sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(univention-management-stack): Apply styling

Browse Source
This commit is contained in:
Johannes Bornhold
2023-11-24 00:28:22 +01:00
parent c246edd8f9
commit b3d45c45e1
25 changed files with 357 additions and 319 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -24,7 +24,7 @@ job:
- username: "matrix_user"
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
databases:
- name: "keycloak"
user: "keycloak_user"

4
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -32,6 +32,7 @@ releases:
version: "15.3.5"
values:
- "values-ums-stack-gateway.gotmpl"
- "values-ums-stack-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
# renovate:
@@ -105,6 +106,7 @@ releases:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-ums.gotmpl"
- "values-stack-data-ums.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
# renovate:
@@ -134,6 +136,7 @@ releases:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-server.gotmpl"
- "values-portal-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
# renovate:
@@ -178,6 +181,7 @@ releases:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
- "values-portal-frontend.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
# renovate:

10
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -4,15 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
...

13
helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -6,5 +6,18 @@ global:
configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null
ingress:
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
istio:
enabled: false
...

19
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
---
ldapServer:
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
waitForSamlMetadata: true
# TODO: Certificates handling
# caCert: ""
# certPem: ""
# privateKey: ""
# dhParam: ""
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
@@ -26,12 +18,11 @@ image:
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #199
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}

3
helmfile/apps/univention-management-stack/values-ldap-server.yaml
View File

@@ -2,6 +2,9 @@
# SPDX-License-Identifier: Apache-2.0
---
ldapServer:
waitForSamlMetadata: true
service:
type: "ClusterIP"

10
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
View File

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
postgresql:
bundled: false
connection:
host: "postgresql"
port: 5432
host: {{ .Values.databases.notificationsApi.host | quote }}
port: {{ .Values.databases.notificationsApi.port | quote }}
auth:
username: "notificationsapi_user"
database: "notificationsapi"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
username: {{ .Values.databases.notificationsApi.username | quote }}
database: {{ .Values.databases.notificationsApi.name | quote }}
password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
image:
registry: {{ .Values.global.imageRegistry }}

65
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
View File

@@ -14,76 +14,11 @@ image:
{{- end }}
extraIngresses:
redirects:
# Using "stack-gateway" currently.
enabled: false
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
# Using "stack-gateway" currently.
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# See "extraVolumeMounts" below
custom-favicon:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.org/mergeable-ingress-type: "minion"
paths:
- pathType: Exact
path: /favicon.ico
tls: {}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: Prefix
path: /univention/portal/icons/
- pathType: Prefix
path: /univention/portal/custom/
tls: {}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
...

73
helmfile/apps/univention-management-stack/values-portal-frontend.yaml Normal file
View File

@@ -0,0 +1,73 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraIngresses:
redirects:
# Using "stack-gateway" currently.
enabled: false
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
# Using "stack-gateway" currently.
enabled: false
# See "extraVolumeMounts" below
custom-favicon:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.org/mergeable-ingress-type: "minion"
paths:
- pathType: "Exact"
path: "/favicon.ico"
tls: {}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: "Prefix"
path: "/univention/portal/icons/"
- pathType: "Prefix"
path: "/univention/portal/custom/"
tls: {}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
...

18
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
View File

@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
portalListener:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
environment: "staging"
debugLevel: "4"
adminGroup: "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}"
assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHost: "{{ .Values.ldap.host }}"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: "cn=admin,{{ .Values.ldap.baseDn }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,{{ .Values.ldap.baseDn }}"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
tlsMode: "off"
image:
registry: {{ .Values.global.imageRegistry | quote }}
@@ -37,10 +32,9 @@ image:
waitForDependency:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: "Always"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #200
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}

8
helmfile/apps/univention-management-stack/values-portal-listener.yaml
View File

@@ -2,6 +2,14 @@
# SPDX-License-Identifier: Apache-2.0
---
portalListener:
debugLevel: "4"
tlsMode: "off"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
store-dav:
bundled: false

9
helmfile/apps/univention-management-stack/values-portal-server.gotmpl
View File

@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
authMode: "saml"
environment: "staging"
editable: "false"
logLevel: "DEBUG"
adminGroup: "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation:
enabled: true
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
image:

14
helmfile/apps/univention-management-stack/values-portal-server.yaml Normal file
View File

@@ -0,0 +1,14 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalServer:
authMode: "saml"
editable: "false"
logLevel: "DEBUG"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation:
enabled: true
...

10
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
View File

@@ -8,14 +8,14 @@ stackDataSwp:
stackDataContext:
ldapSearchUsers:
{{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $k | quote }}
password: {{ $v | quote }}
{{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: {{ "LDAP-Search-User" }}
{{- end }}
externalDomainName: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
externalDomainName: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"

22
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
View File

@@ -4,32 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataUms:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
domainname: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ldapHost: "{{ .Values.ldap.host }}"
ldapBase: "dc=swp-ldap,dc=internal"
domainname: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: {{ .Values.ldap.baseDn | quote }}
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
ldapHostDn: "cn=admin,{{ .Values.ldap.baseDn }}"
idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
idpSamlMetadataUrlInternal: null
umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
umcSamlSchemes: "https"
idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}

15
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml Normal file
View File

@@ -0,0 +1,15 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataUms:
loadDevData: true
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
...

2
helmfile/apps/univention-management-stack/values-store-dav.gotmpl
View File

@@ -21,7 +21,6 @@ image:
configHtpasswd:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
pullPolicy: "Always"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
pullSecrets:
@@ -29,7 +28,6 @@ image:
- name: {{ . | quote }}
{{- end }}
# TODO: Pending upstream support, #201
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}

7
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
View File

@@ -7,12 +7,7 @@ udmRestApi:
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
# TODO: Stub value currently
caCert: ""
# TODO: This should not be part of the udm-rest-api anymore
loadJoinData:
enabled: true
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}

4
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml
View File

@@ -1,6 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
udmRestApi:
# TODO: Stub value currently
caCert: ""
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:

4
helmfile/apps/univention-management-stack/values-umc-gateway.yaml
View File

@@ -16,6 +16,8 @@ extraVolumeMounts:
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
- name: "announcements-customization"
mountPath: "/usr/share/univention-management-console-frontend/js/dijit/themes/umc/icons/16x16/udm-portals-announcement.png"
mountPath:
"/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
...

178
helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
View File

@@ -3,182 +3,10 @@
---
ingress:
enabled: true
enabled: {{ .Values.ingress.enabled }}
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls: false
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
extraTls:
- hosts:
- "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
service:
type: "ClusterIP"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
## portal-frontend
# The frontend does not own "/univention/portal", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
proxy_set_header X-Forwarded-Host $host;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
}
secretName: {{ .Values.ingress.tls.secretName | quote }}

177
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml Normal file
View File

@@ -0,0 +1,177 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
tls: false
service:
type: "ClusterIP"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
## portal-frontend
# The frontend does not own "/univention/portal", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
proxy_set_header X-Forwarded-Host $host;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
}
...

1
helmfile/environments/default/_helper.gotmpl
View File

@@ -7,4 +7,5 @@ SPDX-License-Identifier: Apache-2.0
ldap:
host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
baseDn: "dc=swp-ldap,dc=internal"
...

6
helmfile/environments/default/database.yaml
View File

@@ -19,6 +19,12 @@ databases:
host: "mariadb"
username: "nextcloud_user"
password: ""
notificationsApi:
name: "notificationsapi"
host: "postgresql"
port: 5432
username: "notificationsapi_user"
password: ""
openproject:
name: "openproject"
host: "postgresql"

2
helmfile/environments/default/secrets.gotmpl
View File

@@ -38,7 +38,7 @@ secrets:
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
mariadb:
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}