diff --git a/.gitignore b/.gitignore
index c3606772..44f71f2d 100755
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 .vscode
 .idea
+.yamllint
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml
diff --git a/COMPONENTS-SERVICE.md b/COMPONENTS-SERVICE.md
index 6cc37936..a7b909b4 100644
--- a/COMPONENTS-SERVICE.md
+++ b/COMPONENTS-SERVICE.md
@@ -60,3 +60,6 @@ This service is used by
 - Open-Xchange
 ## Objectstore
 - MinIO
+
+This services is used by:
+- OpenProject (attachment storage)
diff --git a/README.md b/README.md
index f8407efa..0fe99302 100644
--- a/README.md
+++ b/README.md
@@ -224,6 +224,7 @@ subdirectory `/helmfile/apps/services`.
 | Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
 | MariaDB | `mariadb.enabled` | `true` | Database | Eval |
 | Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
+| MinIO | `minio.enabled` | `true` | Object Storage | Eval |
 | Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
 | OpenProject | `openproject.enabled` | `true` | Project management | Functional |
 | OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
diff --git a/helmfile/apps/openproject/values.gotmpl b/helmfile/apps/openproject/values.gotmpl
index 326552be..b1ac50b6 100644
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -42,7 +42,7 @@ openproject:
 host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
 # Will only be set on initial seed / installation
 admin_user:
- name: "OpenProject Interal Admin"
+ name: "OpenProject Internal Admin"
 mail: "openproject-admin@swp-domain.internal"
 password_reset: "false"
 password: {{ .Values.secrets.openproject.adminPassword | quote }}
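Review bot: Ignoring `.yamllint` keeps the YAML lint configuration out of version control, so nobody reviewing the two new values files can see which rules they were written against and a CI run cannot share the same rule set as local runs. If the file is a project configuration, commit it instead of ignoring it; if it is meant as a personal override, a comment on the new line such as `# personal yamllint overrides; not the project config` would record that.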
@@ -75,10 +75,9 @@ environment:
 OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
 # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
 OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
-
-persistence:
- size: {{ .Values.persistence.size.openproject | quote }}
- storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
+ OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+ OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+ OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
 replicaCount: {{ .Values.replicas.openproject }}
diff --git a/helmfile/apps/openproject/values.yaml b/helmfile/apps/openproject/values.yaml
index ddffdf6b..f717f803 100644
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -37,8 +37,10 @@ securityContext:
 readOnlyRootFilesystem: false
 persistence:
- accessModes:
- - "ReadWriteMany"
+ enabled: false
+
+s3:
+ enabled: true
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -71,5 +73,10 @@ environment:
 "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
 OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
 OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
-
+ # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
+ OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
+ OPENPROJECT_FOG_DIRECTORY: "openproject"
+ OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
+ OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
+ OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
 ...
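Review bot: `OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY` is injected through the chart's plain `environment` map; if the chart renders that map into a ConfigMap rather than a Secret (verify in the chart templates), the MinIO credential becomes readable by anyone with ConfigMap access and shows up unredacted in `helm get values`. The existing `OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD` line has the same exposure, so moving both to whatever secret-backed mechanism the chart offers would be the consistent fix. `OPENPROJECT_FOG_CREDENTIALS_ENDPOINT` also points at the public API ingress host, so attachment traffic between two in-cluster services leaves through the ingress and depends on the ingress certificate covering `minioApi`; a comment such as `# Uses the public API ingress; the in-cluster service would avoid the round trip but is plain HTTP` would record that trade-off. The `environment:` mapping this hunk edits starts before the hunk.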
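Review bot: `persistence.enabled: false` drops the RWX attachment volume without any migration step, so attachments already stored on that PVC in an existing deployment become unreachable once `OPENPROJECT_ATTACHMENTS__STORAGE` switches to `"fog"`, and the orphaned PVC is not removed by Helm. A note next to `persistence:` such as `# Attachments are stored in MinIO (see environment.OPENPROJECT_FOG_*); copy existing local attachments before upgrading` would make the upgrade path explicit. `s3.enabled: true` presumably enables chart-side S3 wiring as well — check that it does not render its own `OPENPROJECT_FOG_*` variables that conflict with the ones set under `environment`.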
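Review bot: `OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"` repeats the literal that `values-minio.gotmpl` uses for the provisioned `username`, while the matching password is read from `.Values.secrets.minio.openprojectUser` in `values.gotmpl`; renaming the MinIO user in one file silently breaks authentication in the other, and `OPENPROJECT_FOG_DIRECTORY: "openproject"` has the same coupling to the bucket name in `values-minio.yaml`. Defining the user and bucket names once in the environment values (an illustrative key such as `minio.users.openproject`, referenced from both gotmpl files) removes the drift risk; if they stay hard-coded, a comment `# Must match provisioning.users[].username in services/values-minio.gotmpl` on this line is the minimum. The `environment:` mapping continues above the hunk.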
diff --git a/helmfile/apps/services/helmfile.yaml b/helmfile/apps/services/helmfile.yaml
index 2de61d8e..0b3ab1a1 100644
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -137,6 +137,13 @@ releases:
 - "values-istio-gateway.yaml"
 - "values-istio-gateway.gotmpl"
 installed: {{ .Values.istio.enabled }}
+ - name: "minio"
+ chart: "bitnami-repo/minio"
+ version: "12.8.19"
+ values:
+ - "values-minio.yaml"
+ - "values-minio.gotmpl"
+ installed: {{ .Values.minio.enabled }}
 commonLabels:
 deploy-stage: "services"
diff --git a/helmfile/apps/services/values-minio.gotmpl b/helmfile/apps/services/values-minio.gotmpl
new file mode 100644
index 00000000..56b952e2
--- /dev/null
+++ b/helmfile/apps/services/values-minio.gotmpl
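Review bot: The new release is gated on `{{ .Values.minio.enabled }}` independently of OpenProject, yet this same commit makes OpenProject keep every attachment in MinIO (`s3.enabled: true`, `OPENPROJECT_ATTACHMENTS__STORAGE: "fog"`), so an environment with `minio.enabled: false` and `openproject.enabled: true` deploys an OpenProject that cannot accept uploads. A comment on the release such as `# Required by openproject (attachment storage); do not disable while openproject is enabled`, or a `needs:` entry on the openproject release if this helmfile uses that pattern elsewhere, would make the dependency visible. The same applies to the `minio.enabled` toggle added in `helmfile/environments/default/workplace.yaml`. The `releases:` list continues before and after the hunk.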
@@ -0,0 +1,80 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+ registry: "{{ .Values.global.imageRegistry }}"
+ imagePullSecrets:
+ {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+ registry: "{{ .Values.global.imageRegistry }}"
+ repository: "{{ .Values.images.minio.repository }}"
+ tag: "{{ .Values.images.minio.tag }}"
+ pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+auth:
+ rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+
+statefulset:
+ replicaCount: {{ .Values.replicas.minioDistributed }}
+
+resources:
+ {{ .Values.resources.minio | toYaml | nindent 2 }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+ extraTls:
+ - hosts:
+ - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+ secretName: "{{ .Values.ingress.tls.secretName }}"
+
+apiIngress:
+ enabled: {{ .Values.ingress.enabled }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+ extraTls:
+ - hosts:
+ - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+ secretName: "{{ .Values.ingress.tls.secretName }}"
+
+metrics:
+ serviceMonitor:
+ enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+ prometheusRule:
+ enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+
+persistence:
+ storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+ size: "{{ .Values.persistence.size.minio }}"
+
+provisioning:
+ users:
+ - username: "openproject_user"
+ password: {{ .Values.secrets.minio.openprojectUser | quote }}
+ disabled: false
+ policies:
+ - "openproject-bucket-policy"
+ setPolicies: true
+ - username: "openxchange_user"
+ password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+ disabled: false
+ policies:
+ - "openxchange-bucket-policy"
+ setPolicies: true
+ - username: "ums_user"
+ password: {{ .Values.secrets.minio.umsUser | quote }}
+ disabled: false
+ policies:
+ - "ums-bucket-policy"
+ setPolicies: true
+ - username: "nextcloud_user"
+ password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+ disabled: false
+ policies:
+ - "nextcloud-bucket-policy"
+ setPolicies: true
+...
diff --git a/helmfile/apps/services/values-minio.yaml b/helmfile/apps/services/values-minio.yaml
new file mode 100644
index 00000000..7f205aee
--- /dev/null
+++ b/helmfile/apps/services/values-minio.yaml
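Review bot: `statefulset.replicaCount: {{ .Values.replicas.minioDistributed }}` has no effect while `values-minio.yaml` sets `mode: "standalone"`: in the bitnami chart the `statefulset.*` values only apply to distributed mode (standalone runs a single pod), so the `minioDistributed: 4` value added in `helmfile/environments/default/replicas.yaml` is dead configuration that suggests a redundancy the deployment does not have. Either switch `mode` to distributed (which presumably needs one volume per replica, so the `persistence` block would change too) or drop the `statefulset` block and the replicas key, and add `# standalone: single pod, no replication` next to `mode` so the choice is explicit. Separately, the `ingress:` block publishes the MinIO admin console on `minioConsole` under the shared `.Values.ingress.enabled`, protected only by `auth.rootPassword`; if end users do not need the console, gate it on its own toggle so it is not exposed by default wherever application ingress is.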
@@ -0,0 +1,114 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+mode: "standalone"
+
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+
+containerSecurityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ runAsUser: 1000
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+
+ingress:
+ annotations:
+ nginx.org/websocket-services: "minio"
+
+networkPolicy:
+ enabled: false
+
+defaultBuckets: "openproject,openxchange,ums,nextcloud"
+
+provisioning:
+ enabled: true
+ cleanupAfterFinished:
+ enabled: true
+ buckets:
+ - name: "openproject"
+ versioning: true
+ withLock: false
+ - name: "openxchange"
+ versioning: true
+ withLock: false
+ - name: "ums"
+ versioning: true
+ withLock: false
+ - name: "nextcloud"
+ versioning: true
+ withLock: false
+ policies:
+ - name: "openproject-bucket-policy"
+ statements:
+ - resources:
+ - "arn:aws:s3:::openproject"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - resources:
+ - "arn:aws:s3:::openproject/*"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - name: "openxchange-bucket-policy"
+ statements:
+ - resources:
+ - "arn:aws:s3:::openxchange"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - resources:
+ - "arn:aws:s3:::openxchange/*"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - name: "ums-bucket-policy"
+ statements:
+ - resources:
+ - "arn:aws:s3:::ums"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - resources:
+ - "arn:aws:s3:::ums/*"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - name: "nextcloud-bucket-policy"
+ statements:
+ - resources:
+ - "arn:aws:s3:::nextcloud"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+ - resources:
+ - "arn:aws:s3:::nextcloud/*"
+ effect: "Allow"
+ actions:
+ - "s3:*"
+
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+
+startupProbe:
+ enabled: true
+ periodSeconds: 10
+ timeoutSeconds: 10
+...
diff --git a/helmfile/environments/default/global.yaml b/helmfile/environments/default/global.yaml
index 26e49703..740a5cf9 100644
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -4,7 +4,6 @@
 ## The global properties are used to configure multiple charts at once.
 #
 global:
-
 ## Define ingress/virtualservice host.
 #
 hosts:
@@ -20,6 +19,8 @@ global:
 matrixNeoChoiceWidget: "matrix-neochoice-widget"
 matrixNeoDateFixBot: "matrix-neodatefix-bot"
 matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+ minioApi: "minio"
+ minioConsole: "minio-console"
 nextcloud: "fs"
 openproject: "project"
 openxchange: "webmail"
@@ -30,7 +31,6 @@ global:
 whiteboard: "whiteboard"
 xwiki: "wiki"
-
 ## Define docker registry address.
 #
 imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 21f6fc0f..412a4277 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -112,6 +112,10 @@ images:
 repository: "clamav/clamav"
 tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
 # @supplier: "openDesk DevSecOps"
+ minio:
+ repository: "bitnami/minio"
+ tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
+ # @supplier: "openDesk DevSecOps"
 nextcloud:
 repository: "nextcloud"
 tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
diff --git a/helmfile/environments/default/persistence.yaml b/helmfile/environments/default/persistence.yaml
index 2e390a83..8d507de4 100644
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
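Review bot: Every bucket policy grants `s3:*` on both the bucket ARN and its object ARN, so each application credential can also rewrite its bucket's policy or delete the bucket outright (`s3:PutBucketPolicy`, `s3:DeleteBucket`), far more than the object read/write/list a client needs and enough to defeat the `versioning: true` retention. Narrowing each policy to the actions the consumer actually calls (verify per client; multipart uploads need the multipart actions as well) limits what a leaked per-application credential can do. `networkPolicy.enabled: false` together with the API being published through `apiIngress` in `values-minio.gotmpl` means any pod in the cluster reaches MinIO directly; enabling the chart's network policy and allowing only the consuming namespaces is the usual hardening. `defaultBuckets` and `provisioning.buckets` create the same four buckets twice; keeping only the provisioning list avoids the two drifting apart.
```yaml
  policies:
    - name: "openproject-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::openproject"
          effect: "Allow"
          actions:
            - "s3:ListBucket"
            - "s3:GetBucketLocation"
            - "s3:ListBucketMultipartUploads"
        - resources:
            - "arn:aws:s3:::openproject/*"
          effect: "Allow"
          actions:
            - "s3:GetObject"
            - "s3:PutObject"
            - "s3:DeleteObject"
            - "s3:AbortMultipartUpload"
            - "s3:ListMultipartUploadParts"
    # … unchanged structure for openxchange, ums and nextcloud, with the same narrowed action lists …
```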
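Review bot: The new `minio` image is pinned by digest, which is good, but the readable part of the tag is just `2023`, a floating bitnami tag that does not say which MinIO release the digest was taken from, whereas the neighbouring entries carry the full version (`1.1.1-10_base@sha256:…`, `27.1.1-apache@sha256:…`). Use the specific bitnami tag that corresponds to this digest so advisories and upgrade diffs can be matched to a release, or at minimum record the release next to the `# @supplier` line, e.g. `# @version: <exact bitnami tag for this digest>`.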
@@ -10,10 +10,10 @@ persistence:
 dovecot: "1Gi"
 mariadb: "1Gi"
 matrixNeoDateFixBot: "1Gi"
+ minio: "1Gi"
 nextcloud:
 main: "1.2Gi"
 data: "10Gi"
- openproject: "1Gi"
 postfix: "1Gi"
 postgresql: "1Gi"
 prosody: "1Gi"
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml
index 8fd39182..6cf3dc63 100644
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -27,6 +27,7 @@ replicas:
 matrixUserVerificationService: 1
 # clamav-distributed
 milter: 1
+ minioDistributed: 4
 nextcloud: 1
 openproject: 1
 postfix: 1
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index 63ed6f28..f38a9ee0 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -170,6 +170,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "2Gi"
+ minio:
+ limits:
+ cpu: 2
+ memory: "4Gi"
+ requests:
+ cpu: 0.25
+ memory: "1Gi"
 nextcloud:
 limits:
 cpu: 2
@@ -352,5 +359,4 @@ resources:
 requests:
 cpu: 0.1
 memory: "6Gi"
-
 ...
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 2475936a..7356a0d9 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -42,6 +42,12 @@ secrets:
 xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
 openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
 nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
+ minio:
+ rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
+ openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+ openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
+ umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
+ nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
 keycloak:
 adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
 clientSecret:
diff --git a/helmfile/environments/default/workplace.yaml b/helmfile/environments/default/workplace.yaml
index 5fa27ec4..c3e3c7f0 100644
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -25,6 +25,8 @@ mariadb:
 enabled: true
 memcached:
 enabled: true
+minio:
+ enabled: true
 nextcloud:
 enabled: true
 openproject:
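Review bot: The five new `minio` entries wrap the pipeline in parentheses, `{{ (derivePassword … | sha1sum | quote) }}`, while every neighbouring line in this file writes the bare pipeline `{{ derivePassword … | sha1sum | quote }}`; the rendered value is the same, so drop the parentheses for consistency. Note also that `rootPassword` falls back to the same `"sovereign-workplace"` default for `MASTER_PASSWORD` as the per-application users, so a deployment that forgets to set `MASTER_PASSWORD` gets a predictable MinIO root credential behind the console ingress that `values-minio.gotmpl` publishes; the defaulting is pre-existing in this file, but the root account is new and has full control over all application buckets, so a `# MASTER_PASSWORD must be set in production; the default yields predictable credentials` reminder above `minio:` is worth adding. The `secrets:` mapping starts before the hunk.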