diff --git a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
index 58fb46d8..f679029b 100644
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -28,6 +28,15 @@ repositories:
 password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
 oci: true
 url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+ # openDesk 2FA Helpdesk Chart
+ - name: "opendesk-2fa-helpdesk-repo"
+ keyring: "../../files/gpg-pubkeys/opencode.gpg"
+ verify: {{ .Values.charts.opendesk2FAHelpdesk.verify }}
+ username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+ password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+ oci: true
+ # url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendesk2FAHelpdesk.registry }}/{{ .Values.charts.opendesk2FAHelpdesk.repository }}"
+ url: "{{ .Values.charts.opendesk2FAHelpdesk.registry }}/{{ .Values.charts.opendesk2FAHelpdesk.repository }}"
 # NGINX S3 Gateway Chart
 - name: "nginx-s3-gateway-repo"
 keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -74,6 +83,18 @@ releases:
 installed: {{ .Values.apps.nubus.enabled }}
 timeout: 900
+ # openDesk 2FA Helpdesk Chart
+ - name: "opendesk-2fa-helpdesk-backend"
+ chart: "opendesk-2fa-helpdesk-repo/{{ .Values.charts.opendesk2FAHelpdesk.name }}"
+ version: "{{ .Values.charts.opendesk2FAHelpdesk.version }}"
+ values:
+ - "values-opendesk-2fa-helpdesk.yaml.gotmpl"
+ {{- range .Values.customization.release.opendesk2FAHelpdesk}}
+ - {{ . }}
+ {{- end }}
+ installed: {{ .Values.apps.nubus.enabled }}
+ timeout: 900
+
 
 # NGINX S3 Gateway (when cluster minio is not used)
 - name: "nubus"
 chart: "nginx-s3-gateway-repo/{{ .Values.charts.nginxS3Gateway.name }}"
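Review bot: The new repository entry hard-codes `url: "{{ .Values.charts.opendesk2FAHelpdesk.registry }}/{{ .Values.charts.opendesk2FAHelpdesk.repository }}"` and leaves the `coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry` variant commented out, so unlike the neighbouring `opendeskKeycloakBootstrap` entry it ignores an operator-configured registry override and always resolves to the default upstream. In a mirrored or air-gapped deployment helmfile would still present `OD_PRIVATE_REGISTRY_USERNAME`/`OD_PRIVATE_REGISTRY_PASSWORD` to that default registry instead of the configured mirror. Restore the same expression the entry above uses, `url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendesk2FAHelpdesk.registry }}/{{ .Values.charts.opendesk2FAHelpdesk.repository }}"`, or add a comment stating why this chart must bypass the mirror; the commented-out line should not stay in the file either way.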
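Review bot: The new release has no `needs:` entry and is switched with `installed: {{ .Values.apps.nubus.enabled }}`, so nothing orders it after the Keycloak release whose clients its values file configures, and it cannot be disabled separately from Nubus; whether the sibling releases in this file declare `needs:` is not visible in the hunk. I would add a `needs:` pointing at the Keycloak release and, if a per-component switch is wanted, gate `installed:` on a dedicated value rather than `apps.nubus.enabled`. The `timeout: 900` mirrors the neighbouring release and is fine.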
diff --git a/helmfile/apps/nubus/values-opendesk-2fa-helpdesk.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-2fa-helpdesk.yaml.gotmpl new file mode 100644 index 00000000..3b29594d --- /dev/null +++ b/helmfile/apps/nubus/values-opendesk-2fa-helpdesk.yaml.gotmpl 
@@ -0,0 +1,770 @@ +{{/* +SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.global.domain }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.opendesk2FAHelpdesk.registry | quote }} + repository: {{ .Values.images.opendesk2FAHelpdesk.repository | quote }} + tag: {{ .Values.images.opendesk2FAHelpdesk.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + +cleanup: + deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }} + keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }} + +config: + clientAccessRestrictions: + {{- if .Values.apps.element.enabled }} + matrix: + client: "opendesk-matrix" + scope: "opendesk-matrix-scope" + role: "opendesk-matrix-access-control" + group: "managed-by-attribute-Livecollaboration" + {{- end }} + {{- if .Values.apps.jitsi.enabled }} + jitsi: + client: "opendesk-jitsi" + scope: "opendesk-jitsi-scope" + role: "opendesk-jitsi-access-control" + group: "managed-by-attribute-Videoconference" + {{- end }} + {{- if .Values.apps.xwiki.enabled }} + xwiki: + client: "opendesk-xwiki" + scope: "opendesk-xwiki-scope" + role: "opendesk-xwiki-access-control" + group: "managed-by-attribute-Knowledgemanagement" + {{- end }} + {{- if .Values.apps.openproject.enabled }} + openproject: + client: "opendesk-openproject" + scope: "opendesk-openproject-scope" + role: "opendesk-openproject-access-control" + group: "managed-by-attribute-Projectmanagement" + {{- end }} + {{- if .Values.apps.nextcloud.enabled }} + nextcloud: + client: "opendesk-nextcloud" + scope: "opendesk-nextcloud-scope" + role: "opendesk-nextcloud-access-control" + group: "managed-by-attribute-Fileshare" 
+ {{- end }} + {{- if .Values.apps.oxAppSuite.enabled }} + oxAppSuite: + client: "opendesk-oxappsuite" + scope: "opendesk-oxappsuite-scope" + role: "opendesk-oxappsuite-access-control" + group: "managed-by-attribute-Groupware" + dovecot: + client: "opendesk-dovecot" + scope: "opendesk-dovecot-scope" + role: "opendesk-dovecot-access-control" + group: "managed-by-attribute-Groupware" + {{- end }} + {{- if .Values.apps.notes.enabled }} + notes: + client: "opendesk-notes" + scope: "opendesk-notes-scope" + role: "opendesk-notes-access-control" + group: "managed-by-attribute-Notes" + {{- end }} + + custom: + clientScopes: + {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }} + clients: + {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }} + managed: + clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', + 'offline_access', 'roles', 'address', 'phone' ] + clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', + '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', + '${client_security-admin-console}' ] + # keycloak: + # adminUser: "kcadmin" + # adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} + # realm: {{ .Values.platform.realm | quote }} + # intraCluster: + # enabled: true + # internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" + # twoFactorSettings: + # additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }} + # precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access', + # {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }} + # {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }} + # {{ if 
.Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }} + # {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }} + # {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }} + # {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }} + # {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }} + # ] + + opendesk: + # We use client specific scopes as we bind them to Keycloak role membership which itself is linked + # to LDAP group membership to ensure a user cannot access an application without the required + # group membership. + clientScopes: + - name: "read_contacts" + protocol: "openid-connect" + - name: "write_contacts" + protocol: "openid-connect" + {{ if .Values.apps.openproject.enabled }} + - name: "opendesk-openproject-scope" + description: "Scope for the claims required by openDesk's OpenProject instance." 
+ protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "opendeskProjectmanagementAdmin" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "opendeskProjectmanagementAdmin" + id.token.claim: true + access.token.claim: true + claim.name: "openproject_admin" + jsonType.label: "String" + - name: "email" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "email" + id.token.claim: true + access.token.claim: true + claim.name: "email" + jsonType.label: "String" + - name: "given name" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "firstName" + id.token.claim: true + access.token.claim: true + claim.name: "given_name" + jsonType.label: "String" + - name: "family name" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "lastName" + id.token.claim: true + access.token.claim: true + claim.name: "family_name" + 
jsonType.label: "String" + {{ end }} + {{ if .Values.apps.jitsi.enabled }} + - name: "opendesk-jitsi-scope" + description: "Scope for the claims required by openDesk's Jitsi instance." + protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "full name" + protocol: "openid-connect" + protocolMapper: "oidc-full-name-mapper" + consentRequired: false + config: + id.token.claim: true + introspection.token.claim: true + access.token.claim: true + userinfo.token.claim: true + - name: "email" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "email" + id.token.claim: true + access.token.claim: true + claim.name: "email" + jsonType.label: "String" + {{ end }} + {{ if .Values.apps.nextcloud.enabled }} + - name: "opendesk-nextcloud-scope" + description: "Scope for the claims required by openDesk's Nextcloud instance." 
+ protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "email" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "email" + id.token.claim: true + access.token.claim: true + claim.name: "email" + jsonType.label: "String" + - name: "context" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "oxContextIDNum" + id.token.claim: true + access.token.claim: true + claim.name: "context" + jsonType.label: "String" + {{ end }} + {{ if .Values.apps.element.enabled }} + - name: "opendesk-matrix-scope" + description: "Scope for the claims required by openDesk's Matrix instance." 
+ protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "full name" + protocol: "openid-connect" + protocolMapper: "oidc-full-name-mapper" + consentRequired: false + config: + id.token.claim: true + introspection.token.claim: true + access.token.claim: true + userinfo.token.claim: true + - name: "email" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "email" + id.token.claim: true + access.token.claim: true + claim.name: "email" + jsonType.label: "String" + {{ end }} + {{ if .Values.apps.xwiki.enabled }} + - name: "opendesk-xwiki-scope" + description: "Scope for the claims required by openDesk's XWiki instance." 
+ protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "full name" + protocol: "openid-connect" + protocolMapper: "oidc-full-name-mapper" + consentRequired: false + config: + id.token.claim: true + introspection.token.claim: true + access.token.claim: true + userinfo.token.claim: true + - name: "email" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "email" + id.token.claim: true + access.token.claim: true + claim.name: "email" + jsonType.label: "String" + {{ end }} + {{ if .Values.apps.oxAppSuite.enabled }} + - name: "opendesk-dovecot-scope" + description: "Scope for the claims required by openDesk's Dovecot instance." 
+ protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "opendesk-oxappsuite-scope" + description: "Scope for the claims required by openDesk's OX Appuite instance." + protocol: "openid-connect" + protocolMappers: + - name: "context" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "oxContextIDNum" + id.token.claim: true + access.token.claim: true + claim.name: "context" + jsonType.label: "String" + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + {{ end }} + {{ if .Values.apps.notes.enabled }} + - name: "opendesk-notes-scope" + description: "Scope for the claims required by openDesk's Notes instance." 
+ protocol: "openid-connect" + protocolMappers: + - name: "email" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "email" + id.token.claim: true + access.token.claim: true + claim.name: "email" + jsonType.label: "String" + - name: "given name" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "firstName" + id.token.claim: true + access.token.claim: true + claim.name: "given_name" + jsonType.label: "String" + - name: "family name" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + introspection.token.claim: true + userinfo.token.claim: true + user.attribute: "lastName" + id.token.claim: true + access.token.claim: true + claim.name: "family_name" + jsonType.label: "String" + {{ end }} + clients: + - name: "opendesk-intercom" + clientId: "opendesk-intercom" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback" + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.revoke.offline.tokens: true + backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout" + protocolMappers: + - name: "intercom-audience" + protocol: "openid-connect" + protocolMapper: "oidc-audience-mapper" + consentRequired: false + config: + included.client.audience: "opendesk-intercom" + id.token.claim: false + access.token.claim: true + - name: 
"opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + defaultClientScopes: + - "offline_access" + {{ if .Values.apps.notes.enabled }} + - name: "opendesk-notes" + clientId: "opendesk-notes" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/" + standardFlowEnabled: true + implicitFlowEnabled: false + alwaysDisplayInConsole: false + bearerOnly: false + directAccessGrantsEnabled: true + serviceAccountsEnabled: false + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + surrogateAuthRequired: false + attributes: + backchannel.logout.revoke.offline.tokens: false + backchannel.logout.session.required: false + client.introspection.response.allow.jwt.claim.enabled: false + client.use.lightweight.access.token.enabled: false + client_credentials.use_refresh_token: false + display.on.consent.screen: false + oauth2.device.authorization.grant.enabled: false + oidc.ciba.grant.enabled: false + post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*" + require.pushed.authorization.requests: false + tls.client.certificate.bound.access.tokens: false + 
token.response.type.bearer.lower-case: false + use.jwks.url: false + use.refresh.tokens: false + # it is probably not even required to set this value explicitly. + user.info.response.signature.alg: "RS256" + defaultClientScopes: + - "opendesk-notes-scope" + {{ end }} + {{ if .Values.apps.oxAppSuite.enabled }} + - name: "opendesk-dovecot" + clientId: "opendesk-dovecot" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }} + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: false + defaultClientScopes: + - "opendesk-dovecot-scope" + - name: "opendesk-oxappsuite" + clientId: "opendesk-oxappsuite" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + defaultClientScopes: + - "opendesk-oxappsuite-scope" + - "read_contacts" + - "write_contacts" + {{ end }} + {{ if .Values.apps.jitsi.enabled }} + - name: "opendesk-jitsi" + clientId: "opendesk-jitsi" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + redirectUris: + - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*" + consentRequired: false + 
frontchannelLogout: false + publicClient: true + fullScopeAllowed: true + authorizationServicesEnabled: false + defaultClientScopes: + - "opendesk-jitsi-scope" + {{ end }} + {{ if .Values.apps.element.enabled }} + - name: "opendesk-matrix" + clientId: "opendesk-matrix" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + standardFlowEnabled: true + directAccessGrantsEnabled: true + serviceAccountsEnabled: true + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + defaultClientScopes: + - "opendesk-matrix-scope" + {{ end }} + {{ if .Values.apps.nextcloud.enabled }} + - name: "opendesk-nextcloud" + clientId: "opendesk-nextcloud" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: 
"https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + defaultClientScopes: + - "opendesk-nextcloud-scope" + - "read_contacts" + - "write_contacts" + {{ end }} + {{ if .Values.apps.openproject.enabled }} + - name: "opendesk-openproject" + clientId: "opendesk-openproject" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: false + serviceAccountsEnabled: true + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + defaultClientScopes: + - "opendesk-openproject-scope" + {{ end }} + {{ if .Values.apps.xwiki.enabled }} + - name: "opendesk-xwiki" + clientId: "opendesk-xwiki" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: false 
+ backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*" + defaultClientScopes: + - "opendesk-xwiki-scope" + {{ end }} + +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + enabled: true + privileged: false + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true + seLinuxOptions: + {{ .Values.seLinuxOptions.opendesk2FAHelpdesk | toYaml | nindent 4 }} + +additionalAnnotations: + argocd.argoproj.io/hook: "Sync" + argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation" + +podAnnotations: + intents.otterize.com/service-name: "ums-keycloak-bootstrap" + +podSecurityContext: + enabled: true + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + +resources: + {{ .Values.resources.opendesk2FAHelpdesk | toYaml | nindent 2 }} + +{{- if .Values.certificate.selfSigned }} +extraVolumes: + - name: "trusted-cert-secret-volume" + secret: + secretName: "opendesk-certificates-ca-tls" + items: + - key: "ca.crt" + path: "ca-certificates.crt" +extraVolumeMounts: + - name: "trusted-cert-secret-volume" + mountPath: "/etc/ssl/certs/ca-certificates.crt" + subPath: "ca-certificates.crt" +{{- end }} + +... diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 6ee9eb22..c253506c 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl 
@@ -305,6 +305,16 @@ charts:
 name: "nubus"
 version: "1.5.1"
 verify: true
+ opendesk2FAHelpdesk:
+ # providerCategory: "Platform"
+ # providerResponsible: "openDesk"
+ # upstreamRegistry: "https://registry.opencode.de"
+ # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-2fa-admin"
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/platform-development/charts/opendesk-2fa-admin"
+ name: "opendesk-2fa-helpdesk-backend"
+ version: "1.0.0"
+ verify: true
 opendeskAlerts:
 # providerCategory: "Platform"
 # providerResponsible: "openDesk"
diff --git a/helmfile/environments/default/customization.yaml.gotmpl b/helmfile/environments/default/customization.yaml.gotmpl
index bd158976..a6dc4bed 100644
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -54,6 +54,7 @@ customization:
 ums: {}
 intercomService: {}
 opendeskKeycloakBootstrap: {}
+ opendesk2FAHelpdesk: {}
 nginxS3Gateway: {}
 # open-xchange
 dovecot: {}
diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl
index 174451ee..4e18ed40 100644
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
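Review bot: The chart entry sets `name: "opendesk-2fa-helpdesk-backend"` while the OCI `repository` path ends in `charts/opendesk-2fa-admin`, so with the URL built in helmfile-child the chart reference resolves to `.../charts/opendesk-2fa-admin/opendesk-2fa-helpdesk-backend`; I cannot tell from here whether that is the published path or a leftover of an admin-to-helpdesk rename (the image repository in the images file is `opendesk-2fa-admin-backend`). Please confirm the OCI path resolves and, since `verify: true` is set against the opencode keyring, that a signed provenance file is published next to the chart at that path, because helm's verification fails outright when the `.prov` file is missing. A one-line comment recording the rename, if that is what happened, would save the next reader the same check.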
@@ -419,6 +419,16 @@ images:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
 tag: "25.0.1-ucs1@sha256:61cb3e703672f6d8806af41bec8056ca84e295bbeb546fdb5349322d1174a43d"
+ opendesk2FAHelpdesk:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Univention"
+ # upstreamRegistry: "https://artifacts.software-univention.de"
+ # upstreamRepository: "nubus/images/keycloak-bootstrap"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["0", "1", "0"]
+ registry: "registry.opencode.de"
+ repository: "bmi/opendesk/components/platform-development/images/opendesk-2fa-admin-backend"
+ tag: "1.0.0@sha256:790ae7fc673f2d577a27953d713109802866f368ae69a3faa043b309a550fde3"
 nubusKeycloakBootstrap:
 # providerCategory: "Supplier"
 # providerResponsible: "Univention"
diff --git a/helmfile/environments/default/resources.yaml.gotmpl b/helmfile/environments/default/resources.yaml.gotmpl
index 46362504..a536afd8 100644
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -157,6 +157,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "256Mi"
+ opendesk2FAHelpdesk:
+ limits:
+ cpu: 99
+ memory: "512Mi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
 opendeskStaticFiles:
 limits:
 cpu: 99
diff --git a/helmfile/environments/default/selinux.yaml.gotmpl b/helmfile/environments/default/selinux.yaml.gotmpl
index 229f78c0..1bd6a1c4 100644
--- a/helmfile/environments/default/selinux.yaml.gotmpl
+++ b/helmfile/environments/default/selinux.yaml.gotmpl
@@ -44,6 +44,7 @@ seLinuxOptions:
 notesFrontend: ~
 notesYProvider: ~
 opendeskKeycloakBootstrap: ~
+ opendesk2FAHelpdesk: ~
 opendeskStaticFiles: ~
 openproject: ~
 openprojectBootstrap: ~
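Review bot: The provenance comments on the new `opendesk2FAHelpdesk` image entry (`# providerResponsible: "Univention"`, `# upstreamRegistry: "https://artifacts.software-univention.de"`, `# upstreamRepository: "nubus/images/keycloak-bootstrap"`, plus the mirror tag filter and start version) look copied from the `nubusKeycloakBootstrap` entry below and contradict the image actually pinned, `bmi/opendesk/components/platform-development/images/opendesk-2fa-admin-backend`, which the charts file labels as Platform/openDesk. If any mirroring tooling consumes these `upstream*` fields it would mirror Univention's keycloak-bootstrap image into this path; whether such tooling exists is not visible here, but the metadata is wrong for an auditor either way. Correct the block to the real origin, or drop the `upstream*` lines and keep `# providerCategory: "Platform"` / `# providerResponsible: "openDesk"` as in the charts entry. The digest pin on `tag:` is the right thing and should stay.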