sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nubus): Use otterize feature branch

Browse Source 
feat(nubus): Use nubus umbrella
This commit is contained in:
Andreas Niemann
2024-06-17 14:07:51 +02:00
committed by Carlos García-Mauriño
parent 4b99357b21
commit b00a7b59c0
10 changed files with 1214 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitlab-ci.yml
View File

@@ -317,7 +317,7 @@ ums-deploy:
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
when: "on_success"
variables:
COMPONENT: "univention-management-stack"
COMPONENT: "nubus"
ox-deploy:
stage: "component-deploy-stage-1"

50
helmfile/apps/nubus/helmfile-child.yaml Normal file
View File

@@ -0,0 +1,50 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
repositories:
# Univention Management Stack Umbrella Chart
- name: "nubus"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.nubus.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url:
"{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
{{ .Values.charts.nubus.repository }}"
# OpenDesk Keycloak Bootstrap Chart
- name: "opendesk-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
releases:
# Univention Management Stack Umbrella Chart
- name: "ums"
chart: "nubus/{{ .Values.charts.nubus.name }}"
version: "{{ .Values.charts.nubus.version }}"
values:
- "values-nubus.yaml.gotmpl"
- "values-opendesk-customization.yaml.gotmpl"
# - "values-opendesk-images.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
# OpenDesk Keycloak Bootstrap Chart
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
values:
- "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "univention-management-stack"
...

12
helmfile/apps/nubus/helmfile.yaml Normal file
View File

@@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
helmfiles:
- path: "./helmfile-child.yaml"
values:
- {{ toYaml .Values | nindent 8 }}
...

198
helmfile/apps/nubus/values-nubus.yaml.gotmpl Normal file
View File

@@ -0,0 +1,198 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
nubusDeployment: true
ldap:
baseDn: {{ .Values.ldap.baseDn | quote }}
domainName: {{ .Values.global.domain | quote }}
domain: {{ .Values.global.domain | quote }}
ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
certManagerIssuer: "letsencrypt-prod-dns"
nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
keycloak:
realm: {{ .Values.platform.realm | quote }}
objectStorage:
bucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
connection:
host: "minio"
port: "9000"
protocol: "http"
nubusStackGateway:
ingress:
hostname: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
# Nubus bundled services
postgresql:
enabled: false
provisioning:
enabled: false
minio:
enabled: false
# Nubus services which use customer supplied services
keycloak:
postgresql:
connection:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
auth:
username: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
credentialSecret:
name: "ums-keycloak-postgresql-opendesk-credentials"
key: "keycloakDatabasePassword"
nubusGuardian:
postgresql:
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
credentialSecret:
name: "ums-guardian-postgresql-opendesk-credentials"
key: "guardianDatabasePassword"
nubusNotificationsApi:
postgresql:
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
nubusKeycloakExtensions:
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port }}
auth:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
credentialSecret:
name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
key: "umcKeycloakExtensionsDatabasePassword"
smtp:
connection:
host: {{ .Values.smtp.host | quote }}
port: {{ .Values.smtp.port | quote }}
auth:
username: {{ .Values.smtp.username | quote }}
credentialSecret:
name: "ums-keycloak-extensions-smtp-opendesk-credentials"
key: "umcKeycloakExtensionsSmtpPassword"
nubusPortalListener:
portalListener:
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
objectStorageCredentialSecret:
name: "ums-portal-listener-minio-opendesk-credentials"
accessKeyKey: "access-key-id"
secretKeyKey: "secret-key-id"
nubusPortalServer:
portalServer:
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
objectStorageCredentialSecret:
name: "ums-portal-server-minio-opendesk-credentials"
accessKeyKey: "access-key-id"
secretKeyKey: "secret-key-id"
# Nubus services
nubusStackDataUms:
stackDataContext:
umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
umcMemcachedUsername: ""
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
nubusUmcServer:
memcached:
auth:
username: ""
nubusStackDataSwp:
stackDataContext:
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUser: {{ .Values.smtp.username | quote }}
nubusUmcGateway:
umcGateway:
umcHtmlTitle: "openDesk - Admin"
nubusUmcServer:
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
credentialSecret:
name: "ums-umc-server-postgresql-opendesk-credentials"
key: "umcServerDatabasePassword"
memcached:
bundled: false
server: {{ .Values.cache.umsSelfservice.host | quote }}
auth:
credentialSecret:
name: "ums-umc-server-memcached-opendesk-credentials"
key: "umcServerMemcachedPassword"
nubusKeycloakBootstrap:
bootstrap:
twoFactorAuthentication:
enabled: true
group: "not2fa-users"
# Credential secrets for accessing customer supplied services
extraSecrets:
- name: "ums-keycloak-postgresql-opendesk-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- name: "ums-guardian-postgresql-opendesk-credentials"
stringData:
guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
- name: "ums-notifications-api-postgresql-opendesk-credentials"
stringData:
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- name: "ums-umc-server-postgresql-opendesk-credentials"
stringData:
umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
- name: "ums-umc-server-memcached-opendesk-credentials"
stringData:
umcServerMemcachedPassword: ""
- name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
stringData:
umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
- name: "ums-keycloak-extensions-smtp-opendesk-credentials"
stringData:
umcKeycloakExtensionsSmtpPassword: {{ .Values.smtp.password | quote }}
- name: "ums-portal-server-minio-opendesk-credentials"
stringData:
access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
- name: "ums-portal-listener-minio-opendesk-credentials"
stringData:
access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}

270
helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl Normal file
View File

@@ -0,0 +1,270 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
keycloak:
enabled: true
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak"
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
guardian:
authorizationApi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-authorization-api"
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
managementApi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-api"
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
managementUi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-ui"
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
openPolicyAgent:
podAnnotations:
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
provisioning:
# Using openDesk keycloak provisioning
enabled: false
nubusNotificationsApi:
additionalAnnotations:
intents.otterize.com/service-name: "ums-notifications-api"
serviceAccount:
annotations:
intended.usage: "compliance"
replicaCount: {{ .Values.replicas.umsNotificationsApi }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
nubusUmcServer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-umc-server"
replicaCount: {{ .Values.replicas.umsUmcServer }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
nubusKeycloakExtensions:
handler:
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
resources:
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
proxy:
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
nubusPortalListener:
podAnnotations:
intents.otterize.com/service-name: "ums-portal-listener"
replicaCount: {{ .Values.replicas.umsPortalListener }}
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
nubusPortalServer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-server"
serviceAccount:
annotations:
intended.usage: "compliance"
replicaCount: {{ .Values.replicas.umsPortalServer }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
nubusLdapNotifier:
podAnnotations:
intents.otterize.com/service-name: "ums-ldap-notifier"
replicaCount: {{ .Values.replicas.umsLdapNotifier }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
nubusLdapServer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-ldap-server"
serviceAccount:
annotations:
intended.usage: "compliance"
initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
extraVolumes:
- name: "opendesk-schemas"
configMap:
name: "{{ .Release.Name }}-stack-data-swp-schemas"
extraVolumeMounts:
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
subPath: "opendeskFileshare.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
subPath: "opendeskKnowledgemanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
subPath: "opendeskLearnmanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
subPath: "opendeskLivecollaboration.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema"
nubusPortalFrontend:
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-frontend"
serviceAccount:
annotations:
intended.usage: "compliance"
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
nubusStackDataUms:
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
nubusStackDataSwp:
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
nubusSelfServiceListener:
podAnnotations:
intents.otterize.com/service-name: "ums-selfservice-listener"
resources:
{{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
nubusUdmRestApi:
additionalAnnotations:
intents.otterize.com/service-name: "ums-udm-rest-api"
serviceAccount:
annotations:
intended.usage: "compliance"
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
initResources:
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
extraVolumeMounts:
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
nubusUmcGateway:
replicaCount: {{ .Values.replicas.umsUmcGateway }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
- name: "announcements-customization"
mountPath:
"/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
nubusKeycloakBootstrap:
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
serviceAccount:
annotations:
intended.usage: "compliance"
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
nubusProvisioning:
serviceAccount:
annotations:
intended.usage: "compliance"
nats:
resources:
{{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-nats"
serviceAccount:
annotations:
intended.usage: "compliance"
api:
resources:
{{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-api"
dispatcher:
resources:
{{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-dispatcher"
prefill:
resources:
{{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-prefill"
registerConsumers:
resources:
{{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
udmTransformer:
resources:
{{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-udm-transformer"

625
helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl Normal file
View File

@@ -0,0 +1,625 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
twoFactorSettings:
additionalGroups: {{ .Values.authentication.twoFactor.groups }}
custom:
clientScopes:
- name: "read_contacts"
protocol: "openid-connect"
- name: "write_contacts"
protocol: "openid-connect"
- name: "opendesk"
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients:
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk"
- name: "opendesk-intercom"
clientId: "opendesk-intercom"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.revoke.offline.tokens: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
protocolMappers:
- name: "intercom-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "opendesk-intercom"
id.token.claim: false
access.token.claim: true
# temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
# it to `opendesk_useruuid` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
- name: "entryuuid_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "entryuuid"
jsonType.label: "String"
# temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
# set it to `opendesk_username` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
- name: "phoenixusername_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "phoenixusername"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "offline_access"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes:
- "opendesk"
- "profile"
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
optionalClientScopes:
- "email"
- "profile"
# This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
# is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- name: "matrix"
clientId: "matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
standardFlowEnabled: true
directAccessGrantsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "read_contacts"
- "write_contacts"
- name: "opendesk-openproject"
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "profile"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "read_contacts"
- "write_contacts"
- name: "opendesk-xwiki"
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
- "address"
- "email"
- "profile"
- name: "guardian-management-api"
clientId: "guardian-management-api"
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
protocol: "openid-connect"
publicClient: false
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: false
serviceAccountsEnabled: true
protocolMappers:
- name: "Client Host"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientHost"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientHost"
jsonType.label: "String"
- name: "Client ID"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "client_id"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "client_id"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
userinfo.token.claim: false
id.token.claim: false
access.token.claim: true
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-cli"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "Client IP Address"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientAddress"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientAddress"
jsonType.label: "String"
- name: "guardian-scripts"
clientId: "guardian-scripts"
description: ""
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
surrogateAuthRequired: false
enabled: true
alwaysDisplayInConsole: false
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
webOrigins:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
bearerOnly: false
consentRequired: false
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
publicClient: true
frontchannelLogout: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-scripts"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
aggregate.attrs: false
multivalued: false
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "web-origins"
- "acr"
- "roles"
- "profile"
- "email"
optionalClientScopes:
- "address"
- "phone"
- "offline_access"
- "microprofile-jwt"
- name: "guardian-ui"
clientId: "guardian-ui"
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
standardFlowEnabled: true
publicClient: true
implicitFlowEnabled: false
directAccessGrantsEnabled: false
serviceAccountsEnabled: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: "false"
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
resources:
{{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
...

14
helmfile/environments/default/charts.yaml
View File

@@ -242,6 +242,18 @@ charts:
name: "nginx"
version: "15.9.3"
verify: true
nubus:
# providerCategory: "Supplier"
# providerResponsible: "Univention"
# upstreamRegistry: "https://artifacts.software-univention.de"
# upstreamRepository: "nubus/charts/nubus"
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ["0", "12", "0"]
registry: "artifacts.software-univention.de"
repository: "nubus/charts"
name: "nubus"
version: "0.19.3"
verify: true
opendeskKeycloakBootstrap:
# providerCategory: "Platform"
# providerResponsible: "openDesk"
@@ -304,7 +316,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize"
version: "2.0.1"
version: "2.1.0"
verify: true
oxConnector:
# providerCategory: "Supplier"

43
helmfile/environments/default/resources.yaml
View File

@@ -218,6 +218,49 @@ resources:
requests:
cpu: 0.1
memory: "512Mi"
nubusProvisioning:
nats:
limits:
cpu: 288
memory: "1Gi"
requests:
cpu: 0.1
memory: "128Mi"
dispatcher:
limits:
cpu: 1
memory: "1Gi"
requests:
cpu: 0.1
memory: "64Mi"
registerConsumers:
limits:
cpu: 1
memory: "1Gi"
requests:
cpu: 0.1
memory: "64Mi"
udmTransformer:
limits:
cpu: 1
memory: "1Gi"
requests:
cpu: 0.1
memory: "64Mi"
prefill:
limits:
cpu: 1
memory: "1Gi"
requests:
cpu: 0.1
memory: "64Mi"
api:
limits:
cpu: 1
memory: "1Gi"
requests:
cpu: 0.1
memory: "100Mi"
openproject:
limits:
cpu: 99

2
helmfile/environments/default/secrets.gotmpl
View File

@@ -73,7 +73,7 @@ secrets:
openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
keycloak:
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "keycloak-admin" | sha1sum | quote }}
clientSecret:
dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }}
intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}

4
helmfile_generic.yaml
View File

@@ -11,9 +11,7 @@ helmfiles:
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/default/*.gotmpl"
- {{ toYaml .Values | nindent 8 }}
- path: "helmfile/apps/services/helmfile-child.yaml"
values: *values
- path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
- path: "helmfile/apps/nubus/helmfile-child.yaml"
values: *values
- path: "helmfile/apps/intercom-service/helmfile-child.yaml"
values: *values