sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(helmfile): Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element

Browse Source
This commit is contained in:
Thorsten Roßner
2024-01-15 10:44:32 +01:00
parent db0a544155
commit a49daa6fa2
94 changed files with 1304 additions and 1643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
helmfile/apps/cryptpad/helmfile.yaml
View File

@@ -20,8 +20,7 @@ releases:
chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
version: "{{ .Values.charts.cryptpad.version }}"
values:
- "values.yaml"
- "values.gotmpl"
- "values.yaml.gotmpl"
installed: {{ .Values.cryptpad.enabled }}
commonLabels:

33
helmfile/apps/cryptpad/values.gotmpl
View File

@@ -1,33 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
...

27
helmfile/apps/cryptpad/values.yaml → helmfile/apps/cryptpad/values.yaml.gotmpl
View File

@@ -22,9 +22,30 @@ enableEmbedding: true
fullnameOverride: "cryptpad"
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
annotations:
nginx.org/websocket-services: "cryptpad"
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
persistence:
enabled: false
@@ -32,6 +53,11 @@ persistence:
podSecurityContext:
fsGroup: 4001
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -48,4 +74,5 @@ serviceAccount:
create: true
workloadStateful: false
...

33
helmfile/apps/element/helmfile.yaml
View File

@@ -88,8 +88,7 @@ releases:
chart: "element-repo/{{ .Values.charts.element.name }}"
version: "{{ .Values.charts.element.version }}"
values:
- "values-element.yaml"
- "values-element.gotmpl"
- "values-element.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -97,8 +96,7 @@ releases:
chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
version: "{{ .Values.charts.elementWellKnown.version }}"
values:
- "values-well-known.yaml"
- "values-well-known.gotmpl"
- "values-well-known.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -106,8 +104,7 @@ releases:
chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
version: "{{ .Values.charts.synapseWeb.version }}"
values:
- "values-synapse-web.yaml"
- "values-synapse-web.gotmpl"
- "values-synapse-web.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -115,8 +112,7 @@ releases:
chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
version: "{{ .Values.charts.synapse.version }}"
values:
- "values-synapse.yaml"
- "values-synapse.gotmpl"
- "values-synapse.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -124,8 +120,7 @@ releases:
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}"
values:
- "values-matrix-user-verification-service-bootstrap.yaml"
- "values-matrix-user-verification-service-bootstrap.gotmpl"
- "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -133,8 +128,7 @@ releases:
chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
version: "{{ .Values.charts.matrixUserVerificationService.version }}"
values:
- "values-matrix-user-verification-service.yaml"
- "values-matrix-user-verification-service.gotmpl"
- "values-matrix-user-verification-service.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -142,8 +136,7 @@ releases:
chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
values:
- "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl"
- "values-matrix-neoboard-widget.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -151,8 +144,7 @@ releases:
chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
values:
- "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl"
- "values-matrix-neochoice-widget.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -160,8 +152,7 @@ releases:
chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
values:
- "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl"
- "values-matrix-neodatefix-widget.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -169,8 +160,7 @@ releases:
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}"
values:
- "values-matrix-neodatefix-bot-bootstrap.yaml"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
- "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
@@ -178,8 +168,7 @@ releases:
chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
values:
- "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl"
- "values-matrix-neodatefix-bot.yaml.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900

21
helmfile/apps/element/values-element.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

43
helmfile/apps/element/values-element.gotmpl → helmfile/apps/element/values-element.yaml.gotmpl
View File

@@ -1,15 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration:
additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -105,6 +96,27 @@ configuration:
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -119,11 +131,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.element }}
resources:
{{ .Values.resources.element | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-matrix-neoboard-widget.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

29
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl → helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -23,11 +35,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
resources:
{{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-matrix-neochoice-widget.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

29
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl → helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -23,11 +35,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
resources:
{{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
...

8
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
View File

@@ -1,8 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "meetings-bot"
pod: "opendesk-synapse-0"
secretName: "matrix-neodatefix-bot-account"
...

18
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl → helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
View File

@@ -1,22 +1,24 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
username: "meetings-bot"
pod: "opendesk-synapse-0"
secretName: "matrix-neodatefix-bot-account"
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
...

37
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
View File

@@ -1,37 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration:
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
resources:
{{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
...

32
helmfile/apps/element/values-matrix-neodatefix-bot.yaml → helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
View File

@@ -1,11 +1,18 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"
@@ -36,10 +43,27 @@ extraEnvVars:
name: "matrix-neodatefix-bot-account"
key: "access_token"
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# TODO: The health endpoint does not work with the haproxy configuration, yet
livenessProbe:
enabled: false
persistence:
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
@@ -47,4 +71,10 @@ podSecurityContext:
# TODO: The health endpoint does not work with the haproxy configuration, yet
readinessProbe:
enabled: false
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
resources:
{{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
...

25
helmfile/apps/element/values-matrix-neodatefix-widget.yaml
View File

@@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

33
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl → helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
View File

@@ -1,8 +1,24 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -23,11 +39,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
resources:
{{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

8
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
View File

@@ -1,8 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "uvs"
pod: "opendesk-synapse-0"
secretName: "opendesk-matrix-user-verification-service-account"
...

18
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl → helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
View File

@@ -1,22 +1,24 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
username: "uvs"
pod: "opendesk-synapse-0"
secretName: "opendesk-matrix-user-verification-service-account"
password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
...

23
helmfile/apps/element/values-matrix-user-verification-service.gotmpl
View File

@@ -1,23 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
resources:
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
...

19
helmfile/apps/element/values-matrix-user-verification-service.yaml → helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
View File

@@ -25,7 +25,26 @@ extraEnvVars:
- name: "UVS_DISABLE_IP_BLACKLIST"
value: "true"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
resources:
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-synapse-web.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

25
helmfile/apps/element/values-synapse-web.gotmpl → helmfile/apps/element/values-synapse-web.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -24,8 +36,13 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.synapseWeb }}
resources:
{{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
...

52
helmfile/apps/element/values-synapse.yaml
View File

@@ -1,52 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
homeserver:
guestModule:
enabled: true
oidc:
clientId: "opendesk-matrix"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 10991
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 5
...

76
helmfile/apps/element/values-synapse.gotmpl → helmfile/apps/element/values-synapse.yaml.gotmpl
View File

@@ -1,22 +1,27 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
repository: {{ .Values.images.synapse.repository | quote }}
tag: {{ .Values.images.synapse.tag | quote }}
configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
database:
host: {{ .Values.databases.synapse.host | quote }}
name: {{ .Values.databases.synapse.name | quote }}
@@ -36,6 +41,7 @@ configuration:
sender_localpart: intercom-service
oidc:
clientId: "opendesk-matrix"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
@@ -53,18 +59,54 @@ configuration:
{{- end }}
guestModule:
enabled: true
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
repository: {{ .Values.images.synapseGuestModule.repository | quote }}
tag: {{ .Values.images.synapseGuestModule.tag | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
repository: {{ .Values.images.synapse.repository | quote }}
tag: {{ .Values.images.synapse.tag | quote }}
persistence:
size: {{ .Values.persistence.size.synapse | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
podSecurityContext:
enabled: true
fsGroup: 10991
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 5
replicaCount: {{ .Values.replicas.synapse }}
resources:
{{ .Values.resources.synapse | toYaml | nindent 2 }}
...

25
helmfile/apps/element/values-well-known.yaml
View File

@@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
e2ee:
forceDisable: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

29
helmfile/apps/element/values-well-known.gotmpl → helmfile/apps/element/values-well-known.yaml.gotmpl
View File

@@ -1,8 +1,24 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
e2ee:
forceDisable: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -24,8 +40,13 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.wellKnown }}
resources:
{{ .Values.resources.wellKnown | toYaml | nindent 2 }}
...

3
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -20,8 +20,7 @@ releases:
chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
version: "{{ .Values.charts.intercomService.version }}"
values:
- "values.yaml"
- "values.gotmpl"
- "values.yaml.gotmpl"
installed: {{ .Values.intercom.enabled }}
commonLabels:

26
helmfile/apps/intercom-service/values.yaml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ics:
oidc:
id: "opendesk-intercom"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
...

26
helmfile/apps/intercom-service/values.gotmpl → helmfile/apps/intercom-service/values.yaml.gotmpl
View File

@@ -1,8 +1,19 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global:
domain: {{ .Values.global.domain | quote }}
hosts:
@@ -19,6 +30,7 @@ ics:
default:
domain: {{ .Values.global.domain | quote }}
oidc:
id: "opendesk-intercom"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
matrix:
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -52,8 +64,14 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.intercomService }}
resources:
{{ .Values.resources.intercomService | toYaml | nindent 2 }}
...

3
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -17,8 +17,7 @@ releases:
chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
version: "{{ .Values.charts.oxConnector.version }}"
values:
- "values-oxconnector.yaml"
- "values-oxconnector.gotmpl"
- "values-oxconnector.yaml.gotmpl"
installed: {{ .Values.oxConnector.enabled }}
commonLabels:

41
helmfile/apps/provisioning/values-oxconnector.yaml
View File

@@ -1,41 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: false
oxConnector:
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
tlsMode: "off"
caCert: "ucctempldapstring"
debugLevel: "5"
oxDefaultContext: "1"
oxLocalTimezone: "Europe/Berlin"
oxLanguage: "de_DE"
oxSmtpServer: "smtp://127.0.0.1:587"
oxImapServer: "imap://127.0.0.1:143"
## Container deployment probes
probes:
liveness:
enabled: true
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readiness:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
serviceAccount:
create: true
...

51
helmfile/apps/provisioning/values-oxconnector.gotmpl → helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
View File

@@ -1,7 +1,5 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
@@ -14,21 +12,54 @@ imagePullSecrets:
- name: {{ . | quote }}
{{- end }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
ingress:
enabled: false
oxConnector:
caCert: "ucctempldapstring"
debugLevel: "5"
domainName: {{ .Values.global.domain | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
logLevel: {{ .Values.debug.logLevel | quote }}
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
tlsMode: "off"
notifierServer: {{ .Values.ldap.notifierHost | quote }}
oxDefaultContext: "1"
oxImapServer: "imap://127.0.0.1:143"
oxLocalTimezone: "Europe/Berlin"
oxLanguage: "de_DE"
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSmtpServer: "smtp://127.0.0.1:587"
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1"
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
## Container deployment probes
probes:
liveness:
enabled: true
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readiness:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
serviceAccount:
create: true
...

31
helmfile/apps/services/helmfile.yaml
View File

@@ -111,7 +111,7 @@ releases:
chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
version: "{{ .Values.charts.otterize.version }}"
values:
- "values-otterize.gotmpl"
- "values-otterize.yaml.gotmpl"
installed: {{ .Values.security.otterizeIntents.enabled }}
timeout: 900
@@ -119,7 +119,7 @@ releases:
chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
version: "{{ .Values.charts.certificates.version }}"
values:
- "values-certificates.gotmpl"
- "values-certificates.yaml.gotmpl"
installed: {{ .Values.certificates.enabled }}
timeout: 900
@@ -127,8 +127,7 @@ releases:
chart: "redis-repo/{{ .Values.charts.redis.name }}"
version: "{{ .Values.charts.redis.version }}"
values:
- "values-redis.gotmpl"
- "values-redis.yaml"
- "values-redis.yaml.gotmpl"
installed: {{ .Values.redis.enabled }}
timeout: 900
@@ -136,8 +135,7 @@ releases:
chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
version: "{{ .Values.charts.memcached.version }}"
values:
- "values-memcached.yaml"
- "values-memcached.gotmpl"
- "values-memcached.yaml.gotmpl"
installed: {{ .Values.memcached.enabled }}
timeout: 900
@@ -145,8 +143,7 @@ releases:
chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
version: "{{ .Values.charts.postgresql.version }}"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
- "values-postgresql.yaml.gotmpl"
installed: {{ .Values.postgresql.enabled }}
timeout: 900
@@ -154,8 +151,7 @@ releases:
chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
version: "{{ .Values.charts.mariadb.version }}"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
- "values-mariadb.yaml.gotmpl"
installed: {{ .Values.mariadb.enabled }}
timeout: 900
@@ -163,8 +159,7 @@ releases:
chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
version: "{{ .Values.charts.postfix.version }}"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
- "values-postfix.yaml.gotmpl"
installed: {{ .Values.postfix.enabled }}
timeout: 900
@@ -172,8 +167,7 @@ releases:
chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
version: "{{ .Values.charts.clamav.version }}"
values:
- "values-clamav-distributed.yaml"
- "values-clamav-distributed.gotmpl"
- "values-clamav-distributed.yaml.gotmpl"
installed: {{ .Values.clamavDistributed.enabled }}
timeout: 900
@@ -181,8 +175,7 @@ releases:
chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
version: "{{ .Values.charts.clamavSimple.version }}"
values:
- "values-clamav-simple.yaml"
- "values-clamav-simple.gotmpl"
- "values-clamav-simple.yaml.gotmpl"
installed: {{ .Values.clamavSimple.enabled }}
timeout: 900
@@ -190,8 +183,7 @@ releases:
chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
version: "{{ .Values.charts.istioResources.version }}"
values:
- "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl"
- "values-istio-gateway.yaml.gotmpl"
installed: {{ .Values.istio.enabled }}
timeout: 900
@@ -199,8 +191,7 @@ releases:
chart: "minio-repo/{{ .Values.charts.minio.name }}"
version: "{{ .Values.charts.minio.version }}"
values:
- "values-minio.yaml"
- "values-minio.gotmpl"
- "values-minio.yaml.gotmpl"
installed: {{ .Values.minio.enabled }}
timeout: 900

0
helmfile/apps/services/values-certificates.gotmpl → helmfile/apps/services/values-certificates.yaml.gotmpl
View File

80
helmfile/apps/services/values-clamav-distributed.yaml
View File

@@ -1,80 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
clamd:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
freshclam:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
icap:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
milter:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

86
helmfile/apps/services/values-clamav-distributed.gotmpl → helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
View File

@@ -1,27 +1,60 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
clamd:
podSecurityContext:
replicaCount: {{ .Values.replicas.clamd }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.clamd }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
freshclam:
podSecurityContext:
replicaCount: {{ .Values.replicas.freshclam }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
repository: {{ .Values.images.freshclam.repository | quote }}
tag: {{ .Values.images.freshclam.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.freshclam }}
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -30,23 +63,54 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
icap:
replicaCount: {{ .Values.replicas.icap }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.icap }}
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
milter:
podSecurityContext:
replicaCount: {{ .Values.replicas.milter }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
repository: {{ .Values.images.milter.repository | quote }}
tag: {{ .Values.images.milter.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.milter }}
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}

19
helmfile/apps/services/values-clamav-simple.yaml
View File

@@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

39
helmfile/apps/services/values-clamav-simple.gotmpl → helmfile/apps/services/values-clamav-simple.yaml.gotmpl
View File

@@ -1,9 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
replicaCount: {{ .Values.replicas.clamav }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
clamav:
@@ -17,14 +28,18 @@ image:
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.clamav | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.clamav }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
...

13
helmfile/apps/services/values-istio-gateway.gotmpl
View File

@@ -1,13 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.istio.domain | quote }}
hosts:
openxchange: {{ .Values.global.hosts.openxchange | quote }}
tls:
secretName: "{{ .Values.istio.domain }}-tls"
...

6
helmfile/apps/services/values-istio-gateway.yaml → helmfile/apps/services/values-istio-gateway.yaml.gotmpl
View File

@@ -1,6 +1,12 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
domain: {{ .Values.istio.domain | quote }}
hosts:
openxchange: {{ .Values.global.hosts.openxchange | quote }}
tls:
httpsRedirect: false
secretName: "{{ .Values.istio.domain }}-tls"
...

27
helmfile/apps/services/values-mariadb.yaml
View File

@@ -1,27 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
replicaCount: 1
...

37
helmfile/apps/services/values-mariadb.gotmpl → helmfile/apps/services/values-mariadb.yaml.gotmpl
View File

@@ -1,24 +1,35 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
# Please refer to `databases.yaml` for details.
job:
enabled: true
retries: 10
wait: 30
users:
@@ -43,6 +54,14 @@ persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.mariadb | quote }}
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
replicaCount: 1
resources:
{{ .Values.resources.mariadb | toYaml | nindent 2 }}
...

18
helmfile/apps/services/values-memcached.yaml
View File

@@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
serviceAccount:
create: true
...

21
helmfile/apps/services/values-memcached.gotmpl → helmfile/apps/services/values-memcached.yaml.gotmpl
View File

@@ -1,8 +1,18 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -17,4 +27,7 @@ replicaCount: {{ .Values.replicas.memcached }}
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}
serviceAccount:
create: true
...

79
helmfile/apps/services/values-minio.gotmpl
View File

@@ -1,79 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
repository: "{{ .Values.images.minio.repository }}"
tag: "{{ .Values.images.minio.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
auth:
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
statefulset:
replicaCount: {{ .Values.replicas.minioDistributed }}
resources:
{{ .Values.resources.minio | toYaml | nindent 2 }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
apiIngress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
metrics:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.minio }}"
provisioning:
users:
- username: "openproject_user"
password: {{ .Values.secrets.minio.openprojectUser | quote }}
disabled: false
policies:
- "openproject-bucket-policy"
setPolicies: true
- username: "openxchange_user"
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
disabled: false
policies:
- "openxchange-bucket-policy"
setPolicies: true
- username: "ums_user"
password: {{ .Values.secrets.minio.umsUser | quote }}
disabled: false
policies:
- "ums-bucket-policy"
setPolicies: true
- username: "nextcloud_user"
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
disabled: false
policies:
- "nextcloud-bucket-policy"
setPolicies: true
...

99
helmfile/apps/services/values-minio.yaml → helmfile/apps/services/values-minio.yaml.gotmpl
View File

@@ -1,11 +1,20 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
mode: "standalone"
apiIngress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
podSecurityContext:
enabled: true
fsGroup: 1000
auth:
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
containerSecurityContext:
enabled: true
@@ -19,19 +28,53 @@ containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
defaultBuckets: "openproject,openxchange,ums,nextcloud"
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
repository: "{{ .Values.images.minio.repository }}"
tag: "{{ .Values.images.minio.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
annotations:
nginx.org/websocket-services: "minio"
apiIngress:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
mode: "standalone"
metrics:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
networkPolicy:
enabled: false
defaultBuckets: "openproject,openxchange,ums,nextcloud"
podSecurityContext:
enabled: true
fsGroup: 1000
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.minio }}"
provisioning:
enabled: true
@@ -99,12 +142,31 @@ provisioning:
effect: "Allow"
actions:
- "s3:*"
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
users:
- username: "openproject_user"
password: {{ .Values.secrets.minio.openprojectUser | quote }}
disabled: false
policies:
- "openproject-bucket-policy"
setPolicies: true
- username: "openxchange_user"
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
disabled: false
policies:
- "openxchange-bucket-policy"
setPolicies: true
- username: "ums_user"
password: {{ .Values.secrets.minio.umsUser | quote }}
disabled: false
policies:
- "ums-bucket-policy"
setPolicies: true
- username: "nextcloud_user"
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
disabled: false
policies:
- "nextcloud-bucket-policy"
setPolicies: true
readinessProbe:
enabled: true
@@ -112,8 +174,15 @@ readinessProbe:
periodSeconds: 10
timeoutSeconds: 10
resources:
{{ .Values.resources.minio | toYaml | nindent 2 }}
startupProbe:
enabled: true
periodSeconds: 10
timeoutSeconds: 10
statefulset:
replicaCount: {{ .Values.replicas.minioDistributed }}
...

0
helmfile/apps/services/values-otterize.gotmpl → helmfile/apps/services/values-otterize.yaml.gotmpl
View File

37
helmfile/apps/services/values-postfix.yaml
View File

@@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
certificate:
request:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: true
capabilities: {}
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 101
postfix:
hostname: "postfix"
inetProtocols: "ipv4"
smtpSASLAuthEnable: "yes"
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
smtpUseTLS: "yes"
smtpdSASLAuthEnable: "no"
smtpdSASLSecurityOptions: "noanonymous"
smtpdSASLType: "dovecot"
smtpdUseTLS: "yes"
smtpdTLSCertFile: "/etc/tls/tls.crt"
smtpdKeyFile: "/etc/tls/tls.key"
milterDefaultAction: "accept"
rspamdHost: ""
amavisHost: ""
amavisPortIn: ""
...

52
helmfile/apps/services/values-postfix.gotmpl → helmfile/apps/services/values-postfix.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
certificate:
secretName: {{ .Values.ingress.tls.secretName | quote }}
request:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: true
capabilities: {}
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -13,29 +25,45 @@ image:
tag: {{ .Values.images.postfix.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
certificate:
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
podSecurityContext:
enabled: true
fsGroup: 101
postfix:
amavisHost: ""
amavisPortIn: ""
domain: {{ .Values.global.domain | quote }}
virtualMailboxDomains: {{ .Values.global.domain | quote }}
hostname: "postfix"
inetProtocols: "ipv4"
milterDefaultAction: "accept"
overrides:
- fileName: "sasl_passwd.map"
content:
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
rspamdHost: ""
relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}}
virtualTransport: "lmtps:dovecot:24"
smtpSASLAuthEnable: "yes"
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
smtpUseTLS: "yes"
smtpdSASLAuthEnable: "no"
smtpdSASLSecurityOptions: "noanonymous"
smtpdSASLType: "dovecot"
smtpdUseTLS: "yes"
smtpdTLSCertFile: "/etc/tls/tls.crt"
smtpdKeyFile: "/etc/tls/tls.key"
smtpdSASLPath: "inet:dovecot:3659"
{{- if .Values.clamavDistributed.enabled }}
smtpdMilters: "inet:clamav-milter:7357"
{{- else if .Values.clamavSimple.enabled }}
smtpdMilters: "inet:clamav-simple:7357"
{{- end }}
persistence:
size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
virtualMailboxDomains: {{ .Values.global.domain | quote }}
virtualTransport: "lmtps:dovecot:24"
replicaCount: {{ .Values.replicas.postfix }}

30
helmfile/apps/services/values-postgresql.yaml
View File

@@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
postgres:
user: "postgres"
replicaCount: 1
...

33
helmfile/apps/services/values-postgresql.gotmpl → helmfile/apps/services/values-postgresql.yaml.gotmpl
View File

@@ -1,8 +1,31 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
postgres:
user: "postgres"
replicaCount: 1
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -12,6 +35,8 @@ image:
repository: {{ .Values.images.postgresql.repository | quote }}
tag: {{ .Values.images.postgresql.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
job:
users:

15
helmfile/apps/services/values-redis.yaml
View File

@@ -1,15 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
architecture: "standalone"
sentinel:
enabled: false
metrics:
enabled: false
master:
containerSecurityContext:
readOnlyRootFilesystem: true
...

18
helmfile/apps/services/values-redis.gotmpl → helmfile/apps/services/values-redis.yaml.gotmpl
View File

@@ -1,8 +1,8 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
architecture: "standalone"
auth:
password: {{ .Values.secrets.redis.password | quote }}
@@ -18,10 +18,18 @@ image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
master:
containerSecurityContext:
readOnlyRootFilesystem: true
count: {{ .Values.replicas.redis }}
persistence:
size: {{ .Values.persistence.size.redis | quote }}
resources:
{{ .Values.resources.redis | toYaml | nindent 4 }}
metrics:
enabled: false
sentinel:
enabled: false
...

111
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -215,8 +215,7 @@ releases:
chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "{{ .Values.charts.nginx.version }}"
values:
- "values-ums-stack-gateway.gotmpl"
- "values-ums-stack-gateway.yaml"
- "values-ums-stack-gateway.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -224,10 +223,8 @@ releases:
chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
version: "{{ .Values.charts.umsStoreDav.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-store-dav.gotmpl"
- "values-store-dav.yaml"
- "values-common.yaml.gotmpl"
- "values-store-dav.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -235,10 +232,8 @@ releases:
chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "{{ .Values.charts.umsLdapServer.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-server.gotmpl"
- "values-ldap-server.yaml"
- "values-common.yaml.gotmpl"
- "values-ldap-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -246,10 +241,8 @@ releases:
chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "{{ .Values.charts.umsLdapNotifier.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml"
- "values-common.yaml.gotmpl"
- "values-ldap-notifier.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -257,10 +250,8 @@ releases:
chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "{{ .Values.charts.umsUdmRestApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-udm-rest-api.gotmpl"
- "values-udm-rest-api.yaml"
- "values-common.yaml.gotmpl"
- "values-udm-rest-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -268,10 +259,8 @@ releases:
chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "{{ .Values.charts.umsStackDataUms.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-ums.gotmpl"
- "values-stack-data-ums.yaml"
- "values-common.yaml.gotmpl"
- "values-stack-data-ums.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -279,10 +268,8 @@ releases:
chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "{{ .Values.charts.umsStackDataSwp.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-swp.gotmpl"
- "values-stack-data-swp.yaml"
- "values-common.yaml.gotmpl"
- "values-stack-data-swp.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -290,10 +277,8 @@ releases:
chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "{{ .Values.charts.umsPortalServer.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-server.gotmpl"
- "values-portal-server.yaml"
- "values-common.yaml.gotmpl"
- "values-portal-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -301,10 +286,8 @@ releases:
chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "{{ .Values.charts.umsNotificationsApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-notifications-api.gotmpl"
- "values-notifications-api.yaml"
- "values-common.yaml.gotmpl"
- "values-notifications-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -312,10 +295,8 @@ releases:
chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "{{ .Values.charts.umsPortalListener.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-listener.gotmpl"
- "values-portal-listener.yaml"
- "values-common.yaml.gotmpl"
- "values-portal-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -323,10 +304,8 @@ releases:
chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "{{ .Values.charts.umsPortalFrontend.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
- "values-portal-frontend.yaml"
- "values-common.yaml.gotmpl"
- "values-portal-frontend.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -334,10 +313,8 @@ releases:
chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "{{ .Values.charts.umsUmcGateway.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
- "values-common.yaml.gotmpl"
- "values-umc-gateway.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -345,10 +322,8 @@ releases:
chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "{{ .Values.charts.umsUmcServer.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-server.gotmpl"
- "values-umc-server.yaml"
- "values-common.yaml.gotmpl"
- "values-umc-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -356,10 +331,8 @@ releases:
chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-selfservice-listener.gotmpl"
- "values-selfservice-listener.yaml"
- "values-common.yaml.gotmpl"
- "values-selfservice-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -367,10 +340,8 @@ releases:
chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
version: "{{ .Values.charts.umsProvisioning.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-provisioning.gotmpl"
- "values-provisioning.yaml"
- "values-common.yaml.gotmpl"
- "values-provisioning.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -378,10 +349,8 @@ releases:
chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-guardian-management-api.gotmpl"
- "values-guardian-management-api.yaml"
- "values-common.yaml.gotmpl"
- "values-guardian-management-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -389,10 +358,8 @@ releases:
chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-guardian-management-ui.gotmpl"
- "values-guardian-management-ui.yaml"
- "values-common.yaml.gotmpl"
- "values-guardian-management-ui.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -400,10 +367,8 @@ releases:
chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-guardian-authorization-api.gotmpl"
- "values-guardian-authorization-api.yaml"
- "values-common.yaml.gotmpl"
- "values-guardian-authorization-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
@@ -411,10 +376,8 @@ releases:
chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-open-policy-agent.gotmpl"
- "values-open-policy-agent.yaml"
- "values-common.yaml.gotmpl"
- "values-open-policy-agent.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900

10
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -1,10 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
...

2
helmfile/apps/univention-management-stack/values-common.yaml → helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
View File

@@ -12,6 +12,8 @@ ingress:
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false

21
helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
View File

@@ -1,21 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianAuthorizationApi:
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
...

28
helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml → helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
View File

@@ -2,19 +2,34 @@
# SPDX-License-Identifier: Apache-2.0
---
guardianAuthorizationApi:
home: "/guardian_service_dir"
guardianAuthzCorsAllowedOrigins: "*"
guardianAuthzAdapterSettingsPort: "env"
guardianAuthzAdapterAppPersistencePort: "udm_data"
guardianAuthzAdapterPolicyPort: "opa"
guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
isUniventionAppCenter: 0
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
opaAdapterUrl: "http://ums-open-policy-agent/"
guardianAuthzLoggingLevel: "DEBUG"
guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
guardianAuthzLoggingStructured: false
guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
home: "/guardian_service_dir"
isUniventionAppCenter: 0
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
opaAdapterUrl: "http://ums-open-policy-agent/"
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
@@ -36,4 +51,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

32
helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
View File

@@ -1,32 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianManagementApi:
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
...

34
helmfile/apps/univention-management-stack/values-guardian-management-api.yaml → helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
View File

@@ -3,6 +3,7 @@
---
guardianManagementApi:
home: "/guardian_service_dir"
isUniventionAppCenter: 0
guardianManagementCorsAllowedOrigins: "*"
guardianManagementAdapterSettingsPort: "env"
guardianManagementAdapterAppPersistencePort: "sql"
@@ -15,14 +16,38 @@ guardianManagementApi:
guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
guardianManagementAdapterResourceAuthorizationPort: "always"
isUniventionAppCenter: 0
sqlPersistenceAdapterDialect: "postgresql"
sqlPersistenceAdapterDbName: "postgres"
oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
guardianManagementLoggingLevel: "DEBUG"
guardianManagementLoggingStructured: false
guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
guardianManagementBaseUrl: "http://0.0.0.0:8000"
oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
sqlPersistenceAdapterDialect: "postgresql"
sqlPersistenceAdapterDbName: "postgres"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
@@ -44,4 +69,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

29
helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
View File

@@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementUi:
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

31
helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl → helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
View File

@@ -1,9 +1,10 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementUi:
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -20,4 +21,26 @@ image:
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

18
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
View File

@@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

21
helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl → helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
View File

@@ -1,7 +1,5 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
@@ -15,4 +13,19 @@ image:
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
...

36
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -1,36 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ldapServer:
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
...

42
helmfile/apps/univention-management-stack/values-ldap-server.yaml → helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
View File

@@ -1,13 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ldapServer:
waitForSamlMetadata: true
service:
type: "ClusterIP"
extraVolumes:
- name: "opendesk-schemas"
configMap:
@@ -30,6 +23,34 @@ extraVolumeMounts:
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
ldapServer:
waitForSamlMetadata: true
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
securityContext:
allowPrivilegeEscalation: false
@@ -51,4 +72,11 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
service:
type: "ClusterIP"
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
...

20
helmfile/apps/univention-management-stack/values-notifications-api.yaml
View File

@@ -1,20 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

44
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl → helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
View File

@@ -1,18 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
repository: {{ .Values.images.umsNotificationsApi.repository }}
@@ -23,6 +11,34 @@ image:
- name: {{ . | quote }}
{{- end }}
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

18
helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
View File

@@ -1,18 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
...

14
helmfile/apps/univention-management-stack/values-open-policy-agent.yaml → helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
View File

@@ -1,6 +1,16 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
openPolicyAgent:
isUniventionAppCenter: 0
opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
@@ -9,6 +19,9 @@ openPolicyAgent:
opaPollingMaxDelay: 15
opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -29,4 +42,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

24
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
View File

@@ -1,24 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
extraIngresses:
master:
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
...

59
helmfile/apps/univention-management-stack/values-portal-frontend.yaml → helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
View File

@@ -12,6 +12,9 @@ extraIngresses:
master:
# Using "stack-gateway" currently.
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# See "extraVolumeMounts" below
custom-favicon:
@@ -24,27 +27,6 @@ extraIngresses:
path: "/favicon.ico"
tls: {}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: "Prefix"
path: "/univention/portal/icons/"
- pathType: "Prefix"
path: "/univention/portal/custom/"
tls: {}
extraVolumes:
- name: "opendesk-branding"
configMap:
@@ -70,6 +52,40 @@ extraVolumeMounts:
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: "Prefix"
path: "/univention/portal/icons/"
- pathType: "Prefix"
path: "/univention/portal/custom/"
tls: {}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -90,4 +106,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

36
helmfile/apps/univention-management-stack/values-portal-listener.yaml
View File

@@ -1,36 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalListener:
debugLevel: "4"
tlsMode: "off"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
store-dav:
bundled: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

68
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl → helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
View File

@@ -1,24 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalListener:
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
repository: {{ .Values.images.umsPortalListener.repository | quote }}
@@ -39,9 +21,55 @@ persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
portalListener:
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
debugLevel: "4"
tlsMode: "off"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
store-dav:
bundled: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

33
helmfile/apps/univention-management-stack/values-portal-server.yaml
View File

@@ -1,33 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalServer:
authMode: "saml"
editable: "false"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

47
helmfile/apps/univention-management-stack/values-portal-server.gotmpl → helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
View File

@@ -1,15 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalServer:
logLevel: {{ .Values.debug.logLevel | quote }}
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
centralNavigation:
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
repository: {{ .Values.images.umsPortalServer.repository | quote }}
@@ -20,6 +11,40 @@ image:
- name: {{ . | quote }}
{{- end }}
portalServer:
authMode: "saml"
editable: "false"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
logLevel: {{ .Values.debug.logLevel | quote }}
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
centralNavigation:
enabled: true
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

15
helmfile/apps/univention-management-stack/values-provisioning.yaml
View File

@@ -1,15 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
provisioningApi:
rootPath: "/univention/provisioning-api"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

19
helmfile/apps/univention-management-stack/values-provisioning.gotmpl → helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
View File

@@ -1,9 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
repository: {{ .Values.images.umsProvisioning.repository | quote }}
@@ -14,6 +11,18 @@ image:
- name: {{ . | quote }}
{{- end }}
provisioningApi:
rootPath: "/univention/provisioning-api"
resources:
{{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

31
helmfile/apps/univention-management-stack/values-selfservice-listener.yaml
View File

@@ -1,31 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
selfserviceListener:
debugLevel: "4"
tlsMode: "off"
umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

45
helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl → helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
View File

@@ -3,16 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
selfserviceListener:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
@@ -45,4 +35,39 @@ resources:
resourcesDependencyWaiter:
{{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
selfserviceListener:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
debugLevel: "4"
tlsMode: "off"
umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

25
helmfile/apps/univention-management-stack/values-stack-data-swp.yaml
View File

@@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataSwp:
udmApiUser: "cn=admin"
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
oxDefaultContext: "1"
smtpStartTls: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

57
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl → helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
View File

@@ -1,15 +1,35 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataSwp:
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
systemInformation:
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
oxDefaultContext: "1"
smtpStartTls: true
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
@@ -36,16 +56,13 @@ stackDataContext:
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
stackDataSwp:
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
systemInformation:
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
udmApiUser: "cn=admin"
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
...

26
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataUms:
loadDevData: true
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

59
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl → helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
View File

@@ -1,25 +1,8 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataUms:
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
stackDataContext:
domainname: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: {{ .Values.ldap.baseDn | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
@@ -33,4 +16,38 @@ image:
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
domainname: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: {{ .Values.ldap.baseDn | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
stackDataUms:
loadDevData: true
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
...

24
helmfile/apps/univention-management-stack/values-store-dav.yaml
View File

@@ -1,24 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

39
helmfile/apps/univention-management-stack/values-store-dav.gotmpl → helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
View File

@@ -1,13 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
storeDav:
auth:
basicAuth:
portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
repository: {{ .Values.images.umsStoreDav.repository | quote }}
@@ -34,4 +27,32 @@ persistence:
resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
storeDav:
auth:
basicAuth:
portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
...

24
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
View File

@@ -1,24 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
udmRestApi:
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
...

26
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml → helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
View File

@@ -1,10 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
udmRestApi:
# TODO: Stub value currently
caCert: ""
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
@@ -18,6 +14,19 @@ extraVolumeMounts:
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -38,4 +47,13 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
udmRestApi:
# TODO: Stub value currently
caCert: ""
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
...

18
helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
View File

@@ -1,18 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcGateway.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
...

14
helmfile/apps/univention-management-stack/values-umc-gateway.yaml → helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
View File

@@ -21,6 +21,19 @@ extraVolumeMounts:
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcGateway.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -41,4 +54,5 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

39
helmfile/apps/univention-management-stack/values-umc-server.gotmpl
View File

@@ -1,39 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
umcServer:
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
smtpSecret: {{ .Values.smtp.password | quote }}
postgresql:
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
memcached:
server: {{ .Values.cache.umsSelfservice.host | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
...

40
helmfile/apps/univention-management-stack/values-umc-server.yaml → helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
View File

@@ -1,10 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"
privateKeyFile: "/var/secrets/ssl/tls.key"
extraVolumes:
- name: "certificates"
secret:
@@ -43,14 +39,36 @@ extraVolumeMounts:
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
subPath: "udm-portals-announcement.xml"
postgresql:
bundled: false
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
memcached:
bundled: false
auth:
username: null
password: null
server: {{ .Values.cache.umsSelfservice.host | quote }}
postgresql:
bundled: false
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
@@ -72,4 +90,14 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
smtpSecret: {{ .Values.smtp.password | quote }}
privateKeyFile: "/var/secrets/ssl/tls.key"
...

19
helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
View File

@@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
repository: {{ .Values.images.umsStackGateway.repository | quote }}
tag: {{ .Values.images.umsStackGateway.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
extraTls:
- hosts:
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
...

50
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml → helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
View File

@@ -1,18 +1,45 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
fullnameOverride: "ums-stack-gateway"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
repository: {{ .Values.images.umsStackGateway.repository | quote }}
tag: {{ .Values.images.umsStackGateway.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
enabled: {{ .Values.ingress.enabled }}
extraTls:
- hosts:
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls: false
service:
type: "ClusterIP"
podSecurityContext:
enabled: true
fsGroup: 1001
fullnameOverride: "ums-stack-gateway"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
@@ -260,20 +287,7 @@ serverBlock: |
}
podSecurityContext:
enabled: true
fsGroup: 1001
service:
type: "ClusterIP"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
...