diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2cfe282e..782290d3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -317,7 +317,7 @@ ums-deploy: ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no") when: "on_success" variables:
- COMPONENT: "univention-management-stack"
+ COMPONENT: "nubus" ox-deploy: stage: "component-deploy-stage-1"
diff --git a/helmfile/apps/nubus/helmfile-child.yaml b/helmfile/apps/nubus/helmfile-child.yaml
new file mode 100644
index 00000000..7ddad76d
--- /dev/null
+++ b/helmfile/apps/nubus/helmfile-child.yaml
@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+ # Univention Management Stack Umbrella Chart
+ - name: "nubus"
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+ verify: {{ .Values.charts.nubus.verify }}
+ username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+ password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+ oci: true
+ url:
+ "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
+ {{ .Values.charts.nubus.repository }}"
+ # OpenDesk Keycloak Bootstrap Chart
+ - name: "opendesk-keycloak-bootstrap-repo"
+ keyring: "../../files/gpg-pubkeys/opencode.gpg"
+ verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
+ username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+ password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+ oci: true
+ url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+ {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+
+releases:
+ # Univention Management Stack Umbrella Chart
+ - name: "ums"
+ chart: "nubus/{{ .Values.charts.nubus.name }}"
+ version: "{{ .Values.charts.nubus.version }}"
+ values:
+ - "values-nubus.yaml.gotmpl"
+ - "values-opendesk-customization.yaml.gotmpl"
+ # - "values-opendesk-images.yaml.gotmpl"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+ timeout: 900
+ # OpenDesk Keycloak Bootstrap Chart
+ - name: "opendesk-keycloak-bootstrap"
+ chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
+ version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
+ values:
+ - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
+ needs:
+ - "ums"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+ timeout: 900
+
+commonLabels:
+ deploy-stage: "component-1"
+ component: "univention-management-stack"
+...
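Review bot: `commonLabels.component` at the bottom of helmfile-child.yaml still carries `"univention-management-stack"`, while the CI job in .gitlab-ci.yml now passes `COMPONENT: "nubus"` and the umbrella release is named `ums`; if anything selects or groups releases by that label, the three names now diverge. Presumably one name is meant to be used throughout, e.g. `component: "nubus"`, but that depends on how the label is consumed downstream. The commented-out `# - "values-opendesk-images.yaml.gotmpl"` in the `ums` release means no image overrides are applied to this release; either drop the line or say why it is disabled, e.g. `# TODO: re-enable once the images values file exists for the nubus chart`.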
diff --git a/helmfile/apps/nubus/helmfile.yaml b/helmfile/apps/nubus/helmfile.yaml
new file mode 100644
index 00000000..9b507b66
--- /dev/null
+++ b/helmfile/apps/nubus/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+ - "../../bases/environments.yaml"
+---
+helmfiles:
+ - path: "./helmfile-child.yaml"
+ values:
+ - {{ toYaml .Values | nindent 8 }}
+...
diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
new file mode 100644
index 00000000..cadcb296
--- /dev/null
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -0,0 +1,198 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +global: + nubusDeployment: true + ldap: + baseDn: {{ .Values.ldap.baseDn | quote }} + domainName: {{ .Values.global.domain | quote }} + domain: {{ .Values.global.domain | quote }} + ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} + certManagerIssuer: "letsencrypt-prod-dns" + nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }} + keycloak: + realm: {{ .Values.platform.realm | quote }} + objectStorage: + bucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} + connection: + host: "minio" + port: "9000" + protocol: "http" + +nubusStackGateway: + ingress: + hostname: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud" + ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} + +# Nubus bundled services +postgresql: + enabled: false + provisioning: + enabled: false + +minio: + enabled: false + +# Nubus services which use customer supplied services +keycloak: + postgresql: + connection: + host: {{ .Values.databases.keycloak.host | quote }} + port: {{ .Values.databases.keycloak.port }} + auth: + username: {{ .Values.databases.keycloak.username | quote }} + database: {{ .Values.databases.keycloak.name | quote }} + credentialSecret: + name: "ums-keycloak-postgresql-opendesk-credentials" + key: "keycloakDatabasePassword" + +nubusGuardian: + postgresql: + connection: + host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} + port: {{ .Values.databases.umsGuardianManagementApi.port | quote }} + auth: + username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} + database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} + credentialSecret: + name: "ums-guardian-postgresql-opendesk-credentials" + key: "guardianDatabasePassword" + 
+nubusNotificationsApi: + postgresql: + connection: + host: {{ .Values.databases.umsNotificationsApi.host | quote }} + port: {{ .Values.databases.umsNotificationsApi.port | quote }} + auth: + username: {{ .Values.databases.umsNotificationsApi.username | quote }} + database: {{ .Values.databases.umsNotificationsApi.name | quote }} + existingSecret: "ums-notifications-api-postgresql-opendesk-credentials" + + +nubusKeycloakExtensions: + postgresql: + connection: + host: {{ .Values.databases.keycloakExtension.host | quote }} + port: {{ .Values.databases.keycloakExtension.port }} + auth: + database: {{ .Values.databases.keycloakExtension.name | quote }} + username: {{ .Values.databases.keycloakExtension.username | quote }} + credentialSecret: + name: "ums-keycloak-extensions-postgresql-opendesk-credentials" + key: "umcKeycloakExtensionsDatabasePassword" + smtp: + connection: + host: {{ .Values.smtp.host | quote }} + port: {{ .Values.smtp.port | quote }} + auth: + username: {{ .Values.smtp.username | quote }} + credentialSecret: + name: "ums-keycloak-extensions-smtp-opendesk-credentials" + key: "umcKeycloakExtensionsSmtpPassword" + +nubusPortalListener: + portalListener: + objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} + objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} + objectStorageCredentialSecret: + name: "ums-portal-listener-minio-opendesk-credentials" + accessKeyKey: "access-key-id" + secretKeyKey: "secret-key-id" + +nubusPortalServer: + portalServer: + objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} + objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} + objectStorageCredentialSecret: + name: 
"ums-portal-server-minio-opendesk-credentials" + accessKeyKey: "access-key-id" + secretKeyKey: "secret-key-id" + + +# Nubus services +nubusStackDataUms: + stackDataContext: + umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }} + umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }} + umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }} + umcMemcachedUsername: "" + externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }} + nubusUmcServer: + memcached: + auth: + username: "" + +nubusStackDataSwp: + stackDataContext: + ldapSearchUsers: + {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }} + - username: {{ printf "ldapsearch_%s" $username | quote }} + password: {{ $password | quote }} + lastname: "LDAP-Search-User" + {{- end }} + externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }} + smtpHost: {{ .Values.smtp.host | quote }} + smtpPort: {{ .Values.smtp.port | quote }} + smtpUser: {{ .Values.smtp.username | quote }} + +nubusUmcGateway: + umcGateway: + umcHtmlTitle: "openDesk - Admin" + +nubusUmcServer: + postgresql: + bundled: false + connection: + host: {{ .Values.databases.umsSelfservice.host | quote }} + port: {{ .Values.databases.umsSelfservice.port | quote }} + auth: + username: {{ .Values.databases.umsSelfservice.username | quote }} + database: {{ .Values.databases.umsSelfservice.name | quote }} + credentialSecret: + name: "ums-umc-server-postgresql-opendesk-credentials" + key: "umcServerDatabasePassword" + memcached: + bundled: false + server: {{ .Values.cache.umsSelfservice.host | quote }} + auth: + credentialSecret: + name: "ums-umc-server-memcached-opendesk-credentials" + key: "umcServerMemcachedPassword" + +nubusKeycloakBootstrap: + bootstrap: + twoFactorAuthentication: + enabled: true + group: "not2fa-users" + +# Credential secrets for accessing customer supplied services +extraSecrets: + - name: 
"ums-keycloak-postgresql-opendesk-credentials" + stringData: + keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} + - name: "ums-guardian-postgresql-opendesk-credentials" + stringData: + guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }} + - name: "ums-notifications-api-postgresql-opendesk-credentials" + stringData: + password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }} + - name: "ums-umc-server-postgresql-opendesk-credentials" + stringData: + umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} + - name: "ums-umc-server-memcached-opendesk-credentials" + stringData: + umcServerMemcachedPassword: "" + - name: "ums-keycloak-extensions-postgresql-opendesk-credentials" + stringData: + umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} + - name: "ums-keycloak-extensions-smtp-opendesk-credentials" + stringData: + umcKeycloakExtensionsSmtpPassword: {{ .Values.smtp.password | quote }} + - name: "ums-portal-server-minio-opendesk-credentials" + stringData: + access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }} + secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} + - name: "ums-portal-listener-minio-opendesk-credentials" + stringData: + access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }} + secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} 
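Review bot: `global.nubusMasterPassword` in values-nubus.yaml.gotmpl falls back to the literal `"sovereign-workplace"` whenever `MASTER_PASSWORD` is unset, so an environment that forgets to export the variable silently deploys with a publicly known master credential instead of failing. Aborting the render is the safer default: `nubusMasterPassword: {{ requiredEnv "MASTER_PASSWORD" | quote }}` (helmfile's `requiredEnv` errors when the variable is missing). Two smaller points in the same file: `nubusStackGateway.ingress.hostname` hard-codes `portal.{{ .Release.Namespace }}.gaia.open-desk.cloud` while every other host in the file is derived from `.Values.global.domain`, which looks environment-specific, and `port` is rendered unquoted for the `keycloak` and `nubusKeycloakExtensions` postgresql connections but `| quote`d for guardian, notifications and umc-server — if the sub-charts expect the same type, presumably one form should be used consistently.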
diff --git a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
new file mode 100644
index 00000000..cfd6accd
--- /dev/null
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -0,0 +1,270 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +keycloak: + enabled: true + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak" + replicaCount: {{ .Values.replicas.keycloak }} + resources: + {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }} + +guardian: + authorizationApi: + podAnnotations: + intents.otterize.com/service-name: "ums-guardian-authorization-api" + resources: + {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} + managementApi: + podAnnotations: + intents.otterize.com/service-name: "ums-guardian-management-api" + resources: + {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} + managementUi: + podAnnotations: + intents.otterize.com/service-name: "ums-guardian-management-ui" + resources: + {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}# + openPolicyAgent: + podAnnotations: + intents.otterize.com/service-name: "ums-ums-open-policy-agent" + resources: + {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} + provisioning: + # Using openDesk keycloak provisioning + enabled: false + +nubusNotificationsApi: + additionalAnnotations: + intents.otterize.com/service-name: "ums-notifications-api" + serviceAccount: + annotations: + intended.usage: "compliance" + replicaCount: {{ .Values.replicas.umsNotificationsApi }} + resources: + {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }} + +nubusUmcServer: + additionalAnnotations: + intents.otterize.com/service-name: "ums-umc-server" + replicaCount: {{ .Values.replicas.umsUmcServer }} + resources: + {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }} + +nubusKeycloakExtensions: + handler: + replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }} + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak-extensions-handler" + resources: + {{ 
.Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }} + proxy: + replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }} + podAnnotations: + intents.otterize.com/service-name: "ums-keycloak-extensions-proxy" + resources: + {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }} + +nubusPortalListener: + podAnnotations: + intents.otterize.com/service-name: "ums-portal-listener" + replicaCount: {{ .Values.replicas.umsPortalListener }} + resources: + {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }} + persistence: + storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} + size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }} + +nubusPortalServer: + additionalAnnotations: + intents.otterize.com/service-name: "ums-portal-server" + serviceAccount: + annotations: + intended.usage: "compliance" + replicaCount: {{ .Values.replicas.umsPortalServer }} + resources: + {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }} + +nubusLdapNotifier: + podAnnotations: + intents.otterize.com/service-name: "ums-ldap-notifier" + replicaCount: {{ .Values.replicas.umsLdapNotifier }} + resources: + {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }} + +nubusLdapServer: + additionalAnnotations: + intents.otterize.com/service-name: "ums-ldap-server" + serviceAccount: + annotations: + intended.usage: "compliance" + initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} + resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} + persistence: + storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} + size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }} + extraVolumes: + - name: "opendesk-schemas" + configMap: + name: "{{ .Release.Name }}-stack-data-swp-schemas" + extraVolumeMounts: + - name: "opendesk-schemas" + mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema" + subPath: 
"opendeskFileshare.schema" + - name: "opendesk-schemas" + mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema" + subPath: "opendeskKnowledgemanagement.schema" + - name: "opendesk-schemas" + mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema" + subPath: "opendeskLearnmanagement.schema" + - name: "opendesk-schemas" + mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema" + subPath: "opendeskLivecollaboration.schema" + - name: "opendesk-schemas" + mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema" + subPath: "opendeskProjectmanagement.schema" + +nubusPortalFrontend: + additionalAnnotations: + intents.otterize.com/service-name: "ums-portal-frontend" + serviceAccount: + annotations: + intended.usage: "compliance" + replicaCount: {{ .Values.replicas.umsPortalFrontend }} + resources: + {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }} + extraVolumes: + - name: "opendesk-branding" + configMap: + name: "ums-stack-data-swp-branding" + extraVolumeMounts: + - name: "opendesk-branding" + mountPath: "/var/www/html/favicon.ico" + subPath: "favicon.ico" + - name: "opendesk-branding" + mountPath: "/var/www/html/css/custom.css" + subPath: "custom.css" + - name: "opendesk-branding" + mountPath: "/var/www/html/icons/logo.svg" + subPath: "logo.svg" + - name: "opendesk-branding" + mountPath: "/var/www/html/icons/logo_small_border.svg" + subPath: "logo_small_border.svg" + - name: "opendesk-branding" + mountPath: "/var/www/html/custom/portal_background_image.png" + subPath: "portal_background_image.png" + - name: "opendesk-branding" + mountPath: "/var/www/html/custom/portal_background_image.svg" + subPath: "portal_background_image.svg" + +nubusStackDataUms: + additionalAnnotations: + intents.otterize.com/service-name: "ums-stack-data-ums" + resources: + {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }} + 
+nubusStackDataSwp: + additionalAnnotations: + intents.otterize.com/service-name: "ums-stack-data-swp" + resources: + {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }} + +nubusSelfServiceListener: + podAnnotations: + intents.otterize.com/service-name: "ums-selfservice-listener" + resources: + {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }} + replicaCount: {{ .Values.replicas.umsSelfserviceListener }} + +nubusUdmRestApi: + additionalAnnotations: + intents.otterize.com/service-name: "ums-udm-rest-api" + serviceAccount: + annotations: + intended.usage: "compliance" + resources: + {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }} + initResources: + {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }} + replicaCount: {{ .Values.replicas.umsUdmRestApi }} + extraVolumes: + - name: "attribute-to-group-mapper-hook" + configMap: + name: "ums-stack-data-swp-attribute-to-group-mapper-hook" + extraVolumeMounts: + - name: "attribute-to-group-mapper-hook" + mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" + subPath: "AttributeToGroupMapper.py" + - name: "attribute-to-group-mapper-hook" + mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" + subPath: "flag_to_group_mapping.json" + +nubusUmcGateway: + replicaCount: {{ .Values.replicas.umsUmcGateway }} + resources: + {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }} + extraVolumes: + - name: "entrypoint-swp-patches" + configMap: + name: "ums-stack-data-swp-umc-gateway-entrypoint" + defaultMode: 0555 + - name: "announcements-customization" + configMap: + name: "ums-stack-data-swp-umc-server-announcements" + defaultMode: 0444 + extraVolumeMounts: + - name: "entrypoint-swp-patches" + mountPath: "/entrypoint.d/90-swp.sh" + subPath: "90-swp.sh" + - name: "announcements-customization" + mountPath: + "/usr/share/univention-management-console-frontend/js/dijit/themes\ + 
/umc/icons/16x16/udm-portals-announcement.png"
+ subPath: "udm-portals-announcement.png"
+
+nubusKeycloakBootstrap:
+ podAnnotations:
+ intents.otterize.com/service-name: "ums-keycloak-bootstrap"
+ serviceAccount:
+ annotations:
+ intended.usage: "compliance"
+ resources:
+ {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
+
+nubusProvisioning:
+ serviceAccount:
+ annotations:
+ intended.usage: "compliance"
+ nats:
+ resources:
+ {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-provisioning-nats"
+ serviceAccount:
+ annotations:
+ intended.usage: "compliance"
+ api:
+ resources:
+ {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-provisioning-api"
+ dispatcher:
+ resources:
+ {{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-provisioning-dispatcher"
+ prefill:
+ resources:
+ {{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-provisioning-prefill"
+ registerConsumers:
+ resources:
+ {{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-provisioning-register-consumers"
+ udmTransformer:
+ resources:
+ {{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
+ additionalAnnotations:
+ intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
new file mode 100644
index 00000000..6fee28f6
--- /dev/null
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
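Review bot: The `guardian.managementUi.resources` line near the top of values-opendesk-customization.yaml.gotmpl ends with a stray `#` glued to the template expression, `{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#`. If the rendered block has no trailing newline, that `#` lands directly after the last resource value with no space before it, so YAML reads it as part of the scalar rather than as a comment and the quantity is malformed; if it does have one, the `#` is merely a stray comment marker — either way it looks accidental and should go: `{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}`. Separately, `guardian.openPolicyAgent` uses the service name `"ums-ums-open-policy-agent"`, which reads like a doubled prefix next to every other `ums-*` intent name in the file — presumably `"ums-open-policy-agent"`, unless intents elsewhere already reference the doubled form.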
@@ -0,0 +1,625 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + domain: "{{ .Values.global.domain }}" + hosts: + {{ .Values.global.hosts | toYaml | nindent 4 }} + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + +image: + registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }} + repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }} + tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + +cleanup: + deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} + keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }} + +config: + keycloak: + adminUser: "kcadmin" + adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} + realm: {{ .Values.platform.realm | quote }} + intraCluster: + enabled: true + internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" + twoFactorSettings: + additionalGroups: {{ .Values.authentication.twoFactor.groups }} + custom: + clientScopes: + - name: "read_contacts" + protocol: "openid-connect" + - name: "write_contacts" + protocol: "openid-connect" + - name: "opendesk" + protocol: "openid-connect" + protocolMappers: + - name: "opendesk_useruuid" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "opendesk_useruuid" + jsonType.label: "String" + - name: "opendesk_username" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + 
access.token.claim: true + claim.name: "opendesk_username" + jsonType.label: "String" + clients: + - name: "opendesk-dovecot" + clientId: "opendesk-dovecot" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }} + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: false + defaultClientScopes: + - "opendesk" + - name: "opendesk-intercom" + clientId: "opendesk-intercom" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback" + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.revoke.offline.tokens: true + backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout" + protocolMappers: + - name: "intercom-audience" + protocol: "openid-connect" + protocolMapper: "oidc-audience-mapper" + consentRequired: false + config: + included.client.audience: "opendesk-intercom" + id.token.claim: false + access.token.claim: true + # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set + # it to `opendesk_useruuid` standard claim. 
For reference: + # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89 + - name: "entryuuid_temp" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "entryUUID" + id.token.claim: true + access.token.claim: true + claim.name: "entryuuid" + jsonType.label: "String" + # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot + # set it to `opendesk_username` standard claim. For reference: + # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27 + - name: "phoenixusername_temp" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "uid" + id.token.claim: true + access.token.claim: true + claim.name: "phoenixusername" + jsonType.label: "String" + defaultClientScopes: + - "opendesk" + - "offline_access" + - name: "opendesk-jitsi" + clientId: "opendesk-jitsi" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + redirectUris: + - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: true + fullScopeAllowed: true + authorizationServicesEnabled: false + defaultClientScopes: + - "opendesk" + - "profile" + - name: "opendesk-matrix" + clientId: "opendesk-matrix" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + 
standardFlowEnabled: true + directAccessGrantsEnabled: true + serviceAccountsEnabled: true + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + defaultClientScopes: + - "opendesk" + optionalClientScopes: + - "email" + - "profile" + # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that + # is solved and also is able to use "opendesk-matrix" we keep that dummy client that + - name: "matrix" + clientId: "matrix" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + standardFlowEnabled: true + directAccessGrantsEnabled: true + consentRequired: false + frontchannelLogout: false + publicClient: false + authorizationServicesEnabled: false + attributes: + post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + - name: "opendesk-nextcloud" + clientId: "opendesk-nextcloud" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: 
false + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + protocolMappers: + - name: "context" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + userinfo.token.claim: true + user.attribute: "oxContextIDNum" + id.token.claim: true + access.token.claim: true + claim.name: "context" + jsonType.label: "String" + defaultClientScopes: + - "opendesk" + - "email" + - "read_contacts" + - "write_contacts" + - name: "opendesk-openproject" + clientId: "opendesk-openproject" + protocol: "openid-connect" + clientAuthenticatorType: "client-secret" + secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }} + redirectUris: + - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*" + - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + consentRequired: false + frontchannelLogout: false + publicClient: false + serviceAccountsEnabled: true + authorizationServicesEnabled: false + attributes: + backchannel.logout.session.required: true + backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout" + post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" + protocolMappers: + - name: "opendeskProjectmanagementAdmin" + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-attribute-mapper" + consentRequired: false + config: + 
userinfo.token.claim: true
+ user.attribute: "opendeskProjectmanagementAdmin"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "openproject_admin"
+ jsonType.label: "String"
+ defaultClientScopes:
+ - "opendesk"
+ - "email"
+ - "profile"
+ - name: "opendesk-oxappsuite"
+ clientId: "opendesk-oxappsuite"
+ protocol: "openid-connect"
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+ consentRequired: false
+ frontchannelLogout: false
+ publicClient: false
+ authorizationServicesEnabled: false
+ attributes:
+ backchannel.logout.session.required: true
+ backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+ post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+ protocolMappers:
+ - name: "context"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "oxContextIDNum"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "context"
+ jsonType.label: "String"
+ defaultClientScopes:
+ - "opendesk"
+ - "read_contacts"
+ - "write_contacts"
+ - name: "opendesk-xwiki"
+ clientId: "opendesk-xwiki"
+ protocol: "openid-connect"
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+ consentRequired: false
+ frontchannelLogout: false
+ publicClient: false
+ authorizationServicesEnabled: false
+ attributes:
+ backchannel.logout.session.required: false
+ backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
+ post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+ defaultClientScopes:
+ - "opendesk"
+ - "address"
+ - "email"
+ - "profile"
+ - name: "guardian-management-api"
+ clientId: "guardian-management-api"
+ rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ protocol: "openid-connect"
+ publicClient: false
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+ fullScopeAllowed: true
+ standardFlowEnabled: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: false
+ serviceAccountsEnabled: true
+ protocolMappers:
+ - name: "Client Host"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "clientHost"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "clientHost"
+ jsonType.label: "String"
+ - name: "Client ID"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "client_id"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "client_id"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ userinfo.token.claim: false
+ id.token.claim: false
+ access.token.claim: true
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian-cli"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "Client IP Address"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usersessionmodel-note-mapper"
+ consentRequired: false
+ config:
+ user.session.note: "clientAddress"
+ userinfo.token.claim: true
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "clientAddress"
+ jsonType.label: "String"
+ - name: "guardian-scripts"
+ clientId: "guardian-scripts"
+ description: ""
+ rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ surrogateAuthRequired: false
+ enabled: true
+ alwaysDisplayInConsole: false
+ clientAuthenticatorType: "client-secret"
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+ webOrigins:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ bearerOnly: false
+ consentRequired: false
+ standardFlowEnabled: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: true
+ serviceAccountsEnabled: false
+ publicClient: true
+ frontchannelLogout: false
+ protocol: "openid-connect"
+ fullScopeAllowed: true
+ protocolMappers:
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: false
+ access.token.claim: true
+ userinfo.token.claim: false
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian-scripts"
+ id.token.claim: true
+ access.token.claim: true
+ userinfo.token.claim: true
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ aggregate.attrs: false
+ multivalued: false
+ userinfo.token.claim: false
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ defaultClientScopes:
+ - "opendesk"
+ - "web-origins"
+ - "acr"
+ - "roles"
+ - "profile"
+ - "email"
+ optionalClientScopes:
+ - "address"
+ - "phone"
+ - "offline_access"
+ - "microprofile-jwt"
+ - name: "guardian-ui"
+ clientId: "guardian-ui"
+ rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+ clientAuthenticatorType: "client-secret"
+ redirectUris:
+ - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+ standardFlowEnabled: true
+ publicClient: true
+ implicitFlowEnabled: false
+ directAccessGrantsEnabled: false
+ serviceAccountsEnabled: false
+ protocol: "openid-connect"
+ fullScopeAllowed: true
+ protocolMappers:
+ - name: "uid"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "uid"
+ jsonType.label: "String"
+ - name: "username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "username"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "preferred_username"
+ jsonType.label: "String"
+ - name: "dn"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: "false"
+ user.attribute: "LDAP_ENTRY_DN"
+ id.token.claim: false
+ access.token.claim: true
+ claim.name: "dn"
+ jsonType.label: "String"
+ - name: "audiencemap"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: true
+ access.token.claim: true
+ userinfo.token.claim: true
+ - name: "email"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-property-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "email"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "email"
+ jsonType.label: "String"
+ - name: "guardian-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "guardian"
+ id.token.claim: false
+ access.token.claim: true
+ userinfo.token.claim: false
+
+
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ privileged: false
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
+
+podAnnotations:
+ intents.otterize.com/service-name: "ums-keycloak-bootstrap"
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+ fsGroupChangePolicy: "OnRootMismatch"
+
+resources:
+ {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
+
+...
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index f2418651..3bd93751 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -242,6 +242,18 @@ charts:
name: "nginx"
version: "15.9.3"
verify: true
+ nubus:
+ # providerCategory: "Supplier"
+ # providerResponsible: "Univention"
+ # upstreamRegistry: "https://artifacts.software-univention.de"
+ # upstreamRepository: "nubus/charts/nubus"
+ # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+ # upstreamMirrorStartFrom: ["0", "12", "0"]
+ registry: "artifacts.software-univention.de"
+ repository: "nubus/charts"
+ name: "nubus"
+ version: "0.19.3"
+ verify: true
opendeskKeycloakBootstrap:
# providerCategory: "Platform"
# providerResponsible: "openDesk"
@@ -304,7 +316,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize"
- version: "2.0.1"
+ version: "2.1.0"
verify: true
oxConnector:
# providerCategory: "Supplier"
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index 48bb54a7..628f04db 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -218,6 +218,49 @@ resources:
requests:
cpu: 0.1
memory: "512Mi"
+ nubusProvisioning:
+ nats:
+ limits:
+ cpu: 288
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "128Mi"
+ dispatcher:
+ limits:
+ cpu: 1
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ registerConsumers:
+ limits:
+ cpu: 1
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ udmTransformer:
+ limits:
+ cpu: 1
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ prefill:
+ limits:
+ cpu: 1
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ api:
+ limits:
+ cpu: 1
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "100Mi"
openproject:
limits:
cpu: 99
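Review bot: The nats entry under `nubusProvisioning` sets `cpu: 288` as its limit while every sibling component in the same hunk uses `cpu: 1` and its own request is `cpu: 0.1`; a limit that far above the request (and above the core count of typical nodes) gives the scheduler no useful bound, so a runaway process can consume the whole node before anything throttles it. If the value is deliberate, which the existing `cpu: 99` for openproject below suggests is possible, a comment next to it such as `# intentionally uncapped: NATS is the provisioning message bus` would stop the next reader from treating it as a typo; otherwise it should be brought in line with the other entries.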
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 60f73130..59a1c597 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -73,7 +73,7 @@ secrets:
openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
keycloak:
- adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
+ adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "keycloak-admin" | sha1sum | quote }}
clientSecret:
dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }}
intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
diff --git a/helmfile_generic.yaml b/helmfile_generic.yaml
index 68276085..0a3d6535 100644
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -11,9 +11,7 @@ helmfiles:
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/default/*.gotmpl"
- {{ toYaml .Values | nindent 8 }}
- - path: "helmfile/apps/services/helmfile-child.yaml"
- values: *values
- - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
+ - path: "helmfile/apps/nubus/helmfile-child.yaml"
values: *values
- path: "helmfile/apps/intercom-service/helmfile-child.yaml"
values: *values
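Review bot: Changing the derivePassword inputs for `adminPassword` from `"keycloak" "adminPassword"` to `"nubus" "keycloak-admin"` produces a different admin password for every environment that keeps its existing MASTER_PASSWORD, so an upgraded deployment will present Keycloak a credential it does not yet know unless something re-applies the admin password from this value during the upgrade; that migration step, or a statement that only fresh installs are supported, should be documented next to the key, e.g. `# derivation inputs changed with the nubus migration; existing installs must rotate the Keycloak admin password to the new value`. The `default "sovereign-workplace"` fallback is carried over unchanged, so a deployment without MASTER_PASSWORD still ends up with an admin password that can be recomputed from this committed template; that is pre-existing, but the rotation is a natural moment to make the variable mandatory.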
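Review bot: The `helmfile/apps/services/helmfile-child.yaml` entry is removed together with the univention-management-stack one, but only the latter gets a replacement (`helmfile/apps/nubus/helmfile-child.yaml`); whether the releases from the services child helmfile are now provided by the nubus chart is not visible in this hunk, and a comment on the new entry such as `# replaces the former services and univention-management-stack child helmfiles` would make that explicit. helmfile does not uninstall releases whose definitions simply disappear from the list, so on clusters deployed from the previous revision the releases of both removed child helmfiles stay installed but unmanaged until they are removed explicitly (for example by keeping their definitions with `installed: false` for one release cycle).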