From b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e Mon Sep 17 00:00:00 2001 From: Johannes Bornhold Date: Fri, 24 Nov 2023 00:28:22 +0100 Subject: [PATCH] fix(univention-management-stack): Apply styling --- .../apps/services/values-postgresql.gotmpl | 2 +- .../univention-management-stack/helmfile.yaml | 4 + .../values-common.gotmpl | 10 +- .../values-common.yaml | 13 ++ .../values-ldap-server.gotmpl | 19 +- .../values-ldap-server.yaml | 3 + .../values-notifications-api.gotmpl | 10 +- .../values-portal-frontend.gotmpl | 65 ------- .../values-portal-frontend.yaml | 73 +++++++ .../values-portal-listener.gotmpl | 18 +- .../values-portal-listener.yaml | 8 + .../values-portal-server.gotmpl | 9 +- .../values-portal-server.yaml | 14 ++ .../values-stack-data-swp.gotmpl | 10 +- .../values-stack-data-ums.gotmpl | 22 +-- .../values-stack-data-ums.yaml | 15 ++ .../values-store-dav.gotmpl | 2 - .../values-udm-rest-api.gotmpl | 7 +- .../values-udm-rest-api.yaml | 4 + .../values-umc-gateway.yaml | 4 +- .../values-ums-stack-gateway.gotmpl | 178 +----------------- .../values-ums-stack-gateway.yaml | 177 +++++++++++++++++ helmfile/environments/default/_helper.gotmpl | 1 + helmfile/environments/default/database.yaml | 6 + helmfile/environments/default/secrets.gotmpl | 2 +- 25 files changed, 357 insertions(+), 319 deletions(-) create mode 100644 helmfile/apps/univention-management-stack/values-portal-frontend.yaml create mode 100644 helmfile/apps/univention-management-stack/values-portal-server.yaml create mode 100644 helmfile/apps/univention-management-stack/values-stack-data-ums.yaml create mode 100644 helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml diff --git a/helmfile/apps/services/values-postgresql.gotmpl b/helmfile/apps/services/values-postgresql.gotmpl index bee72cae..44e0d105 100644 --- a/helmfile/apps/services/values-postgresql.gotmpl +++ b/helmfile/apps/services/values-postgresql.gotmpl 
@@ -24,7 +24,7 @@ job: - username: "matrix_user" password: {{ .Values.secrets.postgresql.matrixUser | quote }} - username: "notificationsapi_user" - password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }} + password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }} databases: - name: "keycloak" user: "keycloak_user" diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml index 932c1ff1..1972c04c 100644 --- a/helmfile/apps/univention-management-stack/helmfile.yaml +++ b/helmfile/apps/univention-management-stack/helmfile.yaml @@ -32,6 +32,7 @@ releases: version: "15.3.5" values: - "values-ums-stack-gateway.gotmpl" + - "values-ums-stack-gateway.yaml" installed: {{ .Values.univentionManagementStack.enabled }} # renovate: @@ -105,6 +106,7 @@ releases: - "values-common.gotmpl" - "values-common.yaml" - "values-stack-data-ums.gotmpl" + - "values-stack-data-ums.yaml" installed: {{ .Values.univentionManagementStack.enabled }} # renovate: @@ -134,6 +136,7 @@ releases: - "values-common.gotmpl" - "values-common.yaml" - "values-portal-server.gotmpl" + - "values-portal-server.yaml" installed: {{ .Values.univentionManagementStack.enabled }} # renovate: @@ -178,6 +181,7 @@ releases: - "values-common.gotmpl" - "values-common.yaml" - "values-portal-frontend.gotmpl" + - "values-portal-frontend.yaml" installed: {{ .Values.univentionManagementStack.enabled }} # renovate: diff --git a/helmfile/apps/univention-management-stack/values-common.gotmpl b/helmfile/apps/univention-management-stack/values-common.gotmpl index f6abadf8..652b07c0 100644 --- a/helmfile/apps/univention-management-stack/values-common.gotmpl +++ b/helmfile/apps/univention-management-stack/values-common.gotmpl 
@@ -4,15 +4,7 @@ SPDX-License-Identifier: Apache-2.0 */}} --- ingress: - # Intentionally not using the Ingress configuration of the UMS stack at the - # moment, since it does depend on rewriting capabilities of the ingress - # controller. Those are encapsulated into the release "stack-gateway" so that - # the compatibility with all ingress controllers is increased. - enabled: false host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - tls: - # The TLS configuration is on the "master" Ingress, see "portal-frontend" - enabled: false - secretName: "" + ... diff --git a/helmfile/apps/univention-management-stack/values-common.yaml b/helmfile/apps/univention-management-stack/values-common.yaml index af6ca953..e5edfe91 100644 --- a/helmfile/apps/univention-management-stack/values-common.yaml +++ b/helmfile/apps/univention-management-stack/values-common.yaml @@ -6,5 +6,18 @@ global: configMapUcr: "ums-stack-data-swp-ucr" configMapUcrForced: null +ingress: + # Intentionally not using the Ingress configuration of the UMS stack at the + # moment, since it does depend on rewriting capabilities of the ingress + # controller. Those are encapsulated into the release "stack-gateway" so that + # the compatibility with all ingress controllers is increased. + enabled: false + tls: + # The TLS configuration is on the "master" Ingress, see "portal-frontend" + enabled: false + secretName: "" + istio: enabled: false + +... diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl index d3f5b95a..36bdf8f2 100644 --- a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl 
@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0 --- ldapServer: ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - ldapBaseDn: "dc=swp-ldap,dc=internal" - - waitForSamlMetadata: true - - # TODO: Certificates handling - # caCert: "" - # certPem: "" - # privateKey: "" - # dhParam: "" + ldapBaseDn: {{ .Values.ldap.baseDn | quote }} image: registry: {{ .Values.global.imageRegistry | quote }} @@ -26,12 +18,11 @@ image: {{- end }} waitForDependency: - registry: "{{ .Values.global.imageRegistry }}" - repository: "{{ .Values.images.umsWaitForDependency.repository }}" - imagePullPolicy: "Always" - tag: "{{ .Values.images.umsWaitForDependency.tag }}" + registry: {{ .Values.global.imageRegistry | quote }} + repository: {{ .Values.images.umsWaitForDependency.repository | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + tag: {{ .Values.images.umsWaitForDependency.tag | quote }} -# TODO: Pending upstream support, #199 persistence: data: storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.yaml b/helmfile/apps/univention-management-stack/values-ldap-server.yaml index dae6f674..32b731c6 100644 --- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml +++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml @@ -2,6 +2,9 @@ # SPDX-License-Identifier: Apache-2.0 --- +ldapServer: + waitForSamlMetadata: true + service: type: "ClusterIP" diff --git a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl b/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl index ede53cd3..4b49590a 100644 --- a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl +++ b/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl 
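Review bot: The removed `# TODO: Certificates handling` block (caCert, certPem, privateKey, dhParam) was the only record that the ldap-server TLS material is still unconfigured, and nothing in this commit carries that reminder over to values-ldap-server.yaml or sets those keys, so the gap becomes invisible to the next reviewer of the LDAP release. Keep a one-line marker next to the new `waitForSamlMetadata: true` in values-ldap-server.yaml, e.g. `# TODO: caCert / certPem / privateKey / dhParam are still unset`, or record the tracking issue there. The second hunk's switch of `waitForDependency.imagePullPolicy` from the fixed `"Always"` to `.Values.global.imagePullPolicy` matches the other releases, but with tag-based image references a non-`Always` global policy lets a cached image shadow a re-pushed tag; that is a deployment-wide setting to keep in view rather than a defect in this hunk.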
@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0 postgresql: bundled: false connection: - host: "postgresql" - port: 5432 + host: {{ .Values.databases.notificationsApi.host | quote }} + port: {{ .Values.databases.notificationsApi.port | quote }} auth: - username: "notificationsapi_user" - database: "notificationsapi" - password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }} + username: {{ .Values.databases.notificationsApi.username | quote }} + database: {{ .Values.databases.notificationsApi.name | quote }} + password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }} image: registry: {{ .Values.global.imageRegistry }} diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl index 79780505..eaaaf47e 100644 --- a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl 
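Review bot: `port: {{ .Values.databases.notificationsApi.port | quote }}` turns what was the integer `5432` into the string `"5432"`; whether the chart accepts that depends on where the value lands (an env var is fine, a Service or probe port is not), so check it against the chart's schema or drop the filter — `port: {{ .Values.databases.notificationsApi.port }}` keeps the previous type. The `default` fallback on `password` treats an empty string the same as an unset key, so an environment that deliberately sets `databases.notificationsApi.password: ""` silently falls back to the bundled PostgreSQL secret; presumably that is the intended behaviour for the bundled database, but a comment on the line would make it explicit. The `databases.notificationsApi` keys appear to be defined in `helmfile/environments/default/database.yaml` per the diffstat, which is outside this view.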
@@ -14,76 +14,11 @@ image: {{- end }} extraIngresses: - redirects: - # Using "stack-gateway" currently. - enabled: false - # The TLS configuration is on the "master" Ingress, see below. - tls: - enabled: false master: - # Using "stack-gateway" currently. - enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} - # See "extraVolumeMounts" below - custom-favicon: - # Using "stack-gateway" at the moment - enabled: false - annotations: - nginx.org/mergeable-ingress-type: "minion" - paths: - - pathType: Exact - path: /favicon.ico - tls: {} - - # See "extraVolumeMounts" below - custom-branding: - # Using "stack-gateway" at the moment - enabled: false - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - rewrite ^/univention/portal(/.*)$ $1 break; - nginx.org/location-snippets: | - rewrite ^/univention/portal(/.*)$ $1 break; - nginx.org/mergeable-ingress-type: "minion" - paths: - # This relies on the correct implementation of the matching for paths of - # type "Prefix" since "/univention/portal/icons/entries/" is owned by - # store-dav. 
- # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches - - pathType: Prefix - path: /univention/portal/icons/ - - pathType: Prefix - path: /univention/portal/custom/ - tls: {} - -extraVolumes: - - name: "opendesk-branding" - configMap: - name: "ums-stack-data-swp-branding" - -extraVolumeMounts: - - name: "opendesk-branding" - mountPath: "/var/www/html/favicon.ico" - subPath: "favicon.ico" - - name: "opendesk-branding" - mountPath: "/var/www/html/css/custom.css" - subPath: "custom.css" - - name: "opendesk-branding" - mountPath: "/var/www/html/icons/logo.svg" - subPath: "logo.svg" - - name: "opendesk-branding" - mountPath: "/var/www/html/icons/logo_small_border.svg" - subPath: "logo_small_border.svg" - - name: "opendesk-branding" - mountPath: "/var/www/html/custom/portal_background_image.png" - subPath: "portal_background_image.png" - - name: "opendesk-branding" - mountPath: "/var/www/html/custom/portal_background_image.svg" - subPath: "portal_background_image.svg" - resources: {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }} ... diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml new file mode 100644 index 00000000..e309bcf0 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml 
@@ -0,0 +1,73 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- + +extraIngresses: + redirects: + # Using "stack-gateway" currently. + enabled: false + # The TLS configuration is on the "master" Ingress, see below. + tls: + enabled: false + master: + # Using "stack-gateway" currently. + enabled: false + + # See "extraVolumeMounts" below + custom-favicon: + # Using "stack-gateway" at the moment + enabled: false + annotations: + nginx.org/mergeable-ingress-type: "minion" + paths: + - pathType: "Exact" + path: "/favicon.ico" + tls: {} + + # See "extraVolumeMounts" below + custom-branding: + # Using "stack-gateway" at the moment + enabled: false + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: | + rewrite ^/univention/portal(/.*)$ $1 break; + nginx.org/location-snippets: | + rewrite ^/univention/portal(/.*)$ $1 break; + nginx.org/mergeable-ingress-type: "minion" + paths: + # This relies on the correct implementation of the matching for paths of + # type "Prefix" since "/univention/portal/icons/entries/" is owned by + # store-dav. 
+ # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches + - pathType: "Prefix" + path: "/univention/portal/icons/" + - pathType: "Prefix" + path: "/univention/portal/custom/" + tls: {} + +extraVolumes: + - name: "opendesk-branding" + configMap: + name: "ums-stack-data-swp-branding" + +extraVolumeMounts: + - name: "opendesk-branding" + mountPath: "/var/www/html/favicon.ico" + subPath: "favicon.ico" + - name: "opendesk-branding" + mountPath: "/var/www/html/css/custom.css" + subPath: "custom.css" + - name: "opendesk-branding" + mountPath: "/var/www/html/icons/logo.svg" + subPath: "logo.svg" + - name: "opendesk-branding" + mountPath: "/var/www/html/icons/logo_small_border.svg" + subPath: "logo_small_border.svg" + - name: "opendesk-branding" + mountPath: "/var/www/html/custom/portal_background_image.png" + subPath: "portal_background_image.png" + - name: "opendesk-branding" + mountPath: "/var/www/html/custom/portal_background_image.svg" + subPath: "portal_background_image.svg" + +... diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl index f903aebb..4f77b688 100644 --- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl 
@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0 */}} --- portalListener: - adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal" - environment: "staging" - debugLevel: "4" + adminGroup: "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}" assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/" ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/" - umcGetUrl: "http://ums-umc-server/get" - umcSessionUrl: "http://ums-umc-server/get/session-info" - ldapBaseDn: "dc=swp-ldap,dc=internal" - ldapHost: "{{ .Values.ldap.host }}" - ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal" + ldapBaseDn: {{ .Values.ldap.baseDn | quote }} + ldapHost: {{ .Values.ldap.host | quote }} + ldapHostDn: "cn=admin,{{ .Values.ldap.baseDn }}" ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} notifierServer: {{ .Values.ldap.notifierHost | quote }} - portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal" + portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,{{ .Values.ldap.baseDn }}" udmApiUrl: "http://ums-udm-rest-api/udm/" udmApiUsername: "cn=admin" - tlsMode: "off" image: registry: {{ .Values.global.imageRegistry | quote }} @@ -37,10 +32,9 @@ image: waitForDependency: registry: {{ .Values.global.imageRegistry | quote }} repository: {{ .Values.images.umsWaitForDependency.repository | quote }} - imagePullPolicy: "Always" + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.umsWaitForDependency.tag | quote }} -# TODO: Pending upstream support, #200 persistence: storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }} 
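Review bot: `environment: "staging"` is removed here and again in the values-portal-server.gotmpl hunk, but neither values-portal-listener.yaml nor values-portal-server.yaml re-adds it, so both releases now fall back to whatever the chart's default is (unlike `debugLevel`, `tlsMode`, `umcGetUrl` and `umcSessionUrl`, which this commit does move into the static files). If that is intentional the commit message should say so; if not, add `environment: "staging"` (or the intended value) to the new `portalListener:` and `portalServer:` blocks. The composed DNs (`adminGroup`, `ldapHostDn`, `portalDefaultDn`) interpolate `.Values.ldap.baseDn` inside a double-quoted scalar, so a base DN containing `"` or `\` would break the rendered YAML; `ldapBaseDn` uses `| quote`, which is the safer form, and the composed ones can get it via `printf`, e.g. `adminGroup: {{ printf "cn=Domain Admins,cn=groups,%s" .Values.ldap.baseDn | quote }}`.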
diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.yaml b/helmfile/apps/univention-management-stack/values-portal-listener.yaml index 6b0d060d..13a737be 100644 --- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml +++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml @@ -2,6 +2,14 @@ # SPDX-License-Identifier: Apache-2.0 --- +portalListener: + debugLevel: "4" + tlsMode: "off" + udmApiUrl: "http://ums-udm-rest-api/udm/" + udmApiUsername: "cn=admin" + umcGetUrl: "http://ums-umc-server/get" + umcSessionUrl: "http://ums-umc-server/get/session-info" + store-dav: bundled: false diff --git a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl b/helmfile/apps/univention-management-stack/values-portal-server.gotmpl index e1f0abd1..e03c89b6 100644 --- a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-server.gotmpl @@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0 */}} --- portalServer: - adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal" - authMode: "saml" - environment: "staging" - editable: "false" - logLevel: "DEBUG" + adminGroup: "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}" ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data" - umcGetUrl: "http://ums-umc-server/get" - umcSessionUrl: "http://ums-umc-server/get/session-info" centralNavigation: - enabled: true authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }} image: diff --git a/helmfile/apps/univention-management-stack/values-portal-server.yaml b/helmfile/apps/univention-management-stack/values-portal-server.yaml new file mode 100644 index 00000000..0699d1a7 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml 
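Review bot: `debugLevel: "4"` now lives in a static values file that applies to every environment of this release, and values-portal-server.yaml does the same with `logLevel: "DEBUG"`; in the gotmpl files these at least sat next to the environment-specific values. Verbose logging in the components that hold the LDAP bind secret and perform UMC session lookups is a data-exposure risk in production, so either move the two keys back to environment-specific values or add a comment such as `# Verbose logging; override per environment before production use.` above each. The `udmApiUrl` / `udmApiUsername` pair added here duplicates the unchanged context lines of the values-portal-listener.gotmpl hunk with the same values — keep them in one file so the two copies cannot drift.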
@@ -0,0 +1,14 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- + +portalServer: + authMode: "saml" + editable: "false" + logLevel: "DEBUG" + umcGetUrl: "http://ums-umc-server/get" + umcSessionUrl: "http://ums-umc-server/get/session-info" + centralNavigation: + enabled: true + +... diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl index c6122dbb..b3417ebe 100644 --- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl +++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl @@ -8,14 +8,14 @@ stackDataSwp: stackDataContext: ldapSearchUsers: - {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }} - - username: {{ printf "ldapsearch_%s" $k | quote }} - password: {{ $v | quote }} + {{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }} + - username: {{ printf "ldapsearch_%s" $username | quote }} + password: {{ $password | quote }} lastname: {{ "LDAP-Search-User" }} {{- end }} - externalDomainName: "{{ .Values.global.domain }}" - externalMailDomain: "{{ .Values.global.domain }}" + externalDomainName: {{ .Values.global.domain | quote }} + externalMailDomain: {{ .Values.global.domain | quote }} portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl index 7eccbcd9..29f9f6db 100644 --- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl +++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl 
@@ -4,32 +4,24 @@ SPDX-License-Identifier: Apache-2.0 */}} --- stackDataUms: - udmApiUser: "cn=admin" udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - udmApiUrl: "http://ums-udm-rest-api/udm/" - loadDevData: true stackDataContext: - domainname: "{{ .Values.global.domain }}" - externalMailDomain: "{{ .Values.global.domain }}" - hostname: "{{ .Values.global.hosts.univentionManagementStack }}" - ldapHost: "{{ .Values.ldap.host }}" - ldapBase: "dc=swp-ldap,dc=internal" + domainname: {{ .Values.global.domain | quote }} + externalMailDomain: {{ .Values.global.domain | quote }} + hostname: {{ .Values.global.hosts.univentionManagementStack | quote }} + ldapHost: {{ .Values.ldap.host | quote }} + ldapBase: {{ .Values.ldap.baseDn | quote }} # TODO: This should not be required, the machine account is not there # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal - ldapHostDn: cn=admin,dc=swp-ldap,dc=internal + ldapHostDn: "cn=admin,{{ .Values.ldap.baseDn }}" idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor" - idpSamlMetadataUrlInternal: null umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - umcSamlSchemes: "https" idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata" - initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}" - - # The SWP configuration brings its own UMC policies. - installUmcPolicies: false + initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }} image: registry: {{ .Values.global.imageRegistry | quote }} 
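Review bot: The context comment `# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal` still carries the hard-coded base DN that the line below now derives from `.Values.ldap.baseDn`, so the example is wrong for any deployment that changes the base DN. Update it to `# ldapHostDn: "cn=stub-value,cn=dc,cn=computers,{{ .Values.ldap.baseDn }}"` so it stays consistent with the replacement line. Switching `initialPasswordAdministrator` to `| quote` is the right fix — the old `"{{ … }}"` form produced invalid YAML for a password containing a double quote, and the `ldapBase` / `ldapHost` lines now follow the same pattern.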
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml new file mode 100644 index 00000000..10393802 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml @@ -0,0 +1,15 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +stackDataUms: + loadDevData: true + udmApiUrl: "http://ums-udm-rest-api/udm/" + udmApiUser: "cn=admin" + +stackDataContext: + idpSamlMetadataUrlInternal: null + umcSamlSchemes: "https" + # The openDesk configuration brings its own UMC policies. + installUmcPolicies: false + +... diff --git a/helmfile/apps/univention-management-stack/values-store-dav.gotmpl b/helmfile/apps/univention-management-stack/values-store-dav.gotmpl index cbb649a8..387905d2 100644 --- a/helmfile/apps/univention-management-stack/values-store-dav.gotmpl +++ b/helmfile/apps/univention-management-stack/values-store-dav.gotmpl @@ -21,7 +21,6 @@ image: configHtpasswd: registry: {{ .Values.global.imageRegistry | quote }} repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }} - pullPolicy: "Always" pullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }} pullSecrets: @@ -29,7 +28,6 @@ image: - name: {{ . | quote }} {{- end }} -# TODO: Pending upstream support, #201 persistence: storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }} diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl index 523559d4..76da8cfa 100644 --- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl +++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl 
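Review bot: `loadDevData: true` moves from the template into a static values file that applies to every environment of this release, and nothing in the hunk scopes it; presumably it seeds development fixtures, which should not reach a production deployment. Either keep it in an environment-specific values file or document the switch in place with `# Seeds development data; set to false for production deployments.` The store-dav hunk on this line correctly removes the duplicated `pullPolicy: "Always"` key, which most parsers resolved silently by last-wins — no further change needed there.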
@@ -7,12 +7,7 @@ udmRestApi: # TODO: Secret should be entered without b64enc ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }} # TODO: Secret should be entered without b64enc - machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}" - # TODO: Stub value currently - caCert: "" - # TODO: This should not be part of the udm-rest-api anymore - loadJoinData: - enabled: true + machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }} image: registry: {{ .Values.global.imageRegistry | quote }} diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml index e0103a21..5cce5d30 100644 --- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml +++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml @@ -1,6 +1,10 @@ # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- +udmRestApi: + # TODO: Stub value currently + caCert: "" + extraVolumes: - name: "attribute-to-group-mapper-hook" configMap: diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml index 21855969..c07e1a7a 100644 --- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml +++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml @@ -16,6 +16,8 @@ extraVolumeMounts: mountPath: "/entrypoint.d/90-swp.sh" subPath: "90-swp.sh" - name: "announcements-customization" - mountPath: "/usr/share/univention-management-console-frontend/js/dijit/themes/umc/icons/16x16/udm-portals-announcement.png" + mountPath: + "/usr/share/univention-management-console-frontend/js/dijit/themes\ + /umc/icons/16x16/udm-portals-announcement.png" subPath: "udm-portals-announcement.png" ... 
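Review bot: `loadJoinData.enabled: true` is removed together with its TODO and is not re-added in values-udm-rest-api.yaml (that file only gains `caCert: ""`), so the release now silently takes the chart default for join-data loading; if the intent is to stop loading it, say so in the commit message, otherwise add `loadJoinData:` / `  enabled: true` under `udmRestApi:` in the yaml file. `machineSecret` now goes through `b64enc | quote` like `ldapSecret`, which removes the invalid-YAML risk of the old interpolation, but the two `# TODO: Secret should be entered without b64enc` lines remain and would stay actionable with a reference to the upstream issue. The `caCert: ""` stub moved into values-udm-rest-api.yaml means no CA is configured for this component; presumably its LDAP traffic is plaintext in-cluster for now, so that TODO deserves a tracking reference as well.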
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl index 66675e7e..9ac6581d 100644 --- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl 
@@ -3,182 +3,10 @@ --- ingress: - enabled: true + enabled: {{ .Values.ingress.enabled }} hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - ingressClassName: "{{ .Values.ingress.ingressClassName }}" - tls: false + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} extraTls: - hosts: - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - secretName: "{{ .Values.ingress.tls.secretName }}" - -service: - type: "ClusterIP" - -# The content of the "serverBlock" does resemble the Ingress configuration of -# the UMS components. The "location" entries do intentionally reflect precisely -# the respective paths which are configured. -serverBlock: | - server { - listen 8080; - - ## portal-frontend - # The frontend does not own "/univention/portal", only these two bits - location = /univention/portal/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - location = /univention/portal/index.html { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - - # The following prefixes are owned by the frontend - location /univention/portal/css/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/fonts/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/i18n/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/media/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/js/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/oidc/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - - - ## frontend 
redirects - location = / { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention/ { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention/portal { - absolute_redirect off; - return 302 /univention/portal/; - } - - - ## portal-server - location = /univention/portal/portal.json { - proxy_pass http://ums-portal-server:80; - } - location = /univention/portal/navigation.json { - proxy_pass http://ums-portal-server:80; - } - - - ## store-dav - location /univention/portal/icons/entries/ { - rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break; - proxy_pass http://ums-store-dav:80; - } - location /univention/portal/icons/logos/ { - rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break; - proxy_pass http://ums-store-dav:80; - } - - - ## udm-rest-api - location /univention/udm/ { - rewrite ^/univention(/udm/.*)$ $1 break; - proxy_pass http://ums-udm-rest-api:80; - proxy_set_header X-Forwarded-Host $host; - } - - - ## umc-gateway - location = /univention/languages.json { - proxy_pass http://ums-umc-gateway:80; - } - location = /univention/meta.json { - proxy_pass http://ums-umc-gateway:80; - } - location = /univention/theme.css { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/js/ { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/login/ { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/management/ { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/themes/ { - proxy_pass http://ums-umc-gateway:80; - } - - - ## umc-server - location = /univention/auth { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/logout/ { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/saml/ { - rewrite ^/univention(/.*)$ $1 break; - 
proxy_pass http://ums-umc-server:80; - } - location /univention/get/ { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/set/ { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/command/ { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/upload/ { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - - - ## notifications-api - location /univention/portal/notifications-api/ { - rewrite ^/univention/portal/notifications-api(/.*)$ $1 break; - proxy_pass http://ums-notifications-api:80; - } - - ## openDesk branding - location = /favicon.ico { - proxy_pass http://ums-portal-frontend:80/; - } - location /univention/portal/custom/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - location /univention/portal/icons/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - - } + secretName: {{ .Values.ingress.tls.secretName | quote }} diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml new file mode 100644 index 00000000..05d72a94 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml 
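Review bot: `enabled: {{ .Values.ingress.enabled }}` replaces the fixed `true` with an environment value rendered unquoted; if an environment leaves `ingress.enabled` unset the template emits an empty or `<no value>` scalar and the gateway Ingress — now the only public entry point of the stack, since every component Ingress is disabled in values-common.yaml — silently disappears. Fail fast instead, e.g. `enabled: {{ required "ingress.enabled must be set" .Values.ingress.enabled }}` (`required` rejects nil and empty strings but passes a boolean `false` through), or at least add a comment naming the environment file that defines the key. The serverBlock moved to values-ums-stack-gateway.yaml looks unchanged in the part visible here, but that file's hunk runs past the end of this view and is not reviewed.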
@@ -0,0 +1,177 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +ingress: + tls: false + +service: + type: "ClusterIP" + +# The content of the "serverBlock" does resemble the Ingress configuration of +# the UMS components. The "location" entries do intentionally reflect precisely +# the respective paths which are configured. +serverBlock: | + server { + listen 8080; + + ## portal-frontend + # The frontend does not own "/univention/portal", only these two bits + location = /univention/portal/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + location = /univention/portal/index.html { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + + # The following prefixes are owned by the frontend + location /univention/portal/css/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/fonts/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/i18n/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/media/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/js/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + location /univention/portal/oidc/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80; + } + + + ## frontend redirects + location = / { + absolute_redirect off; + return 302 /univention/portal/; + } + location = /univention { + absolute_redirect off; + return 302 /univention/portal/; + } + location = /univention/ { + absolute_redirect off; + return 302 /univention/portal/; + } + location 
= /univention/portal { + absolute_redirect off; + return 302 /univention/portal/; + } + + + ## portal-server + location = /univention/portal/portal.json { + proxy_pass http://ums-portal-server:80; + } + location = /univention/portal/navigation.json { + proxy_pass http://ums-portal-server:80; + } + + + ## store-dav + location /univention/portal/icons/entries/ { + rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break; + proxy_pass http://ums-store-dav:80; + } + location /univention/portal/icons/logos/ { + rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break; + proxy_pass http://ums-store-dav:80; + } + + + ## udm-rest-api + location /univention/udm/ { + rewrite ^/univention(/udm/.*)$ $1 break; + proxy_pass http://ums-udm-rest-api:80; + proxy_set_header X-Forwarded-Host $host; + } + + + ## umc-gateway + location = /univention/languages.json { + proxy_pass http://ums-umc-gateway:80; + } + location = /univention/meta.json { + proxy_pass http://ums-umc-gateway:80; + } + location = /univention/theme.css { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/js/ { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/login/ { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/management/ { + proxy_pass http://ums-umc-gateway:80; + } + location /univention/themes/ { + proxy_pass http://ums-umc-gateway:80; + } + + + ## umc-server + location = /univention/auth { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/logout/ { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/saml/ { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/get/ { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/set/ { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location 
/univention/command/ { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + location /univention/upload/ { + rewrite ^/univention(/.*)$ $1 break; + proxy_pass http://ums-umc-server:80; + } + + + ## notifications-api + location /univention/portal/notifications-api/ { + rewrite ^/univention/portal/notifications-api(/.*)$ $1 break; + proxy_pass http://ums-notifications-api:80; + } + + ## openDesk branding + location = /favicon.ico { + proxy_pass http://ums-portal-frontend:80/; + } + location /univention/portal/custom/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + location /univention/portal/icons/ { + rewrite ^/univention/portal(/.*)$ $1 break; + proxy_pass http://ums-portal-frontend:80/; + } + + } +... diff --git a/helmfile/environments/default/_helper.gotmpl b/helmfile/environments/default/_helper.gotmpl index 4b4f634d..49125d56 100644 --- a/helmfile/environments/default/_helper.gotmpl +++ b/helmfile/environments/default/_helper.gotmpl @@ -7,4 +7,5 @@ SPDX-License-Identifier: Apache-2.0 ldap: host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }} notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }} + baseDn: "dc=swp-ldap,dc=internal" ... diff --git a/helmfile/environments/default/database.yaml b/helmfile/environments/default/database.yaml index 0c3bc0f8..80c00ce0 100644 --- a/helmfile/environments/default/database.yaml +++ b/helmfile/environments/default/database.yaml @@ -19,6 +19,12 @@ databases: host: "mariadb" username: "nextcloud_user" password: "" + notificationsApi: + name: "notificationsapi" + host: "postgresql" + port: 5432 + username: "notificationsapi_user" + password: "" openproject: name: "openproject" host: "postgresql" 
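Review bot: In the `## openDesk branding` section of values-ums-stack-gateway.yaml, `location = /favicon.ico { proxy_pass http://ums-portal-frontend:80/; }` carries no `rewrite ... break`, so the URI part of `proxy_pass` is applied: nginx replaces the matched `/favicon.ico` with `/` and the frontend receives a request for `/` rather than the icon. The neighbouring `custom/` and `icons/` locations are unaffected because a `rewrite` with `break` makes nginx ignore the URI part of `proxy_pass`; dropping the trailing slash, `proxy_pass http://ums-portal-frontend:80;`, keeps the original path. A second, hedged point: every `proxy_pass` replaces `Host` with the upstream service name and only the `/univention/udm/` block compensates with `proxy_set_header X-Forwarded-Host $host;`; if the umc-server handlers behind `/univention/auth`, `/univention/saml/` and `/univention/logout/` build absolute redirect or SAML URLs from `Host`, they would see the internal name, so either add the same header there or a comment stating why it is not needed.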
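Review bot: In helmfile/environments/default/_helper.gotmpl the new `baseDn: "dc=swp-ldap,dc=internal"` is a fixed value, whereas the sibling `host` and `notifierHost` keys switch on `DEPLOY_UCS` between `ums-ldap-server` and `univention-corporate-container`; if the UCS container uses a different base DN, LDAP lookups would silently target the wrong subtree in that mode. Either make it conditional in the same way as the two keys above it, or add a comment such as `# base DN is the same for both DEPLOY_UCS variants` if that is known to hold.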
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl index dd853640..8e2d6c9b 100644 --- a/helmfile/environments/default/secrets.gotmpl +++ b/helmfile/environments/default/secrets.gotmpl @@ -38,7 +38,7 @@ secrets: keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }} matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }} openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }} - notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }} + notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }} mariadb: rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }} xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}