fix(univention-management-stack): Apply styling

helmfile/apps/services/values-postgresql.gotmpl

@@ -24,7 +24,7 @@ job:
     - username: "matrix_user"
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+      password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -32,6 +32,7 @@ releases:
     version: "15.3.5"
     values:
       - "values-ums-stack-gateway.gotmpl"
+      - "values-ums-stack-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
   # renovate:
@@ -105,6 +106,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-ums.gotmpl"
+      - "values-stack-data-ums.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
   # renovate:
@@ -134,6 +136,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-server.gotmpl"
+      - "values-portal-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
   # renovate:
@@ -178,6 +181,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
+      - "values-portal-frontend.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
   # renovate:

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -4,15 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ingress:
-  # Intentionally not using the Ingress configuration of the UMS stack at the
-  # moment, since it does depend on rewriting capabilities of the ingress
-  # controller. Those are encapsulated into the release "stack-gateway" so that
-  # the compatibility with all ingress controllers is increased.
-  enabled: false
   host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
+
-    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
-    enabled: false
-    secretName: ""
 ...

helmfile/apps/univention-management-stack/values-common.yaml

@@ -6,5 +6,18 @@ global:
   configMapUcr: "ums-stack-data-swp-ucr"
   configMapUcrForced: null
 
+ingress:
+  # Intentionally not using the Ingress configuration of the UMS stack at the
+  # moment, since it does depend on rewriting capabilities of the ingress
+  # controller. Those are encapsulated into the release "stack-gateway" so that
+  # the compatibility with all ingress controllers is increased.
+  enabled: false
+  tls:
+    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
+    enabled: false
+    secretName: ""
+
 istio:
   enabled: false
+
+...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 ldapServer:
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-  waitForSamlMetadata: true
-
-  # TODO: Certificates handling
-  # caCert: ""
-  # certPem: ""
-  # privateKey: ""
-  # dhParam: ""
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
@@ -26,12 +18,11 @@ image:
     {{- end }}
 
   waitForDependency:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
-# TODO: Pending upstream support, #199
 persistence:
   data:
     storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/univention-management-stack/values-ldap-server.yaml

@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
+ldapServer:
+  waitForSamlMetadata: true
+
 service:
   type: "ClusterIP"
 

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
 postgresql:
   bundled: false
   connection:
-    host: "postgresql"
+    host: {{ .Values.databases.notificationsApi.host | quote }}
-    port: 5432
+    port: {{ .Values.databases.notificationsApi.port | quote }}
   auth:
-    username: "notificationsapi_user"
+    username: {{ .Values.databases.notificationsApi.username | quote }}
-    database: "notificationsapi"
+    database: {{ .Values.databases.notificationsApi.name | quote }}
-    password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+    password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry }}

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -14,76 +14,11 @@ image:
     {{- end }}
 
 extraIngresses:
-  redirects:
-    # Using "stack-gateway" currently.
-    enabled: false
-    # The TLS configuration is on the "master" Ingress, see below.
-    tls:
-      enabled: false
   master:
-    # Using "stack-gateway" currently.
-    enabled: false
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-  # See "extraVolumeMounts" below
-  custom-favicon:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      - pathType: Exact
-        path: /favicon.ico
-    tls: {}
-
-  # See "extraVolumeMounts" below
-  custom-branding:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.ingress.kubernetes.io/configuration-snippet: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/location-snippets: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      # This relies on the correct implementation of the matching for paths of
-      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
-      # store-dav.
-      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
-      - pathType: Prefix
-        path: /univention/portal/icons/
-      - pathType: Prefix
-        path: /univention/portal/custom/
-    tls: {}
-
-extraVolumes:
-  - name: "opendesk-branding"
-    configMap:
-      name: "ums-stack-data-swp-branding"
-
-extraVolumeMounts:
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/favicon.ico"
-    subPath: "favicon.ico"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/css/custom.css"
-    subPath: "custom.css"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/icons/logo.svg"
-    subPath: "logo.svg"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/icons/logo_small_border.svg"
-    subPath: "logo_small_border.svg"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/custom/portal_background_image.png"
-    subPath: "portal_background_image.png"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/custom/portal_background_image.svg"
-    subPath: "portal_background_image.svg"
-
 resources:
   {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
 ...

helmfile/apps/univention-management-stack/values-portal-frontend.yaml

@@ -0,0 +1,73 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+extraIngresses:
+  redirects:
+    # Using "stack-gateway" currently.
+    enabled: false
+    # The TLS configuration is on the "master" Ingress, see below.
+    tls:
+      enabled: false
+  master:
+    # Using "stack-gateway" currently.
+    enabled: false
+
+  # See "extraVolumeMounts" below
+  custom-favicon:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      - pathType: "Exact"
+        path: "/favicon.ico"
+    tls: {}
+
+  # See "extraVolumeMounts" below
+  custom-branding:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/location-snippets: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      # This relies on the correct implementation of the matching for paths of
+      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
+      # store-dav.
+      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
+      - pathType: "Prefix"
+        path: "/univention/portal/icons/"
+      - pathType: "Prefix"
+        path: "/univention/portal/custom/"
+    tls: {}
+
+extraVolumes:
+  - name: "opendesk-branding"
+    configMap:
+      name: "ums-stack-data-swp-branding"
+
+extraVolumeMounts:
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/favicon.ico"
+    subPath: "favicon.ico"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/css/custom.css"
+    subPath: "custom.css"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/icons/logo.svg"
+    subPath: "logo.svg"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/icons/logo_small_border.svg"
+    subPath: "logo_small_border.svg"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/custom/portal_background_image.png"
+    subPath: "portal_background_image.png"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/custom/portal_background_image.svg"
+    subPath: "portal_background_image.svg"
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalListener:
-  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  adminGroup: "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}"
-  environment: "staging"
-  debugLevel: "4"
   assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
   ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
 
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: "{{ .Values.ldap.host }}"
+  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,{{ .Values.ldap.baseDn }}"
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
+  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,{{ .Values.ldap.baseDn }}"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"
 
-  tlsMode: "off"
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
@@ -37,10 +32,9 @@ image:
   waitForDependency:
     registry: {{ .Values.global.imageRegistry | quote }}
     repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
-# TODO: Pending upstream support, #200
 persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}

helmfile/apps/univention-management-stack/values-portal-listener.yaml

@@ -2,6 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
+portalListener:
+  debugLevel: "4"
+  tlsMode: "off"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
 store-dav:
   bundled: false
 

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalServer:
-  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  adminGroup: "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}"
-  authMode: "saml"
-  environment: "staging"
-  editable: "false"
-  logLevel: "DEBUG"
   ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
   centralNavigation:
-    enabled: true
     authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
 
 image:

helmfile/apps/univention-management-stack/values-portal-server.yaml

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+portalServer:
+  authMode: "saml"
+  editable: "false"
+  logLevel: "DEBUG"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  centralNavigation:
+    enabled: true
+
+...

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -8,14 +8,14 @@ stackDataSwp:
 
 stackDataContext:
   ldapSearchUsers:
-    {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    {{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }}
-    - username: {{ printf "ldapsearch_%s" $k | quote }}
+    - username: {{ printf "ldapsearch_%s" $username | quote }}
-      password: {{ $v | quote }}
+      password: {{ $password | quote }}
       lastname: {{ "LDAP-Search-User" }}
     {{- end }}
 
-  externalDomainName: "{{ .Values.global.domain }}"
+  externalDomainName: {{ .Values.global.domain | quote }}
-  externalMailDomain: "{{ .Values.global.domain }}"
+  externalMailDomain: {{ .Values.global.domain | quote }}
 
   portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -4,32 +4,24 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataUms:
-  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
 
 stackDataContext:
-  domainname: "{{ .Values.global.domain }}"
+  domainname: {{ .Values.global.domain | quote }}
-  externalMailDomain: "{{ .Values.global.domain }}"
+  externalMailDomain: {{ .Values.global.domain | quote }}
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
-  ldapHost: "{{ .Values.ldap.host }}"
+  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapBase: "dc=swp-ldap,dc=internal"
+  ldapBase: {{ .Values.ldap.baseDn | quote }}
   # TODO: This should not be required, the machine account is not there
   # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+  ldapHostDn: "cn=admin,{{ .Values.ldap.baseDn }}"
 
   idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
-  idpSamlMetadataUrlInternal: null
   umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  umcSamlSchemes: "https"
   idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
 
-  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
-
-  # The SWP configuration brings its own UMC policies.
-  installUmcPolicies: false
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+stackDataUms:
+  loadDevData: true
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUser: "cn=admin"
+
+stackDataContext:
+  idpSamlMetadataUrlInternal: null
+  umcSamlSchemes: "https"
+  # The openDesk configuration brings its own UMC policies.
+  installUmcPolicies: false
+
+...

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -21,7 +21,6 @@ image:
   configHtpasswd:
     registry: {{ .Values.global.imageRegistry | quote }}
     repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
-    pullPolicy: "Always"
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
     pullSecrets:
@@ -29,7 +28,6 @@ image:
       - name: {{ . | quote }}
       {{- end }}
 
-# TODO: Pending upstream support, #201
 persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -7,12 +7,7 @@ udmRestApi:
   # TODO: Secret should be entered without b64enc
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Stub value currently
-  caCert: ""
-  # TODO: This should not be part of the udm-rest-api anymore
-  loadJoinData:
-    enabled: true
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml

@@ -1,6 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+udmRestApi:
+  # TODO: Stub value currently
+  caCert: ""
+
 extraVolumes:
   - name: "attribute-to-group-mapper-hook"
     configMap:

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -16,6 +16,8 @@ extraVolumeMounts:
     mountPath: "/entrypoint.d/90-swp.sh"
     subPath: "90-swp.sh"
   - name: "announcements-customization"
-    mountPath: "/usr/share/univention-management-console-frontend/js/dijit/themes/umc/icons/16x16/udm-portals-announcement.png"
+    mountPath:
+      "/usr/share/univention-management-console-frontend/js/dijit/themes\
+      /umc/icons/16x16/udm-portals-announcement.png"
     subPath: "udm-portals-announcement.png"
 ...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -3,182 +3,10 @@
 ---
 
 ingress:
-  enabled: true
+  enabled: {{ .Values.ingress.enabled }}
   hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls: false
   extraTls:
     - hosts:
         - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-      secretName: "{{ .Values.ingress.tls.secretName }}"
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-service:
-  type: "ClusterIP"
-
-# The content of the "serverBlock" does resemble the Ingress configuration of
-# the UMS components. The "location" entries do intentionally reflect precisely
-# the respective paths which are configured.
-serverBlock: |
-  server {
-    listen 8080;
-
-    ## portal-frontend
-    # The frontend does not own "/univention/portal", only these two bits
-    location = /univention/portal/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/portal/index.html {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    # The following prefixes are owned by the frontend
-    location /univention/portal/css/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/fonts/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/i18n/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/media/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/js/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/oidc/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-
-
-    ## frontend redirects
-    location = / {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/ {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/portal {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-
-
-    ## portal-server
-    location = /univention/portal/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/portal/navigation.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-
-
-    ## store-dav
-    location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
-    }
-    location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
-    }
-
-
-    ## udm-rest-api
-    location /univention/udm/ {
-      rewrite ^/univention(/udm/.*)$ $1 break;
-      proxy_pass http://ums-udm-rest-api:80;
-      proxy_set_header X-Forwarded-Host $host;
-    }
-
-
-    ## umc-gateway
-    location = /univention/languages.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/meta.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/theme.css {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/js/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/login/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/management/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/themes/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-
-
-    ## umc-server
-    location = /univention/auth {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/logout/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/saml/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/get/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/set/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/command/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/upload/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-
-
-    ## notifications-api
-    location /univention/portal/notifications-api/ {
-      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
-      proxy_pass http://ums-notifications-api:80;
-    }
-
-    ## openDesk branding
-    location = /favicon.ico {
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location /univention/portal/custom/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location /univention/portal/icons/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-  }

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml

@@ -0,0 +1,177 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  tls: false
+
+service:
+  type: "ClusterIP"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+    location = / {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/ {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+      proxy_set_header X-Forwarded-Host $host;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+    ## openDesk branding
+    location = /favicon.ico {
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location /univention/portal/custom/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location /univention/portal/icons/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+  }
+...

helmfile/environments/default/_helper.gotmpl

@@ -7,4 +7,5 @@ SPDX-License-Identifier: Apache-2.0
 ldap:
   host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
   notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
+  baseDn: "dc=swp-ldap,dc=internal"
 ...

helmfile/environments/default/database.yaml

@@ -19,6 +19,12 @@ databases:
     host: "mariadb"
     username: "nextcloud_user"
     password: ""
+  notificationsApi:
+    name: "notificationsapi"
+    host: "postgresql"
+    port: 5432
+    username: "notificationsapi_user"
+    password: ""
   openproject:
     name: "openproject"
     host: "postgresql"

helmfile/environments/default/secrets.gotmpl

@@ -38,7 +38,7 @@ secrets:
     keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
     matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
     openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
-    notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+    notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
   mariadb:
     rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
     xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}