enabled: true
+ initialDelaySeconds: 30
+ timeoutSeconds: 3
+ periodSeconds: 15
+ failureThreshold: 30
+ successThreshold: 1
+
+serviceAccount:
+ create: true
+
...
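Review bot: The merged `oxConnector` block now puts `ldapPassword` (from `.Values.secrets.univentionManagementStack.ldapSecret`) right next to `tlsMode: "off"`, a placeholder `caCert: "ucctempldapstring"` and `debugLevel: "5"`, none of which is commented. The LDAP bind that uses that password therefore runs without TLS, and neither the reason (in-cluster-only traffic, mesh encryption) nor the fact that `caCert` is an unused placeholder while TLS is off is recorded anywhere in the file. Add a comment above `tlsMode`, e.g. `# LDAP bind is plaintext: <reason placeholder>; caCert is a placeholder and unused while tlsMode is "off"`. `debugLevel: "5"` is also a hard-coded maximum-looking value sitting beside a secret; what the connector logs at that level is not visible here, but sourcing it from `.Values.debug.logLevel` the way `logLevel` already is would keep verbosity under the environment's control.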
diff --git a/helmfile/apps/services/helmfile.yaml b/helmfile/apps/services/helmfile.yaml
index a3daf785..f84b228e 100644
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -111,7 +111,7 @@ releases:
chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
version: "{{ .Values.charts.otterize.version }}"
values:
- - "values-otterize.gotmpl"
+ - "values-otterize.yaml.gotmpl"
installed: {{ .Values.security.otterizeIntents.enabled }}
timeout: 900
@@ -119,7 +119,7 @@ releases:
chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
version: "{{ .Values.charts.certificates.version }}"
values:
- - "values-certificates.gotmpl"
+ - "values-certificates.yaml.gotmpl"
installed: {{ .Values.certificates.enabled }}
timeout: 900
@@ -127,8 +127,7 @@ releases:
chart: "redis-repo/{{ .Values.charts.redis.name }}"
version: "{{ .Values.charts.redis.version }}"
values:
- - "values-redis.gotmpl"
- - "values-redis.yaml"
+ - "values-redis.yaml.gotmpl"
installed: {{ .Values.redis.enabled }}
timeout: 900
@@ -136,8 +135,7 @@ releases:
chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
version: "{{ .Values.charts.memcached.version }}"
values:
- - "values-memcached.yaml"
- - "values-memcached.gotmpl"
+ - "values-memcached.yaml.gotmpl"
installed: {{ .Values.memcached.enabled }}
timeout: 900
@@ -145,8 +143,7 @@ releases:
chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
version: "{{ .Values.charts.postgresql.version }}"
values:
- - "values-postgresql.yaml"
- - "values-postgresql.gotmpl"
+ - "values-postgresql.yaml.gotmpl"
installed: {{ .Values.postgresql.enabled }}
timeout: 900
@@ -154,8 +151,7 @@ releases:
chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
version: "{{ .Values.charts.mariadb.version }}"
values:
- - "values-mariadb.yaml"
- - "values-mariadb.gotmpl"
+ - "values-mariadb.yaml.gotmpl"
installed: {{ .Values.mariadb.enabled }}
timeout: 900
@@ -163,8 +159,7 @@ releases:
chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
version: "{{ .Values.charts.postfix.version }}"
values:
- - "values-postfix.yaml"
- - "values-postfix.gotmpl"
+ - "values-postfix.yaml.gotmpl"
installed: {{ .Values.postfix.enabled }}
timeout: 900
@@ -172,8 +167,7 @@ releases:
chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
version: "{{ .Values.charts.clamav.version }}"
values:
- - "values-clamav-distributed.yaml"
- - "values-clamav-distributed.gotmpl"
+ - "values-clamav-distributed.yaml.gotmpl"
installed: {{ .Values.clamavDistributed.enabled }}
timeout: 900
@@ -181,8 +175,7 @@ releases:
chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
version: "{{ .Values.charts.clamavSimple.version }}"
values:
- - "values-clamav-simple.yaml"
- - "values-clamav-simple.gotmpl"
+ - "values-clamav-simple.yaml.gotmpl"
installed: {{ .Values.clamavSimple.enabled }}
timeout: 900
@@ -190,8 +183,7 @@ releases:
chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
version: "{{ .Values.charts.istioResources.version }}"
values:
- - "values-istio-gateway.yaml"
- - "values-istio-gateway.gotmpl"
+ - "values-istio-gateway.yaml.gotmpl"
installed: {{ .Values.istio.enabled }}
timeout: 900
@@ -199,8 +191,7 @@ releases:
chart: "minio-repo/{{ .Values.charts.minio.name }}"
version: "{{ .Values.charts.minio.version }}"
values:
- - "values-minio.yaml"
- - "values-minio.gotmpl"
+ - "values-minio.yaml.gotmpl"
installed: {{ .Values.minio.enabled }}
timeout: 900
diff --git a/helmfile/apps/services/values-certificates.gotmpl b/helmfile/apps/services/values-certificates.yaml.gotmpl
similarity index 100%
rename from helmfile/apps/services/values-certificates.gotmpl
rename to helmfile/apps/services/values-certificates.yaml.gotmpl
diff --git a/helmfile/apps/services/values-clamav-distributed.yaml b/helmfile/apps/services/values-clamav-distributed.yaml
deleted file mode 100644
index 61a30edd..00000000
--- a/helmfile/apps/services/values-clamav-distributed.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- enabled: true
- readOnlyRootFilesystem: true
-
-clamd:
- containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 100
- runAsGroup: 101
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- podSecurityContext:
- enabled: true
- fsGroup: 101
- fsGroupChangePolicy: "Always"
-
-freshclam:
- containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 100
- runAsGroup: 101
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- podSecurityContext:
- enabled: true
- fsGroup: 101
- fsGroupChangePolicy: "Always"
-
-icap:
- containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 100
- runAsGroup: 101
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- podSecurityContext:
- enabled: true
- fsGroup: 101
- fsGroupChangePolicy: "Always"
-
-milter:
- containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 100
- runAsGroup: 101
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- podSecurityContext:
- enabled: true
- fsGroup: 101
- fsGroupChangePolicy: "Always"
-...
diff --git a/helmfile/apps/services/values-clamav-distributed.gotmpl b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
similarity index 53%
rename from helmfile/apps/services/values-clamav-distributed.gotmpl
rename to helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
index 944177cf..2ba55b4d 100644
--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -1,27 +1,60 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
clamd:
- podSecurityContext:
- replicaCount: {{ .Values.replicas.clamd }}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 100
+ runAsGroup: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ podSecurityContext:
+ enabled: true
+ fsGroup: 101
+ fsGroupChangePolicy: "Always"
+ replicaCount: {{ .Values.replicas.clamd }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ enabled: true
+ readOnlyRootFilesystem: true
+
freshclam:
- podSecurityContext:
- replicaCount: {{ .Values.replicas.freshclam }}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 100
+ runAsGroup: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
repository: {{ .Values.images.freshclam.repository | quote }}
tag: {{ .Values.images.freshclam.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ podSecurityContext:
+ enabled: true
+ fsGroup: 101
+ fsGroupChangePolicy: "Always"
+ replicaCount: {{ .Values.replicas.freshclam }}
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
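Review bot: The top-level `containerSecurityContext` inserted between the `clamd` and `freshclam` sections sets only `allowPrivilegeEscalation`, `enabled` and `readOnlyRootFilesystem`, which is much weaker than the four per-component contexts in this file — no `capabilities.drop`, no `runAsNonRoot`, no `seccompProfile`. If the chart applies the top-level block to any container that is not clamd, freshclam, icap or milter (an init or helper container, say), that container runs with the looser settings; which containers it reaches is not visible in this diff. Either bring it in line with the per-component blocks or add a comment stating what it governs, e.g. `# Top-level context applies to <container placeholder> only; scanner components override it below.`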
@@ -30,23 +63,54 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
icap:
- replicaCount: {{ .Values.replicas.icap }}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 100
+ runAsGroup: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ podSecurityContext:
+ enabled: true
+ fsGroup: 101
+ fsGroupChangePolicy: "Always"
+ replicaCount: {{ .Values.replicas.icap }}
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
milter:
- podSecurityContext:
- replicaCount: {{ .Values.replicas.milter }}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 100
+ runAsGroup: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
repository: {{ .Values.images.milter.repository | quote }}
tag: {{ .Values.images.milter.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ podSecurityContext:
+ enabled: true
+ fsGroup: 101
+ fsGroupChangePolicy: "Always"
+ replicaCount: {{ .Values.replicas.milter }}
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}
diff --git a/helmfile/apps/services/values-clamav-simple.yaml b/helmfile/apps/services/values-clamav-simple.yaml
deleted file mode 100644
index 5cc9444f..00000000
--- a/helmfile/apps/services/values-clamav-simple.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 100
- runAsGroup: 101
- seccompProfile:
- type: "RuntimeDefault"
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
- fsGroupChangePolicy: "Always"
-...
diff --git a/helmfile/apps/services/values-clamav-simple.gotmpl b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
similarity index 67%
rename from helmfile/apps/services/values-clamav-simple.gotmpl
rename to helmfile/apps/services/values-clamav-simple.yaml.gotmpl
index 08b7392d..22998bde 100644
--- a/helmfile/apps/services/values-clamav-simple.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -1,9 +1,20 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-replicaCount: {{ .Values.replicas.clamav }}
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 100
+ runAsGroup: 101
+ seccompProfile:
+ type: "RuntimeDefault"
+
+global:
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
clamav:
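Review bot: The `containerSecurityContext` added at the top of this hunk omits `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, both of which every per-component context in `values-clamav-distributed.yaml.gotmpl` in this same change sets. `runAsUser: 100` is numerically non-root, but without `runAsNonRoot: true` the kubelet has nothing to enforce if a later image change makes the process start as UID 0. Add `runAsNonRoot: true` directly under `runAsUser: 100`; `readOnlyRootFilesystem: true` is worth adding too, though whether the simple chart's container tolerates a read-only root is not visible here.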
@@ -17,14 +28,18 @@ image:
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-resources:
- {{ .Values.resources.clamd | toYaml | nindent 4 }}
-
-global:
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.clamav | quote }}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
+ fsGroupChangePolicy: "Always"
+
+replicaCount: {{ .Values.replicas.clamav }}
+
+resources:
+ {{ .Values.resources.clamd | toYaml | nindent 4 }}
+
...
diff --git a/helmfile/apps/services/values-istio-gateway.gotmpl b/helmfile/apps/services/values-istio-gateway.gotmpl
deleted file mode 100644
index e1826580..00000000
--- a/helmfile/apps/services/values-istio-gateway.gotmpl
+++ /dev/null
@@ -1,13 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
- domain: {{ .Values.istio.domain | quote }}
- hosts:
- openxchange: {{ .Values.global.hosts.openxchange | quote }}
-
-tls:
- secretName: "{{ .Values.istio.domain }}-tls"
-...
diff --git a/helmfile/apps/services/values-istio-gateway.yaml b/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
similarity index 52%
rename from helmfile/apps/services/values-istio-gateway.yaml
rename to helmfile/apps/services/values-istio-gateway.yaml.gotmpl
index f0125863..cafa3e8f 100644
--- a/helmfile/apps/services/values-istio-gateway.yaml
+++ b/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
@@ -1,6 +1,12 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
+global:
+ domain: {{ .Values.istio.domain | quote }}
+ hosts:
+ openxchange: {{ .Values.global.hosts.openxchange | quote }}
+
tls:
httpsRedirect: false
+ secretName: "{{ .Values.istio.domain }}-tls"
...
diff --git a/helmfile/apps/services/values-mariadb.yaml b/helmfile/apps/services/values-mariadb.yaml
deleted file mode 100644
index 99f40a2f..00000000
--- a/helmfile/apps/services/values-mariadb.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
-
-job:
- enabled: true
-
-podSecurityContext:
- enabled: true
- fsGroup: 1001
- fsGroupChangePolicy: "OnRootMismatch"
-
-replicaCount: 1
-...
diff --git a/helmfile/apps/services/values-mariadb.gotmpl b/helmfile/apps/services/values-mariadb.yaml.gotmpl
similarity index 69%
rename from helmfile/apps/services/values-mariadb.gotmpl
rename to helmfile/apps/services/values-mariadb.yaml.gotmpl
index efca6146..153501f1 100644
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -1,24 +1,35 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+cleanup:
+ deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ runAsUser: 1001
+ runAsGroup: 1001
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-cleanup:
- deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
-# Please refer to `databases.yaml` for details.
job:
+ enabled: true
retries: 10
wait: 30
users:
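Review bot: The two comment lines that sat above `job:` ("Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway. Please refer to `databases.yaml` for details.") are dropped in this hunk without replacement, so the merged file no longer explains why those applications bind as the database root user. That rationale is security-relevant and nothing else in the new file records it; restore the two lines above `job:` (or above `users:`, where they apply) before merging.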
@@ -43,6 +54,14 @@ persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.mariadb | quote }}
+podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
+
+replicaCount: 1
+
resources:
{{ .Values.resources.mariadb | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/services/values-memcached.yaml b/helmfile/apps/services/values-memcached.yaml
deleted file mode 100644
index 17c46a86..00000000
--- a/helmfile/apps/services/values-memcached.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 1001
- runAsNonRoot: true
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
-
-serviceAccount:
- create: true
-...
diff --git a/helmfile/apps/services/values-memcached.gotmpl b/helmfile/apps/services/values-memcached.yaml.gotmpl
similarity index 53%
rename from helmfile/apps/services/values-memcached.gotmpl
rename to helmfile/apps/services/values-memcached.yaml.gotmpl
index 36e81e61..dc095440 100644
--- a/helmfile/apps/services/values-memcached.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,8 +1,18 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
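Review bot: The merged `containerSecurityContext` (L1933-L1943) pins `runAsUser: 1001` and `runAsNonRoot: true` but, unlike the PostgreSQL block in this same commit (L2362-L2363, which also sets `runAsGroup: 1001`), leaves the primary group to the image default. Pinning it keeps the two files consistent and makes the pod's effective identity explicit in one place: add `runAsGroup: 1001` directly under `runAsUser: 1001`. Whether the chart fills in a default for `runAsGroup` cannot be told from this hunk, so confirm against the chart before relying on the image's value.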
@@ -17,4 +27,7 @@ replicaCount: {{ .Values.replicas.memcached }}
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}
+
+serviceAccount:
+ create: true
...
diff --git a/helmfile/apps/services/values-minio.gotmpl b/helmfile/apps/services/values-minio.gotmpl
deleted file mode 100644
index 74557b12..00000000
--- a/helmfile/apps/services/values-minio.gotmpl
+++ /dev/null
@@ -1,79 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
- imagePullSecrets:
- {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
- repository: "{{ .Values.images.minio.repository }}"
- tag: "{{ .Values.images.minio.tag }}"
- pullPolicy: "{{ .Values.global.imagePullPolicy }}"
-
-auth:
- rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
-
-statefulset:
- replicaCount: {{ .Values.replicas.minioDistributed }}
-
-resources:
- {{ .Values.resources.minio | toYaml | nindent 2 }}
-
-ingress:
- enabled: {{ .Values.ingress.enabled }}
- ingressClassName: {{ .Values.ingress.ingressClassName }}
- hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
- extraTls:
- - hosts:
- - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
- secretName: "{{ .Values.ingress.tls.secretName }}"
-
-apiIngress:
- enabled: {{ .Values.ingress.enabled }}
- ingressClassName: {{ .Values.ingress.ingressClassName }}
- hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
- extraTls:
- - hosts:
- - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
- secretName: "{{ .Values.ingress.tls.secretName }}"
-
-metrics:
- serviceMonitor:
- enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
- prometheusRule:
- enabled: {{ .Values.prometheus.prometheusRules.enabled }}
-
-persistence:
- storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
- size: "{{ .Values.persistence.size.minio }}"
-
-provisioning:
- users:
- - username: "openproject_user"
- password: {{ .Values.secrets.minio.openprojectUser | quote }}
- disabled: false
- policies:
- - "openproject-bucket-policy"
- setPolicies: true
- - username: "openxchange_user"
- password: {{ .Values.secrets.minio.openxchangeUser | quote }}
- disabled: false
- policies:
- - "openxchange-bucket-policy"
- setPolicies: true
- - username: "ums_user"
- password: {{ .Values.secrets.minio.umsUser | quote }}
- disabled: false
- policies:
- - "ums-bucket-policy"
- setPolicies: true
- - username: "nextcloud_user"
- password: {{ .Values.secrets.minio.nextcloudUser | quote }}
- disabled: false
- policies:
- - "nextcloud-bucket-policy"
- setPolicies: true
-...
diff --git a/helmfile/apps/services/values-minio.yaml b/helmfile/apps/services/values-minio.yaml.gotmpl
similarity index 53%
rename from helmfile/apps/services/values-minio.yaml
rename to helmfile/apps/services/values-minio.yaml.gotmpl
index 216b862e..ae4e80d0 100644
--- a/helmfile/apps/services/values-minio.yaml
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -1,11 +1,20 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
-mode: "standalone"
+apiIngress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+ extraTls:
+ - hosts:
+ - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+ secretName: "{{ .Values.ingress.tls.secretName }}"
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+ nginx.org/client-max-body-size: "4G"
-podSecurityContext:
- enabled: true
- fsGroup: 1000
+auth:
+ rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
containerSecurityContext:
enabled: true
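Review bot: `ingressClassName: {{ .Values.ingress.ingressClassName }}` at L2054 (and again at L2087 in the next hunk) is rendered unquoted, whereas every other templated scalar in this file either goes through `| quote` or is wrapped in double quotes. An empty or unset value would render as `ingressClassName:` (YAML null) rather than an empty string, and a class name that happens to look like a number or boolean would be retyped by the parser. Use `ingressClassName: {{ .Values.ingress.ingressClassName | quote }}` in both places, which is also how `values-common.yaml.gotmpl` writes it at L2708.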
@@ -19,19 +28,53 @@ containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
+defaultBuckets: "openproject,openxchange,ums,nextcloud"
+
+global:
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
+ repository: "{{ .Values.images.minio.repository }}"
+ tag: "{{ .Values.images.minio.tag }}"
+ pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+ extraTls:
+ - hosts:
+ - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+ secretName: "{{ .Values.ingress.tls.secretName }}"
annotations:
nginx.org/websocket-services: "minio"
-apiIngress:
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: "4G"
- nginx.org/client-max-body-size: "4G"
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+
+mode: "standalone"
+
+metrics:
+ serviceMonitor:
+ enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+ prometheusRule:
+ enabled: {{ .Values.prometheus.prometheusRules.enabled }}
networkPolicy:
enabled: false
-defaultBuckets: "openproject,openxchange,ums,nextcloud"
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+
+persistence:
+ storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+ size: "{{ .Values.persistence.size.minio }}"
provisioning:
enabled: true
@@ -99,12 +142,31 @@ provisioning:
effect: "Allow"
actions:
- "s3:*"
-
-livenessProbe:
- enabled: true
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 10
+ users:
+ - username: "openproject_user"
+ password: {{ .Values.secrets.minio.openprojectUser | quote }}
+ disabled: false
+ policies:
+ - "openproject-bucket-policy"
+ setPolicies: true
+ - username: "openxchange_user"
+ password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+ disabled: false
+ policies:
+ - "openxchange-bucket-policy"
+ setPolicies: true
+ - username: "ums_user"
+ password: {{ .Values.secrets.minio.umsUser | quote }}
+ disabled: false
+ policies:
+ - "ums-bucket-policy"
+ setPolicies: true
+ - username: "nextcloud_user"
+ password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+ disabled: false
+ policies:
+ - "nextcloud-bucket-policy"
+ setPolicies: true
readinessProbe:
enabled: true
@@ -112,8 +174,15 @@ readinessProbe:
periodSeconds: 10
timeoutSeconds: 10
+resources:
+ {{ .Values.resources.minio | toYaml | nindent 2 }}
+
startupProbe:
enabled: true
periodSeconds: 10
timeoutSeconds: 10
+
+statefulset:
+ replicaCount: {{ .Values.replicas.minioDistributed }}
+
...
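Review bot: `statefulset.replicaCount: {{ .Values.replicas.minioDistributed }}` (L2172-L2173) now lives in the same file as `mode: "standalone"` (L2105), and the value key's name suggests it is meant for a distributed deployment. If the chart ignores `statefulset.replicaCount` in standalone mode this is dead configuration that will mislead whoever tunes `replicas.minioDistributed`; if the chart does honour it, more than one standalone replica would contend for the single `persistence` volume declared at L2119-L2121. Either gate the key on the mode or document it: `# only effective when mode is "distributed"` above `statefulset:`. I cannot tell from the hunk which of the two the chart does, so this needs confirming against the chart.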
diff --git a/helmfile/apps/services/values-otterize.gotmpl b/helmfile/apps/services/values-otterize.yaml.gotmpl
similarity index 100%
rename from helmfile/apps/services/values-otterize.gotmpl
rename to helmfile/apps/services/values-otterize.yaml.gotmpl
diff --git a/helmfile/apps/services/values-postfix.yaml b/helmfile/apps/services/values-postfix.yaml
deleted file mode 100644
index 624151db..00000000
--- a/helmfile/apps/services/values-postfix.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-certificate:
- request:
- enabled: false
-
-containerSecurityContext:
- allowPrivilegeEscalation: true
- capabilities: {}
- enabled: true
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: false
- runAsNonRoot: false
-
-podSecurityContext:
- enabled: true
- fsGroup: 101
-
-postfix:
- hostname: "postfix"
- inetProtocols: "ipv4"
- smtpSASLAuthEnable: "yes"
- smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
- smtpUseTLS: "yes"
- smtpdSASLAuthEnable: "no"
- smtpdSASLSecurityOptions: "noanonymous"
- smtpdSASLType: "dovecot"
- smtpdUseTLS: "yes"
- smtpdTLSCertFile: "/etc/tls/tls.crt"
- smtpdKeyFile: "/etc/tls/tls.key"
- milterDefaultAction: "accept"
- rspamdHost: ""
- amavisHost: ""
- amavisPortIn: ""
-...
diff --git a/helmfile/apps/services/values-postfix.gotmpl b/helmfile/apps/services/values-postfix.yaml.gotmpl
similarity index 61%
rename from helmfile/apps/services/values-postfix.gotmpl
rename to helmfile/apps/services/values-postfix.yaml.gotmpl
index aacfbda1..266bb520 100644
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -1,8 +1,20 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+certificate:
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+ request:
+ enabled: false
+
+containerSecurityContext:
+ allowPrivilegeEscalation: true
+ capabilities: {}
+ enabled: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
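Review bot: The merged `containerSecurityContext` (L2243-L2250) ships `allowPrivilegeEscalation: true`, `runAsNonRoot: false`, `readOnlyRootFilesystem: false` and an empty `capabilities: {}` (so nothing is dropped) without any explanation, while every other service in this commit drops `ALL` and runs non-root. The settings are carried over from the deleted `values-postfix.yaml`, but now that the two files are one this is the natural place to document the exception, e.g. `# Runs as root with escalation allowed: presumably required by Postfix's privilege separation at start-up — confirm, and narrow to the specific capabilities it needs`. Without such a comment the next reviewer cannot distinguish a deliberate exception from an oversight, and the relaxed profile is easy to copy into the next service.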
@@ -13,29 +25,45 @@ image:
tag: {{ .Values.images.postfix.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-certificate:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
+persistence:
+ size: {{ .Values.persistence.size.postfix | quote }}
+ storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 101
postfix:
+ amavisHost: ""
+ amavisPortIn: ""
domain: {{ .Values.global.domain | quote }}
- virtualMailboxDomains: {{ .Values.global.domain | quote }}
+ hostname: "postfix"
+ inetProtocols: "ipv4"
+ milterDefaultAction: "accept"
overrides:
- fileName: "sasl_passwd.map"
content:
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
+ rspamdHost: ""
relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}}
- virtualTransport: "lmtps:dovecot:24"
+ smtpSASLAuthEnable: "yes"
+ smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
+ smtpUseTLS: "yes"
+ smtpdSASLAuthEnable: "no"
+ smtpdSASLSecurityOptions: "noanonymous"
+ smtpdSASLType: "dovecot"
+ smtpdUseTLS: "yes"
+ smtpdTLSCertFile: "/etc/tls/tls.crt"
+ smtpdKeyFile: "/etc/tls/tls.key"
smtpdSASLPath: "inet:dovecot:3659"
{{- if .Values.clamavDistributed.enabled }}
smtpdMilters: "inet:clamav-milter:7357"
{{- else if .Values.clamavSimple.enabled }}
smtpdMilters: "inet:clamav-simple:7357"
{{- end }}
-
-persistence:
- size: {{ .Values.persistence.size.postfix | quote }}
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
+ virtualMailboxDomains: {{ .Values.global.domain | quote }}
+ virtualTransport: "lmtps:dovecot:24"
replicaCount: {{ .Values.replicas.postfix }}
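Review bot: `rspamdHost: ""` at L2279 breaks the alphabetical ordering the rest of the merge follows, landing between `overrides:` and `relayHost:` directly after the `content:` entry of the overrides item; because this raw diff has lost its indentation, please verify in the file that the key sits at the `postfix:` level and was not indented into the `overrides` list item, where it would silently become part of that entry. Separately, `| quote}}` at L2262 lacks the space before `}}` that the rest of the file uses (`| quote }}`); it renders fine but `relayNets` at L2281 has the same slip, so a quick pass for consistency is cheap. The enclosing `postfix:` mapping's last keys are in this hunk, but the file continues past L2304.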
diff --git a/helmfile/apps/services/values-postgresql.yaml b/helmfile/apps/services/values-postgresql.yaml
deleted file mode 100644
index 45dc5d3f..00000000
--- a/helmfile/apps/services/values-postgresql.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
-
-job:
- image:
- digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
-
-podSecurityContext:
- enabled: true
- fsGroup: 1001
- fsGroupChangePolicy: "OnRootMismatch"
-
-postgres:
- user: "postgres"
-
-replicaCount: 1
-...
diff --git a/helmfile/apps/services/values-postgresql.gotmpl b/helmfile/apps/services/values-postgresql.yaml.gotmpl
similarity index 75%
rename from helmfile/apps/services/values-postgresql.gotmpl
rename to helmfile/apps/services/values-postgresql.yaml.gotmpl
index e8d5230d..3bd17048 100644
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -1,8 +1,31 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 1001
+ runAsGroup: 1001
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+job:
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
+
+postgres:
+ user: "postgres"
+
+replicaCount: 1
+
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
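Review bot: `job:` at L2369 has no value and is followed by a blank line, so it parses as `job: null`, and the file already has a top-level `job:` stanza further down (visible as context at L2390); duplicate mapping keys are rejected by some YAML parsers and silently last-wins in others, so the stray key is either a render error or a no-op. The deleted `values-postgresql.yaml` pinned the job image by digest under `job.image.digest` (L2327-L2329), but the new file inserts `image:` / `digest:` at L2388-L2389 *before* the `job:` at L2390, so that pin can no longer be under `job` and is either lost or attached to the main `image:` mapping. Remove the empty `job:` at L2369 and move the two lines under the existing stanza: `job:` / `  image:` / `    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"`. The same defect applies to the next hunk (`@@ -12,6 +35,8 @@`), which is where the digest currently lands.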
@@ -12,6 +35,8 @@ image:
repository: {{ .Values.images.postgresql.repository | quote }}
tag: {{ .Values.images.postgresql.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ image:
+ digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
job:
users:
diff --git a/helmfile/apps/services/values-redis.yaml b/helmfile/apps/services/values-redis.yaml
deleted file mode 100644
index 235e6331..00000000
--- a/helmfile/apps/services/values-redis.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-architecture: "standalone"
-
-sentinel:
- enabled: false
-
-metrics:
- enabled: false
-
-master:
- containerSecurityContext:
- readOnlyRootFilesystem: true
-...
diff --git a/helmfile/apps/services/values-redis.gotmpl b/helmfile/apps/services/values-redis.yaml.gotmpl
similarity index 69%
rename from helmfile/apps/services/values-redis.gotmpl
rename to helmfile/apps/services/values-redis.yaml.gotmpl
index 68717792..7063efae 100644
--- a/helmfile/apps/services/values-redis.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -1,8 +1,8 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
+architecture: "standalone"
+
auth:
password: {{ .Values.secrets.redis.password | quote }}
@@ -18,10 +18,18 @@ image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
master:
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
count: {{ .Values.replicas.redis }}
persistence:
size: {{ .Values.persistence.size.redis | quote }}
-
resources:
{{ .Values.resources.redis | toYaml | nindent 4 }}
+
+metrics:
+ enabled: false
+
+sentinel:
+ enabled: false
+
...
diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml
index b391e374..ba403438 100644
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -215,8 +215,7 @@ releases:
chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "{{ .Values.charts.nginx.version }}"
values:
- - "values-ums-stack-gateway.gotmpl"
- - "values-ums-stack-gateway.yaml"
+ - "values-ums-stack-gateway.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -224,10 +223,8 @@ releases:
chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
version: "{{ .Values.charts.umsStoreDav.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-store-dav.gotmpl"
- - "values-store-dav.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-store-dav.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -235,10 +232,8 @@ releases:
chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "{{ .Values.charts.umsLdapServer.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-ldap-server.gotmpl"
- - "values-ldap-server.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-ldap-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -246,10 +241,8 @@ releases:
chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "{{ .Values.charts.umsLdapNotifier.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-ldap-notifier.gotmpl"
- - "values-ldap-notifier.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-ldap-notifier.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -257,10 +250,8 @@ releases:
chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "{{ .Values.charts.umsUdmRestApi.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-udm-rest-api.gotmpl"
- - "values-udm-rest-api.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-udm-rest-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -268,10 +259,8 @@ releases:
chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "{{ .Values.charts.umsStackDataUms.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-stack-data-ums.gotmpl"
- - "values-stack-data-ums.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-stack-data-ums.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -279,10 +268,8 @@ releases:
chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "{{ .Values.charts.umsStackDataSwp.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-stack-data-swp.gotmpl"
- - "values-stack-data-swp.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-stack-data-swp.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -290,10 +277,8 @@ releases:
chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "{{ .Values.charts.umsPortalServer.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-portal-server.gotmpl"
- - "values-portal-server.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-portal-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -301,10 +286,8 @@ releases:
chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "{{ .Values.charts.umsNotificationsApi.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-notifications-api.gotmpl"
- - "values-notifications-api.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-notifications-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -312,10 +295,8 @@ releases:
chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "{{ .Values.charts.umsPortalListener.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-portal-listener.gotmpl"
- - "values-portal-listener.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-portal-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -323,10 +304,8 @@ releases:
chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "{{ .Values.charts.umsPortalFrontend.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-portal-frontend.gotmpl"
- - "values-portal-frontend.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-portal-frontend.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -334,10 +313,8 @@ releases:
chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "{{ .Values.charts.umsUmcGateway.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-umc-gateway.gotmpl"
- - "values-umc-gateway.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-umc-gateway.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -345,10 +322,8 @@ releases:
chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "{{ .Values.charts.umsUmcServer.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-umc-server.gotmpl"
- - "values-umc-server.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-umc-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -356,10 +331,8 @@ releases:
chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-selfservice-listener.gotmpl"
- - "values-selfservice-listener.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-selfservice-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -367,10 +340,8 @@ releases:
chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
version: "{{ .Values.charts.umsProvisioning.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-provisioning.gotmpl"
- - "values-provisioning.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-provisioning.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -378,10 +349,8 @@ releases:
chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-guardian-management-api.gotmpl"
- - "values-guardian-management-api.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-guardian-management-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -389,10 +358,8 @@ releases:
chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-guardian-management-ui.gotmpl"
- - "values-guardian-management-ui.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-guardian-management-ui.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -400,10 +367,8 @@ releases:
chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-guardian-authorization-api.gotmpl"
- - "values-guardian-authorization-api.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-guardian-authorization-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -411,10 +376,8 @@ releases:
chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
values:
- - "values-common.gotmpl"
- - "values-common.yaml"
- - "values-open-policy-agent.gotmpl"
- - "values-open-policy-agent.yaml"
+ - "values-common.yaml.gotmpl"
+ - "values-open-policy-agent.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
diff --git a/helmfile/apps/univention-management-stack/values-common.gotmpl b/helmfile/apps/univention-management-stack/values-common.gotmpl
deleted file mode 100644
index 7483f350..00000000
--- a/helmfile/apps/univention-management-stack/values-common.gotmpl
+++ /dev/null
@@ -1,10 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-ingress:
- host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
- ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-
-...
diff --git a/helmfile/apps/univention-management-stack/values-common.yaml b/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
similarity index 81%
rename from helmfile/apps/univention-management-stack/values-common.yaml
rename to helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
index e5edfe91..8dee2fc9 100644
--- a/helmfile/apps/univention-management-stack/values-common.yaml
+++ b/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
@@ -12,6 +12,8 @@ ingress:
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
+ host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
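Review bot: `host` and `ingressClassName` (L2707-L2708) are added directly under an `ingress:` block whose own comment (L2704-L2706) explains that the Ingress resource is disabled and handled by the stack-gateway release, so a reader will assume the two new keys are dead configuration. If the charts still read `ingress.host` for other purposes, state that above the keys: `# host/ingressClassName are still consumed by the charts even though the Ingress object itself is disabled — TODO confirm which charts use them`. The enclosing `ingress:` mapping begins before this hunk.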
diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
deleted file mode 100644
index 9420d14e..00000000
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-guardianAuthorizationApi:
- udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
- repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
similarity index 57%
rename from helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml
rename to helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
index c6b44cb4..82fe35b6 100644
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -2,19 +2,34 @@
# SPDX-License-Identifier: Apache-2.0
---
guardianAuthorizationApi:
- home: "/guardian_service_dir"
guardianAuthzCorsAllowedOrigins: "*"
guardianAuthzAdapterSettingsPort: "env"
guardianAuthzAdapterAppPersistencePort: "udm_data"
guardianAuthzAdapterPolicyPort: "opa"
guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
- isUniventionAppCenter: 0
- udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
- udmDataAdapterUsername: "cn=admin"
- opaAdapterUrl: "http://ums-open-policy-agent/"
- guardianAuthzLoggingLevel: "DEBUG"
+ guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
guardianAuthzLoggingStructured: false
guardianAuthzLoggingFormat: "{time:YYYY-MM-DD HH:mm:ss.SSS ZZ} | {level} | {message} | {extra}"
+ home: "/guardian_service_dir"
+ isUniventionAppCenter: 0
+ oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+ opaAdapterUrl: "http://ums-open-policy-agent/"
+ udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
+ udmDataAdapterUsername: "cn=admin"
+ udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
+ repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
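Review bot: `guardianAuthzLoggingLevel` now follows `{{ .Values.debug.logLevel | quote }}` (L2761), but its counterpart `guardianManagementLoggingLevel: "DEBUG"` in `values-guardian-management-api.yaml.gotmpl` (L2853, unchanged context in a later hunk) stays hard-coded, so the two Guardian services will log at different levels once `debug.logLevel` is lowered for production. Apply the same substitution there: `guardianManagementLoggingLevel: {{ .Values.debug.logLevel | quote }}`. While merging, `guardianAuthzCorsAllowedOrigins: "*"` (L2751) is carried into the single file unchanged; whether a wildcard CORS origin is acceptable for this API depends on how it is exposed, which the hunk does not show, so a short comment recording that decision would help the next reviewer.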
@@ -36,4 +51,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
deleted file mode 100644
index 5a981d5d..00000000
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-guardianManagementApi:
- oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-
-postgresql:
- bundled: false
- connection:
- host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
- port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
- auth:
- username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
- database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
- password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
- repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
similarity index 58%
rename from helmfile/apps/univention-management-stack/values-guardian-management-api.yaml
rename to helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
index 1922dc52..4b5a4799 100644
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -3,6 +3,7 @@
---
guardianManagementApi:
home: "/guardian_service_dir"
+ isUniventionAppCenter: 0
guardianManagementCorsAllowedOrigins: "*"
guardianManagementAdapterSettingsPort: "env"
guardianManagementAdapterAppPersistencePort: "sql"
@@ -15,14 +16,38 @@ guardianManagementApi:
guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
guardianManagementAdapterResourceAuthorizationPort: "always"
- isUniventionAppCenter: 0
- sqlPersistenceAdapterDialect: "postgresql"
- sqlPersistenceAdapterDbName: "postgres"
- oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
guardianManagementLoggingLevel: "DEBUG"
guardianManagementLoggingStructured: false
guardianManagementLoggingFormat: "{time:YYYY-MM-DD HH:mm:ss.SSS ZZ} | {level} | {message} | {extra}"
guardianManagementBaseUrl: "http://0.0.0.0:8000"
+ oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
+ oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+ oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+ sqlPersistenceAdapterDialect: "postgresql"
+ sqlPersistenceAdapterDbName: "postgres"
+
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
+ repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+postgresql:
+ bundled: false
+ connection:
+ host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+ port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+ auth:
+ username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+ database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+ password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+
+resources:
+ {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
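Review bot: `oauthAdapterM2mSecretFile` and `oauthAdapterM2mSecret` (two adjacent added lines in this hunk) configure the same Keycloak client credential two ways — a mounted file path and the literal secret rendered into the values — with nothing saying which one the chart honours when both are set. A one-line comment above them would save the next reader a chart lookup, e.g. `# Both are set on purpose: the chart writes oauthAdapterM2mSecret into the file named by oauthAdapterM2mSecretFile — confirm against the chart`, adjusted to whatever the chart actually does. This was carried over from the deleted .gotmpl rather than introduced here, so the ask is documentation only.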
@@ -44,4 +69,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
deleted file mode 100644
index 5674ae30..00000000
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianManagementUi:
- viteManagementUiAdapterAuthenticationPort: "keycloak"
- viteManagementUiAdapterDataPort: "api"
- viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "DAC_OVERRIDE"
- - "FOWNER"
- - "FSETID"
- - "KILL"
- - "SETGID"
- - "SETUID"
- - "SETPCAP"
- - "NET_BIND_SERVICE"
- - "NET_RAW"
- - "SYS_CHROOT"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
similarity index 55%
rename from helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl
rename to helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
index 25879bdd..bfe560c9 100644
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -1,9 +1,10 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
guardianManagementUi:
+ viteManagementUiAdapterAuthenticationPort: "keycloak"
+ viteManagementUiAdapterDataPort: "api"
+ viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -20,4 +21,26 @@ image:
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
...
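Review bot: The added `securityContext` drops `ALL` and then adds back eleven capabilities (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT), which is close to a container runtime's default set and leaves the drop with little effect; a static UI container rarely needs NET_RAW or SYS_CHROOT. The list was moved from the deleted values-guardian-management-ui.yaml rather than written here, but this consolidation is a good moment to note why each capability is needed or to trim the list; a comment such as `# capabilities required by the image's entrypoint (runs as root, chowns and switches user) — TODO confirm per capability` above `add:` would at least record the intent. The same block appears in values-portal-listener.yaml.gotmpl, values-portal-server.yaml.gotmpl and values-portal-frontend.yaml.gotmpl in this diff, so whatever is decided should be applied to all four.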
diff --git a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
deleted file mode 100644
index 5e3122a9..00000000
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-volumes:
- claims:
- shared-data: "shared-data-ums-ldap-server-0"
- shared-run: "shared-run-ums-ldap-server-0"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
similarity index 52%
rename from helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
rename to helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
index 989edb89..74827c07 100644
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
@@ -15,4 +13,19 @@ image:
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
+volumes:
+ claims:
+ shared-data: "shared-data-ums-ldap-server-0"
+ shared-run: "shared-run-ums-ldap-server-0"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
deleted file mode 100644
index fe44476a..00000000
--- a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
+++ /dev/null
@@ -1,36 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-ldapServer:
- ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
- repository: {{ .Values.images.umsLdapServer.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsLdapServer.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
- waitForDependency:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
- repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-persistence:
- data:
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
- size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
- shared:
- storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
- size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
-resources:
- {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.yaml b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
similarity index 54%
rename from helmfile/apps/univention-management-stack/values-ldap-server.yaml
rename to helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
index 7d75da47..0e2b9b8c 100644
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -1,13 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
-
-ldapServer:
- waitForSamlMetadata: true
-
-service:
- type: "ClusterIP"
-
extraVolumes:
- name: "opendesk-schemas"
configMap:
@@ -30,6 +23,34 @@ extraVolumeMounts:
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema"
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+ repository: {{ .Values.images.umsLdapServer.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsLdapServer.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+ waitForDependency:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+ repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
+
+ldapServer:
+ waitForSamlMetadata: true
+ ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+
+persistence:
+ data:
+ storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+ shared:
+ storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+ size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
securityContext:
allowPrivilegeEscalation: false
@@ -51,4 +72,11 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
+service:
+ type: "ClusterIP"
+
+resources:
+ {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
+
...
diff --git a/helmfile/apps/univention-management-stack/values-notifications-api.yaml b/helmfile/apps/univention-management-stack/values-notifications-api.yaml
deleted file mode 100644
index fd314b06..00000000
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-notificationsapi:
- apply_database_migrations: "True"
- dev_mode: "False"
- environment: "staging"
- log_level: "DEBUG"
- sql_echo: "False"
- api_prefix: "/univention/portal/notifications-api"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
similarity index 64%
rename from helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
rename to helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
index 110b06a6..4a89f7d2 100644
--- a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -1,18 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-postgresql:
- bundled: false
- connection:
- host: {{ .Values.databases.umsNotificationsApi.host | quote }}
- port: {{ .Values.databases.umsNotificationsApi.port | quote }}
- auth:
- username: {{ .Values.databases.umsNotificationsApi.username | quote }}
- database: {{ .Values.databases.umsNotificationsApi.name | quote }}
- password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
repository: {{ .Values.images.umsNotificationsApi.repository }}
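Review bot: `repository: {{ .Values.images.umsNotificationsApi.repository }}` is the only `image:` field in this file rendered without `| quote`, while `registry`, `pullPolicy` and `tag` all use it and every other values-*.yaml.gotmpl in this diff quotes `repository` too. An unquoted template value renders as `null` when empty and is retyped by the YAML parser if it ever looks like a number or boolean; `repository: {{ .Values.images.umsNotificationsApi.repository | quote }}` makes it consistent. The line is context here, not changed by this commit, so this is a follow-up rather than a blocker.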
@@ -23,6 +11,34 @@ image:
- name: {{ . | quote }}
{{- end }}
+notificationsapi:
+ apply_database_migrations: "True"
+ dev_mode: "False"
+ environment: "staging"
+ log_level: "DEBUG"
+ sql_echo: "False"
+ api_prefix: "/univention/portal/notifications-api"
+
+postgresql:
+ bundled: false
+ connection:
+ host: {{ .Values.databases.umsNotificationsApi.host | quote }}
+ port: {{ .Values.databases.umsNotificationsApi.port | quote }}
+ auth:
+ username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+ database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+ password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl b/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
deleted file mode 100644
index 10d3bcdb..00000000
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
- repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
similarity index 62%
rename from helmfile/apps/univention-management-stack/values-open-policy-agent.yaml
rename to helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
index eafae8a9..f962d241 100644
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -1,6 +1,16 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
+ repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
openPolicyAgent:
isUniventionAppCenter: 0
opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
@@ -9,6 +19,9 @@ openPolicyAgent:
opaPollingMaxDelay: 15
opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
+resources:
+ {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
+
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -29,4 +42,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
deleted file mode 100644
index f58c3aa4..00000000
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
- repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-extraIngresses:
- master:
- tls:
- enabled: {{ .Values.ingress.tls.enabled }}
- secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-resources:
- {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
similarity index 81%
rename from helmfile/apps/univention-management-stack/values-portal-frontend.yaml
rename to helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
index d60aaae8..103aff73 100644
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -12,6 +12,9 @@ extraIngresses:
master:
# Using "stack-gateway" currently.
enabled: false
+ tls:
+ enabled: {{ .Values.ingress.tls.enabled }}
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
# See "extraVolumeMounts" below
custom-favicon:
@@ -24,27 +27,6 @@ extraIngresses:
path: "/favicon.ico"
tls: {}
- # See "extraVolumeMounts" below
- custom-branding:
- # Using "stack-gateway" at the moment
- enabled: false
- annotations:
- nginx.ingress.kubernetes.io/configuration-snippet: |
- rewrite ^/univention/portal(/.*)$ $1 break;
- nginx.org/location-snippets: |
- rewrite ^/univention/portal(/.*)$ $1 break;
- nginx.org/mergeable-ingress-type: "minion"
- paths:
- # This relies on the correct implementation of the matching for paths of
- # type "Prefix" since "/univention/portal/icons/entries/" is owned by
- # store-dav.
- # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- - pathType: "Prefix"
- path: "/univention/portal/icons/"
- - pathType: "Prefix"
- path: "/univention/portal/custom/"
- tls: {}
-
extraVolumes:
- name: "opendesk-branding"
configMap:
@@ -70,6 +52,40 @@ extraVolumeMounts:
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
+ repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+ # See "extraVolumeMounts" below
+ custom-branding:
+ # Using "stack-gateway" at the moment
+ enabled: false
+ annotations:
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ rewrite ^/univention/portal(/.*)$ $1 break;
+ nginx.org/location-snippets: |
+ rewrite ^/univention/portal(/.*)$ $1 break;
+ nginx.org/mergeable-ingress-type: "minion"
+ paths:
+ # This relies on the correct implementation of the matching for paths of
+ # type "Prefix" since "/univention/portal/icons/entries/" is owned by
+ # store-dav.
+ # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
+ - pathType: "Prefix"
+ path: "/univention/portal/icons/"
+ - pathType: "Prefix"
+ path: "/univention/portal/custom/"
+ tls: {}
+
+resources:
+ {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
+
securityContext:
allowPrivilegeEscalation: false
capabilities:
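Review bot: The `custom-branding:` block re-added in this hunk no longer sits under `extraIngresses:` — the earlier hunk removed it from between `custom-favicon` and `extraVolumes`, and here it is placed after the new top-level `image:` mapping with no `extraIngresses:` key in front of it. Leading whitespace is not reliably visible in this rendering, but the two possible readings are both wrong: indented two spaces it becomes `image.custom-branding` (an unknown key under `image`), at column 0 it becomes a top-level `custom-branding` key; in neither case does the chart see it as an extra ingress, and its `# See "extraVolumeMounts" below` comment now points the wrong way. Because the ingress is `enabled: false` nothing breaks at deploy time, which is exactly why this would go unnoticed; the block should move back under `extraIngresses:` next to `master` and `custom-favicon` (that mapping starts outside this hunk), or be deleted if it is genuinely unused.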
@@ -90,4 +106,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.yaml b/helmfile/apps/univention-management-stack/values-portal-listener.yaml
deleted file mode 100644
index 2ce04b23..00000000
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-portalListener:
- debugLevel: "4"
- tlsMode: "off"
- udmApiUrl: "http://ums-udm-rest-api/udm/"
- udmApiUsername: "cn=admin"
- umcGetUrl: "http://ums-umc-server/get"
- umcSessionUrl: "http://ums-umc-server/get/session-info"
-
-store-dav:
- bundled: false
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "DAC_OVERRIDE"
- - "FOWNER"
- - "FSETID"
- - "KILL"
- - "SETGID"
- - "SETUID"
- - "SETPCAP"
- - "NET_BIND_SERVICE"
- - "NET_RAW"
- - "SYS_CHROOT"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
similarity index 73%
rename from helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
rename to helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
index f4f58620..d25f8feb 100644
--- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -1,24 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-portalListener:
- adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
- assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
- ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
-
- ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
- ldapHost: {{ .Values.ldap.host | quote }}
- ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
- ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- notifierServer: {{ .Values.ldap.notifierHost | quote }}
- portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
- udmApiUrl: "http://ums-udm-rest-api/udm/"
- udmApiUsername: "cn=admin"
-
-
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
repository: {{ .Values.images.umsPortalListener.repository | quote }}
@@ -39,9 +21,55 @@ persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
+portalListener:
+ adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
+ assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
+ ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
+
+ ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+ ldapHost: {{ .Values.ldap.host | quote }}
+ ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+ ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ notifierServer: {{ .Values.ldap.notifierHost | quote }}
+ portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
+ udmApiUrl: "http://ums-udm-rest-api/udm/"
+ udmApiUsername: "cn=admin"
+ debugLevel: "4"
+ tlsMode: "off"
+ udmApiUrl: "http://ums-udm-rest-api/udm/"
+ udmApiUsername: "cn=admin"
+ umcGetUrl: "http://ums-umc-server/get"
+ umcSessionUrl: "http://ums-umc-server/get/session-info"
+
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
+
+store-dav:
+ bundled: false
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
...
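Review bot: `udmApiUrl` and `udmApiUsername` are defined twice inside the merged `portalListener:` mapping — once from the old .gotmpl and again from the old values.yaml — so the merge introduced duplicate keys. Duplicate keys are invalid YAML; most loaders silently keep the last occurrence and strict ones reject the document, and the only reason nothing changes today is that both copies carry identical values. Drop the second pair, `udmApiUrl: "http://ums-udm-rest-api/udm/"` and `udmApiUsername: "cn=admin"`, that follows `tlsMode: "off"`, and consider running yamllint with `key-duplicates` on the rendered output so the next consolidation cannot reintroduce this.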
diff --git a/helmfile/apps/univention-management-stack/values-portal-server.yaml b/helmfile/apps/univention-management-stack/values-portal-server.yaml
deleted file mode 100644
index fca2dc10..00000000
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-portalServer:
- authMode: "saml"
- editable: "false"
- umcGetUrl: "http://ums-umc-server/get"
- umcSessionUrl: "http://ums-umc-server/get/session-info"
- centralNavigation:
- enabled: true
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "DAC_OVERRIDE"
- - "FOWNER"
- - "FSETID"
- - "KILL"
- - "SETGID"
- - "SETUID"
- - "SETPCAP"
- - "NET_BIND_SERVICE"
- - "NET_RAW"
- - "SYS_CHROOT"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
similarity index 57%
rename from helmfile/apps/univention-management-stack/values-portal-server.gotmpl
rename to helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
index b603c066..a189ee5a 100644
--- a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -1,15 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-portalServer:
- logLevel: {{ .Values.debug.logLevel | quote }}
- adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
- ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
- centralNavigation:
- authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
repository: {{ .Values.images.umsPortalServer.repository | quote }}
@@ -20,6 +11,40 @@ image:
- name: {{ . | quote }}
{{- end }}
+portalServer:
+ authMode: "saml"
+ editable: "false"
+ umcGetUrl: "http://ums-umc-server/get"
+ umcSessionUrl: "http://ums-umc-server/get/session-info"
+ logLevel: {{ .Values.debug.logLevel | quote }}
+ adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
+ ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
+ centralNavigation:
+ enabled: true
+ authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml b/helmfile/apps/univention-management-stack/values-provisioning.yaml
deleted file mode 100644
index 6284c83e..00000000
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-provisioningApi:
- rootPath: "/univention/provisioning-api"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
similarity index 56%
rename from helmfile/apps/univention-management-stack/values-provisioning.gotmpl
rename to helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
index fcb3be6a..2fceebfa 100644
--- a/helmfile/apps/univention-management-stack/values-provisioning.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -1,9 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
repository: {{ .Values.images.umsProvisioning.repository | quote }}
@@ -14,6 +11,18 @@ image:
- name: {{ . | quote }}
{{- end }}
+provisioningApi:
+ rootPath: "/univention/provisioning-api"
+
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
...
diff --git a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml
deleted file mode 100644
index 658cd91d..00000000
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-selfserviceListener:
- debugLevel: "4"
- tlsMode: "off"
- umcServerUrl: "http://ums-umc-server"
- umcAdminUser: "default.admin"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "DAC_OVERRIDE"
- - "FOWNER"
- - "FSETID"
- - "KILL"
- - "SETGID"
- - "SETUID"
- - "SETPCAP"
- - "NET_BIND_SERVICE"
- - "NET_RAW"
- - "SYS_CHROOT"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
similarity index 81%
rename from helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl
rename to helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
index d3e97ca5..6a879d3d 100644
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -3,16 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
-selfserviceListener:
-
- ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
- ldapHost: {{ .Values.ldap.host | quote }}
- ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
- ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- notifierServer: {{ .Values.ldap.notifierHost | quote }}
- umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
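Review bot: This file keeps its license header as a Go-template comment (the context lines `SPDX-License-Identifier: Apache-2.0` and `*/}}` survive at the top of the hunk), while the sibling renames in this commit (values-provisioning, values-stack-data-swp, values-stack-data-ums, values-store-dav) convert the same header into `# SPDX-FileCopyrightText: …` / `# SPDX-License-Identifier: Apache-2.0` YAML comments. For consistency across the `.yaml.gotmpl` files, the `{{/* … */}}` block here should be replaced by those two `#` lines as well. The header starts before this hunk, so the opening `{{/*` line is outside the visible change.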
@@ -45,4 +35,39 @@ resources:
resourcesDependencyWaiter:
{{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
+
+selfserviceListener:
+ ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+ ldapHost: {{ .Values.ldap.host | quote }}
+ ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+ ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ notifierServer: {{ .Values.ldap.notifierHost | quote }}
+ umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
+ debugLevel: "4"
+ tlsMode: "off"
+ umcServerUrl: "http://ums-umc-server"
+ umcAdminUser: "default.admin"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
...
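Review bot: The `add:` list under `capabilities` restores most of the Docker default set (CHOWN, DAC_OVERRIDE, SETUID/SETGID, NET_RAW, SYS_CHROOT, …), so `drop: ["ALL"]` gives little real hardening here; the same list is carried into values-store-dav.yaml.gotmpl in its second hunk. These lines were moved from the deleted values-selfservice-listener.yaml rather than written by this commit, but while they are being consolidated it is worth trimming the list to what the entrypoint actually needs and adding `runAsNonRoot: true` if the image allows it. Separately, `ldapPassword` and `machineSecret` both render `.Values.secrets.univentionManagementStack.ldapSecret`, so the machine account shares the LDAP admin credential; the same pattern appears as `ldapSecret`/`machineSecret` in values-udm-rest-api.yaml.gotmpl and values-umc-server.yaml.gotmpl. If the charts can consume separate values, a dedicated machine secret would limit the impact of a leaked machine credential. Finally, `tlsMode: "off"` together with `umcServerUrl: "http://ums-umc-server"` sends `umcAdminPassword` in clear inside the cluster, which should at least be backed by a network policy or an in-cluster TLS hop.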
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml
deleted file mode 100644
index fa0b1296..00000000
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-stackDataSwp:
- udmApiUser: "cn=admin"
- udmApiUrl: "http://ums-udm-rest-api/udm/"
- loadDevData: true
-
-stackDataContext:
- ldapBase: "dc=swp-ldap,dc=internal"
- oxDefaultContext: "1"
- smtpStartTls: true
-
-additionalAnnotations:
- intents.otterize.com/service-name: "ums-stack-data-swp"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
similarity index 80%
rename from helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
rename to helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
index 92bd00ca..f375a1b5 100644
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -1,15 +1,35 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-stackDataSwp:
- udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- systemInformation:
- deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
- releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+additionalAnnotations:
+ intents.otterize.com/service-name: "ums-stack-data-swp"
+
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
+ repository: {{ .Values.images.umsDataLoader.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsDataLoader.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
stackDataContext:
+ ldapBase: "dc=swp-ldap,dc=internal"
+ oxDefaultContext: "1"
+ smtpStartTls: true
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -36,16 +56,13 @@ stackDataContext:
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
- repository: {{ .Values.images.umsDataLoader.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsDataLoader.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
+stackDataSwp:
+ udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ systemInformation:
+ deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+ releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+ udmApiUser: "cn=admin"
+ udmApiUrl: "http://ums-udm-rest-api/udm/"
+ loadDevData: true
-resources:
- {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
...
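Review bot: `loadDevData: true` under `stackDataSwp` is now an unconditional literal in the template, and values-stack-data-ums.yaml.gotmpl sets the same flag in its second hunk. If the flag does what its name suggests (seeding development/demo objects through `udmApiUser: "cn=admin"`), it should not be hard-wired in a file that also carries production secrets; drive it from a value instead, e.g. `loadDevData: {{ .Values.<dev-data flag> }}` (placeholder — pick the name used elsewhere in this helmfile). The `stackDataContext` mapping this hunk belongs to begins in the previous hunk.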
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml
deleted file mode 100644
index c0e3a599..00000000
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-stackDataUms:
- loadDevData: true
- udmApiUrl: "http://ums-udm-rest-api/udm/"
- udmApiUser: "cn=admin"
-
-stackDataContext:
- idpSamlMetadataUrlInternal: null
- umcSamlSchemes: "https"
- # The openDesk configuration brings its own UMC policies.
- installUmcPolicies: false
-
-additionalAnnotations:
- intents.otterize.com/service-name: "ums-stack-data-ums"
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
similarity index 71%
rename from helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
rename to helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
index ce0984eb..d5fbdca2 100644
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -1,25 +1,8 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-stackDataUms:
- udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-
-stackDataContext:
- domainname: {{ .Values.global.domain | quote }}
- externalMailDomain: {{ .Values.global.domain | quote }}
- hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
- ldapHost: {{ .Values.ldap.host | quote }}
- ldapBase: {{ .Values.ldap.baseDn | quote }}
- ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-
- idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
- umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
- idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
- ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-
- initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
+additionalAnnotations:
+ intents.otterize.com/service-name: "ums-stack-data-ums"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
@@ -33,4 +16,38 @@ image:
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
+stackDataContext:
+ idpSamlMetadataUrlInternal: null
+ umcSamlSchemes: "https"
+ # The openDesk configuration brings its own UMC policies.
+ installUmcPolicies: false
+ domainname: {{ .Values.global.domain | quote }}
+ externalMailDomain: {{ .Values.global.domain | quote }}
+ hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
+ ldapHost: {{ .Values.ldap.host | quote }}
+ ldapBase: {{ .Values.ldap.baseDn | quote }}
+ ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+ idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+ umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+ idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
+ ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
+ initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
+
+
+stackDataUms:
+ loadDevData: true
+ udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ udmApiUrl: "http://ums-udm-rest-api/udm/"
+ udmApiUser: "cn=admin"
+
...
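Review bot: `idpSamlMetadataUrl` fetches the Keycloak SAML descriptor over plain `http://ums-keycloak.<namespace>.svc.<cluster domain>:8080`, and `idpSamlMetadataUrlInternal` stays `null`; because the IdP signing certificate is taken from that metadata, an unauthenticated in-cluster fetch means the trust anchor depends entirely on nothing else answering on that service name. These lines are moved rather than introduced, but the consolidated block is the right place to switch to an `https://` endpoint if the Keycloak service offers TLS, or to document why the cleartext fetch is acceptable (e.g. an enforcing network policy). Minor: there are two consecutive blank lines before `stackDataUms:` where the rest of the file uses one.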
diff --git a/helmfile/apps/univention-management-stack/values-store-dav.yaml b/helmfile/apps/univention-management-stack/values-store-dav.yaml
deleted file mode 100644
index d0dfd454..00000000
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "DAC_OVERRIDE"
- - "FOWNER"
- - "FSETID"
- - "KILL"
- - "SETGID"
- - "SETUID"
- - "SETPCAP"
- - "NET_BIND_SERVICE"
- - "NET_RAW"
- - "SYS_CHROOT"
- privileged: false
- seccompProfile:
- type: "RuntimeDefault"
-...
diff --git a/helmfile/apps/univention-management-stack/values-store-dav.gotmpl b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
similarity index 71%
rename from helmfile/apps/univention-management-stack/values-store-dav.gotmpl
rename to helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
index 644675ac..dc3c7029 100644
--- a/helmfile/apps/univention-management-stack/values-store-dav.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -1,13 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
---
-storeDav:
- auth:
- basicAuth:
- portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
- portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
repository: {{ .Values.images.umsStoreDav.repository | quote }}
@@ -34,4 +27,32 @@ persistence:
resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+
+storeDav:
+ auth:
+ basicAuth:
+ portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
+ portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
+
...
diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
deleted file mode 100644
index 8e58aba1..00000000
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-udmRestApi:
- # TODO: Secret should be entered without b64enc
- ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
- # TODO: Secret should be entered without b64enc
- machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
- repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
similarity index 59%
rename from helmfile/apps/univention-management-stack/values-udm-rest-api.yaml
rename to helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
index c9d0780d..4893a6b0 100644
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -1,10 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
-udmRestApi:
- # TODO: Stub value currently
- caCert: ""
-
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
@@ -18,6 +14,19 @@ extraVolumeMounts:
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
+ repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
+
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -38,4 +47,13 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
+udmRestApi:
+ # TODO: Stub value currently
+ caCert: ""
+ # TODO: Secret should be entered without b64enc
+ ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+ # TODO: Secret should be entered without b64enc
+ machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+
...
diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl b/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
deleted file mode 100644
index df9399ba..00000000
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
- repository: {{ .Values.images.umsUmcGateway.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsUmcGateway.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
similarity index 71%
rename from helmfile/apps/univention-management-stack/values-umc-gateway.yaml
rename to helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
index 90df2d4c..dc8db89e 100644
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -21,6 +21,19 @@ extraVolumeMounts:
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
+ repository: {{ .Values.images.umsUmcGateway.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsUmcGateway.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
+
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -41,4 +54,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
deleted file mode 100644
index ed81826d..00000000
--- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-umcServer:
- # TODO: Secret should be entered without b64enc
- ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
- # TODO: Secret should be entered without b64enc
- machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-
- smtpSecret: {{ .Values.smtp.password | quote }}
-
-postgresql:
- connection:
- host: {{ .Values.databases.umsSelfservice.host | quote }}
- port: {{ .Values.databases.umsSelfservice.port | quote }}
- auth:
- username: {{ .Values.databases.umsSelfservice.username | quote }}
- database: {{ .Values.databases.umsSelfservice.name | quote }}
- password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
- postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-
-memcached:
- server: {{ .Values.cache.umsSelfservice.host | quote }}
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
- repository: {{ .Values.images.umsUmcServer.repository | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.umsUmcServer.tag | quote }}
- pullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . | quote }}
- {{- end }}
-
-resources:
- {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-umc-server.yaml b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
similarity index 61%
rename from helmfile/apps/univention-management-stack/values-umc-server.yaml
rename to helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
index 2e4d3152..65e7ecd0 100644
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -1,10 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
-umcServer:
- certPemFile: "/var/secrets/ssl/tls.crt"
- privateKeyFile: "/var/secrets/ssl/tls.key"
-
extraVolumes:
- name: "certificates"
secret:
@@ -43,14 +39,36 @@ extraVolumeMounts:
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
subPath: "udm-portals-announcement.xml"
-postgresql:
- bundled: false
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
+ repository: {{ .Values.images.umsUmcServer.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsUmcServer.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
memcached:
bundled: false
auth:
username: null
password: null
+ server: {{ .Values.cache.umsSelfservice.host | quote }}
+
+postgresql:
+ bundled: false
+ auth:
+ username: {{ .Values.databases.umsSelfservice.username | quote }}
+ database: {{ .Values.databases.umsSelfservice.name | quote }}
+ password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+ postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+ connection:
+ host: {{ .Values.databases.umsSelfservice.host | quote }}
+ port: {{ .Values.databases.umsSelfservice.port | quote }}
+
+resources:
+ {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
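Review bot: `memcached.auth.username: null` / `password: null` together with the new `server: {{ .Values.cache.umsSelfservice.host | quote }}` configure an unauthenticated session cache for the UMC server; unless a network policy restricts who can reach that host, any workload able to connect to the cache can read or tamper with cached session state. Likewise `postgresPassword` is rendered from `.Values.secrets.postgresql.umsSelfserviceUser`, the same secret that serves as the default for the application user's `password`, so the superuser field receives an app-user credential; with `bundled: false` it may be unused, in which case omitting the key is cleaner than setting it to a value that is wrong for the role it names. The `securityContext` mapping at the bottom of this hunk continues outside it.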
@@ -72,4 +90,14 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
+
+umcServer:
+ certPemFile: "/var/secrets/ssl/tls.crt"
+ # TODO: Secret should be entered without b64enc
+ ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+ # TODO: Secret should be entered without b64enc
+ machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+ smtpSecret: {{ .Values.smtp.password | quote }}
+ privateKeyFile: "/var/secrets/ssl/tls.key"
+
...
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
deleted file mode 100644
index c0ae03cc..00000000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
+++ /dev/null
@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-image:
- registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
- repository: {{ .Values.images.umsStackGateway.repository | quote }}
- tag: {{ .Values.images.umsStackGateway.tag | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-ingress:
- enabled: {{ .Values.ingress.enabled }}
- hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
- ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
- extraTls:
- - hosts:
- - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
- secretName: {{ .Values.ingress.tls.secretName | quote }}
-...
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
similarity index 92%
rename from helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
rename to helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
index 2cbb6438..2c6d2a49 100644
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -1,18 +1,45 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
+fullnameOverride: "ums-stack-gateway"
+
+image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
+ repository: {{ .Values.images.umsStackGateway.repository | quote }}
+ tag: {{ .Values.images.umsStackGateway.tag | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
+ enabled: {{ .Values.ingress.enabled }}
+ extraTls:
+ - hosts:
+ - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+ secretName: {{ .Values.ingress.tls.secretName | quote }}
+ hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls: false
-service:
- type: "ClusterIP"
+podSecurityContext:
+ enabled: true
+ fsGroup: 1001
-fullnameOverride: "ums-stack-gateway"
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsUser: 1001
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
@@ -260,20 +287,7 @@ serverBlock: |
}
-podSecurityContext:
- enabled: true
- fsGroup: 1001
+service:
+ type: "ClusterIP"
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- enabled: true
- privileged: false
- readOnlyRootFilesystem: false
- runAsUser: 1001
- runAsNonRoot: true
- seccompProfile:
- type: "RuntimeDefault"
...