fix(univention-management-stack): Add Helm charts

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -1,3 +1,86 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+
+repositories:
+  - name: "univention"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+
+releases:
+  - name: "store-dav"
+    chart: "univention/store-dav"
+    version: "0.2.0"
+    values:
+      - "values-store-dav.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ldap-server"
+    chart: "univention/ldap-server"
+    version: "0.1.0"
+    values:
+      - "values-ldap-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ldap-notifier"
+    chart: "univention/ldap-notifier"
+    version: "0.1.0"
+    values:
+      - "values-ldap-notifier.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "udm-rest-api"
+    chart: "univention/udm-rest-api"
+    version: "0.1.0"
+    values:
+      - "values-udm-rest-api.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "stack-data-ums"
+    chart: "univention/stack-data-ums"
+    version: "0.1.0"
+    values:
+      - "values-stack-data-ums.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "stack-data-swp"
+    chart: "univention/stack-data-swp"
+    version: "0.1.0"
+    values:
+      - "values-stack-data-swp.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "portal-server"
+    chart: "univention/portal-server"
+    version: "0.1.0"
+    values:
+      - "values-portal-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "notifications-api"
+    chart: "univention/notifications-api"
+    version: "0.1.0"
+    values:
+      - "values-notifications-api.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "portal-listener"
+    chart: "univention/portal-listener"
+    version: "0.1.0"
+    values:
+      - "values-portal-listener.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "portal-frontend"
+    chart: "univention/portal-frontend"
+    version: "0.1.0"
+    values:
+      - "values-portal-frontend.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "umc-gateway"
+    chart: "univention/umc-gateway"
+    version: "0.1.0"
+    values:
+      - "values-umc-gateway.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "umc-server"
+    chart: "univention/umc-server"
+    version: "0.1.0"
+    values:
+      - "values-umc-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+
+bases:
+  - "../../bases/environments.yaml"

helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl

@@ -0,0 +1,17 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+ldapServer:
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+
+  # TODO: Certificates handling
+  # caCert: ""
+  # certPem: ""
+  # privateKey: ""
+  # dhParam: ""
+  tlsMode: "off"
+
+  # TODO: SAML integration
+  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
+  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapServer.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsLdapServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+notificationsapi:
+  apply_database_migrations: "True"
+  dev_mode: "False"
+  environment: "staging"
+  log_level: "DEBUG"
+  sql_echo: "False"
+  api_prefix: "/univention/portal/notifications-api"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalFrontend:
+  environment: "staging"
+  log_level: "INFO"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+ingressRoot:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -0,0 +1,42 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalListener:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=univention-organization,dc=intranet"
+  environment: "staging"
+  debugLevel: "4"
+  # TODO: using this in server without the pending slash, fix
+  # ucsInternalUrl: "http://portal-listener:univention@store-dav/portal-data/"
+  assetsRoot: "http://portal-listener:univention@store-dav/portal-assets/"
+  ucsInternalUrl: "http://portal-listener:univention@store-dav/portal-data/"
+  umcGetUrl: "http://umc-server/get"
+  umcSessionUrl: "http://umc-server/get/session-info"
+
+  ldapBaseDn: "dc=univention-organization,dc=intranet"
+  ldapHost: "ldap-server"
+  ldapHostDn: "cn=admin,dc=univention-organization,dc=intranet"
+  ldapSecret: "univention"
+  machineSecret: "univention"
+  notifierServer: "ldap-notifier"
+  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=univention-organization,dc=intranet"
+  udmApiUrl: "http://udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalListener.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsPortalListener.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+store-dav:
+  bundled: false
+
+...

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -0,0 +1,38 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalServer:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=univention,dc=intranet"
+  authMode: "saml"
+  environment: "staging"
+  editable: "true"
+  logLevel: "DEBUG"
+  ucsInternalUrl: "http://portal-server:univention@store-dav/portal-data"
+  umcGetUrl: "http://umc-server/get"
+  umcSessionUrl: "http://umc-server/get/session-info"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalServer.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsPortalServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+...

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -0,0 +1,20 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+stackDataSwp:
+  udmApiPassword: "univention"
+  loadDevData: true
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+...

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -0,0 +1,26 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+stackDataUms:
+  udmApiPassword: "univention"
+  loadDevData: true
+
+stackDataContext:
+  initialPasswordAdministrator: "univention"
+
+  # The SWP configuration brings its own UMC policies.
+  installUmcPolicies: false
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+...

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+storeDav:
+  auth:
+    basicAuth:
+      # TODO: Secrets management
+      portal-server: "univention"
+      portal-listener: "univention"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsStoreDav.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsStoreDav.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+  configHtpasswd:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
+    pullPolicy: "Always"
+    tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . }}
+      {{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+...

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -0,0 +1,57 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+udmRestApi:
+  apiLogLevel: "4"
+  authGroups:
+    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=univention-organization,dc=intranet"
+    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=univention-organization,dc=intranet"
+    domainAdmins: "cn=Domain Admins,cn=groups,dc=univention-organization,dc=intranet"
+  environment: "staging"
+  ldapHost: "ldap-server"
+  ldapBaseDn: "dc=univention-organization,dc=intranet"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=univention-organization,dc=intranet
+  ldapHostDn: "cn=admin,dc=univention-organization,dc=intranet"
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: There is on machine secret on the container
+  # TODO: Secret should be entered without b64enc
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: why do we need this many subprocesses?
+  numberOfSubprocesses: 8
+  # TODO: Stub value currently
+  caCert: ""
+  # TODO: This should not be part of the udm-rest-api anymore
+  loadJoinData:
+    enabled: true
+  # TODO: probably to INFO
+  logLevel: "DEBUG"
+  # TODO: configurable
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUdmRestApi.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsUdmRestApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+
+...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+umcGateway:
+  domainname: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ssoFqdn: "localhost:8097"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUmcGateway.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsUmcGateway.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -0,0 +1,52 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+umcServer:
+  domainname: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ldapHost: "ldap-server"
+  ldapBaseDn: "dc=univention-organization,dc=intranet"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=univention-organization,dc=intranet
+  ldapHostDn: cn=admin,dc=univention-organization,dc=intranet
+  enforceSessionCookie: "true"
+
+  samlEnabled: false
+  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
+  samlSpServer: "localhost:8000"
+  samlSchemes: "http"
+
+  tlsMode: "off"
+
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: There is on machine secret on the container
+  # TODO: Secret should be entered without b64enc
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUmcServer.repository }}"
+  pullPolicy: "Always"
+  tag: "{{ .Values.images.umsUmcServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+istio:
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  enabled: {{ .Values.istio.enabled }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+...