sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat(authentication): Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage.

Browse Source
This commit is contained in:
Thorsten Roßner
2024-07-05 16:32:40 +02:00
parent 1067e725b3
commit b4570a9a87
18 changed files with 617 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
.gitlab-ci.yml
View File

@@ -36,9 +36,11 @@ stages:
- "env-cleanup"
- "env"
- "pre-services-deploy"
- "migrations-pre"
- "basic-services-deploy"
- "component-deploy-stage-1"
- "component-deploy-stage-2"
- "migrations-post"
- "lint"
- "tests"
- "env-stop"
@@ -77,6 +79,12 @@ variables:
options:
- "yes"
- "no"
DEPLOY_MIGRATIONS:
description: "Deploy K8s job for migrations (pre & post)."
value: "no"
options:
- "yes"
- "no"
DEPLOY_SERVICES:
description: "Enable Service deployment."
value: "no"
@@ -208,6 +216,7 @@ env-cleanup:
done
kubectl delete pvc --all --namespace ${NAMESPACE};
kubectl delete jobs --all --namespace ${NAMESPACE};
kubectl delete configmaps --all --namespace ${NAMESPACE};
else
helmfile destroy --namespace ${NAMESPACE};
fi
@@ -250,6 +259,30 @@ policies-deploy:
COMPONENT: "services"
ADDITIONAL_ARGS: "-l name=opendesk-otterize"
migrations-pre:
stage: "migrations-pre"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
when: "on_success"
variables:
COMPONENT: "migrations-pre"
migrations-post:
stage: "migrations-post"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
when: "on_success"
variables:
COMPONENT: "migrations-post"
services-deploy:
stage: "basic-services-deploy"
extends: ".deploy-common"

3
helmfile/apps/element/values-synapse.yaml.gotmpl
View File

@@ -52,6 +52,9 @@ configuration:
clientId: "opendesk-matrix"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
scopes:
- "openid"
- "opendesk-matrix-scope"
turn:
sharedSecret: {{ .Values.turn.credentials | quote }}

31
helmfile/apps/migrations-post/helmfile-child.yaml Normal file
View File

@@ -0,0 +1,31 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
repositories:
# openDesk Migrations
# Source:
- name: "openproject-migrations-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.migrations.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
{{ .Values.charts.migrations.repository }}"
releases:
- name: "opendesk-migrations-post"
chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
version: "{{ .Values.charts.migrations.version }}"
wait: true
waitForJobs: true
values:
- "values.yaml.gotmpl"
- "../../shared/migrations.yaml.gotmpl"
installed: {{ .Values.migrations.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-0"
component: "opendesk-migrations"
...

11
helmfile/apps/migrations-post/helmfile.yaml Normal file
View File

@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
helmfiles:
- path: "./helmfile-child.yaml"
values:
- {{ toYaml .Values | nindent 8 }}
...

8
helmfile/apps/migrations-post/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,8 @@
{{/*
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
migrations:
stage: "POST"
...

31
helmfile/apps/migrations-pre/helmfile-child.yaml Normal file
View File

@@ -0,0 +1,31 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
repositories:
# openDesk Migrations
# Source:
- name: "openproject-migrations-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.migrations.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
{{ .Values.charts.migrations.repository }}"
releases:
- name: "opendesk-migrations-pre"
chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
version: "{{ .Values.charts.migrations.version }}"
wait: true
waitForJobs: true
values:
- "values.yaml.gotmpl"
- "../../shared/migrations.yaml.gotmpl"
installed: {{ .Values.migrations.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-0"
component: "opendesk-migrations"
...

11
helmfile/apps/migrations-pre/helmfile.yaml Normal file
View File

@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
helmfiles:
- path: "./helmfile-child.yaml"
values:
- {{ toYaml .Values | nindent 8 }}
...

8
helmfile/apps/migrations-pre/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,8 @@
{{/*
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
migrations:
stage: "PRE"
...

2
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -132,7 +132,7 @@ openproject:
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
identifier: "opendesk-openproject"
provider: "keycloak"
scope: "[openid,opendesk]"
scope: "[openid,opendesk-openproject-scope]"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"

376
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -31,12 +31,18 @@ config:
twoFactorSettings:
additionalGroups: {{ .Values.authentication.twoFactor.groups }}
custom:
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked
# to LDAP group membership to ensure a user cannot access an application without the required
# group membership.
# ToDo:
# - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
clientScopes:
- name: "read_contacts"
protocol: "openid-connect"
- name: "write_contacts"
protocol: "openid-connect"
- name: "opendesk"
- name: "opendesk-openproject-scope"
description: "Scope for the claims required by openDesk's OpenProject instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
@@ -61,6 +67,306 @@ config:
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "given name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "firstName"
id.token.claim: true
access.token.claim: true
claim.name: "given_name"
jsonType.label: "String"
- name: "family name"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "lastName"
id.token.claim: true
access.token.claim: true
claim.name: "family_name"
jsonType.label: "String"
- name: "opendesk-jitsi-scope"
description: "Scope for the claims required by openDesk's Jitsi instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-nextcloud-scope"
description: "Scope for the claims required by openDesk's Nextcloud instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk-matrix-scope"
description: "Scope for the claims required by openDesk's Matrix instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-xwiki-scope"
description: "Scope for the claims required by openDesk's XWiki instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "full name"
protocol: "openid-connect"
protocolMapper: "oidc-full-name-mapper"
consentRequired: false
config:
id.token.claim: true
introspection.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
introspection.token.claim: true
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "opendesk-dovecot-scope"
description: "Scope for the claims required by openDesk's Dovecot instance."
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
- name: "opendesk-oxappsuite-scope"
description: "Scope for the claims required by openDesk's OX Appuite instance."
protocol: "openid-connect"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients:
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
@@ -74,7 +380,7 @@ config:
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk"
- "opendesk-dovecot-scope"
- name: "opendesk-intercom"
clientId: "opendesk-intercom"
protocol: "openid-connect"
@@ -128,7 +434,6 @@ config:
claim.name: "phoenixusername"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "offline_access"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
@@ -142,8 +447,7 @@ config:
fullScopeAllowed: true
authorizationServicesEnabled: false
defaultClientScopes:
- "opendesk"
- "profile"
- "opendesk-jitsi-scope"
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
@@ -165,12 +469,9 @@ config:
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
optionalClientScopes:
- "email"
- "profile"
# This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
# is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- "opendesk-matrix-scope"
# The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
# Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- name: "matrix"
clientId: "matrix"
protocol: "openid-connect"
@@ -183,6 +484,8 @@ config:
authorizationServicesEnabled: false
attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes: []
optionalClientScopes: []
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
@@ -199,21 +502,8 @@ config:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "opendesk-nextcloud-scope"
- "read_contacts"
- "write_contacts"
- name: "opendesk-openproject"
@@ -233,22 +523,8 @@ config:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "profile"
- "opendesk-openproject-scope"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
@@ -265,20 +541,8 @@ config:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "opendesk-oxappsuite-scope"
- "read_contacts"
- "write_contacts"
- name: "opendesk-xwiki"
@@ -298,10 +562,7 @@ config:
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
- "address"
- "email"
- "profile"
- "opendesk-xwiki-scope"
- name: "guardian-management-api"
clientId: "guardian-management-api"
rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -594,7 +855,6 @@ config:
access.token.claim: true
userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:

2
helmfile/apps/xwiki/values.yaml.gotmpl
View File

@@ -72,7 +72,7 @@ customConfigs:
oidc.endpoint.userinfo.method: "GET"
oidc.logoutMechanism: "rpInitiated"
oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
oidc.scope: "openid,profile,email,address,opendesk"
oidc.scope: "openid,opendesk-xwiki-scope"
oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
oidc.skipped: false
oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"

12
helmfile/environments/default/charts.yaml
View File

@@ -192,6 +192,16 @@ charts:
name: "memcached"
version: "6.7.1"
verify: true
migrations:
# providerCategory: "Platform"
# providerResponsible: "openDesk"
# upstreamRegistry: "https://registry.opencode.de"
# upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
name: "opendesk-migrations"
version: "1.0.1"
verify: true
minio:
# providerCategory: "Community"
# providerResponsible: "openDesk"
@@ -240,7 +250,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
name: "opendesk-keycloak-bootstrap"
version: "1.1.0"
version: "2.1.0"
verify: true
openproject:
# providerCategory: "Supplier"

10
helmfile/environments/default/images.yaml
View File

@@ -198,6 +198,14 @@ images:
registry: "registry-1.docker.io"
repository: "bitnami/memcached"
tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
migrations:
# providerCategory: "Platform"
# providerResponsible: "openDesk"
# upstreamRegistry: "https://registry.opencode.de"
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
milter:
# providerCategory: "Community"
# providerResponsible: "openDesk"
@@ -253,7 +261,7 @@ images:
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
tag: "1.1.0@sha256:20e885e2f2cb19e4b45adfdd6f1622ea888fe26621a0a3ace12c074497ac04aa"
openproject:
# providerCategory: "Supplier"
# providerResponsible: "OpenProject"

1
helmfile/environments/default/selinux.yaml
View File

@@ -30,6 +30,7 @@ seLinuxOptions:
matrixNeoDateFixWidget: ~
matrixUserVerificationService: ~
memcached: ~
migrations: ~
milter: ~
minio: ~
nextcloudApache2: ~

76
helmfile/environments/default/workplace.gotmpl Normal file
View File

@@ -0,0 +1,76 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
#
# Note: Currently only single namespace deployments are supported.
---
certificates:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
clamavDistributed:
enabled: false
namespace: {{ env "NAMESPACE" | quote }}
clamavSimple:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
collabora:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
cryptpad:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
dovecot:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
element:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
home:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
intercom:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
jitsi:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
mariadb:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
memcached:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
migrations:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
minio:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
nextcloud:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
openproject:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
oxAppsuite:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
oxConnector:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
postfix:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
postgresql:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
redis:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
univentionManagementStack:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
xwiki:
enabled: true
namespace: {{ env "NAMESPACE" | quote }}
...

49
helmfile/environments/default/workplace.yaml
View File

@@ -1,49 +0,0 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
certificates:
enabled: true
clamavDistributed:
enabled: false
clamavSimple:
enabled: true
collabora:
enabled: true
cryptpad:
enabled: true
dovecot:
enabled: true
element:
enabled: true
home:
enabled: true
intercom:
enabled: true
jitsi:
enabled: true
mariadb:
enabled: true
memcached:
enabled: true
minio:
enabled: true
nextcloud:
enabled: true
openproject:
enabled: true
oxAppsuite:
enabled: true
oxConnector:
enabled: true
postfix:
enabled: true
postgresql:
enabled: true
redis:
enabled: true
univentionManagementStack:
enabled: true
xwiki:
enabled: true
...

59
helmfile/shared/migrations.yaml.gotmpl Normal file
View File

@@ -0,0 +1,59 @@
{{/*
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
migrations:
runId: 1
currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
namespace: {{ .Values.migrations.namespace | quote }}
loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
failOnUnexpectedState: true
credentials:
keycloakAdminUsername: "kcadmin"
keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
urls:
keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
repository: {{ .Values.images.migrations.repository | quote }}
tag: {{ .Values.images.migrations.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
...

6
helmfile_generic.yaml
View File

@@ -6,11 +6,13 @@
#
helmfiles:
# Path to the helmfile state file being processed BEFORE releases in this state file
- path: "helmfile/apps/services/helmfile-child.yaml"
- path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
values: &values
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/default/*.gotmpl"
- {{ toYaml .Values | nindent 8 }}
- path: "helmfile/apps/services/helmfile-child.yaml"
values: *values
- path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
values: *values
- path: "helmfile/apps/intercom-service/helmfile-child.yaml"
@@ -35,5 +37,7 @@ helmfiles:
values: *values
- path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
values: *values
- path: "helmfile/apps/migrations-post/helmfile-child.yaml"
values: *values
missingFileHandler: "Error"
...