fix(services): Add minio as service and consume by OpenProject

.gitignore

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 .vscode
 .idea
+.yamllint
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml

COMPONENTS-SERVICE.md

@@ -60,3 +60,6 @@ This service is used by
 - Open-Xchange
 
 ## Objectstore - MinIO
+
+This services is used by:
+- OpenProject (attachment storage)

README.md

@@ -224,6 +224,7 @@ subdirectory `/helmfile/apps/services`.
 | Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
 | MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
 | Memcached                   | `memcached.enabled`                 | `true`  | Cache Database                 | Eval       |
+| MinIO                       | `minio.enabled`                     | `true`  | Object Storage                 | Eval       |
 | Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
 | OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
 | OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |

helmfile/apps/openproject/values.gotmpl

@@ -42,7 +42,7 @@ openproject:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   # Will only be set on initial seed / installation
   admin_user:
-    name: "OpenProject Interal Admin"
+    name: "OpenProject Internal Admin"
     mail: "openproject-admin@swp-domain.internal"
     password_reset: "false"
     password: {{ .Values.secrets.openproject.adminPassword | quote }}
@@ -75,10 +75,9 @@ environment:
   OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
-
+  OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-persistence:
+  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-  size: {{ .Values.persistence.size.openproject | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
-  storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
 
 replicaCount: {{ .Values.replicas.openproject }}
 

helmfile/apps/openproject/values.yaml

@@ -37,8 +37,10 @@ securityContext:
   readOnlyRootFilesystem: false
 
 persistence:
-  accessModes:
+  enabled: false
-    - "ReadWriteMany"
+
+s3:
+  enabled: true
 
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -71,5 +73,10 @@ environment:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
-
+  # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
+  OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
+  OPENPROJECT_FOG_DIRECTORY: "openproject"
+  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
+  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
+  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
 ...

helmfile/apps/services/helmfile.yaml

@@ -137,6 +137,13 @@ releases:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     installed: {{ .Values.istio.enabled }}
+  - name: "minio"
+    chart: "bitnami-repo/minio"
+    version: "12.8.19"
+    values:
+      - "values-minio.yaml"
+      - "values-minio.gotmpl"
+    installed: {{ .Values.minio.enabled }}
 
 commonLabels:
   deploy-stage: "services"

helmfile/apps/services/values-minio.gotmpl

@@ -0,0 +1,80 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.minio.repository }}"
+  tag: "{{ .Values.images.minio.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+auth:
+  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+
+statefulset:
+  replicaCount: {{ .Values.replicas.minioDistributed }}
+
+resources:
+  {{ .Values.resources.minio | toYaml | nindent 2 }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+apiIngress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  prometheusRule:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+
+persistence:
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.minio }}"
+
+provisioning:
+  users:
+    - username: "openproject_user"
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+      disabled: false
+      policies:
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
+    - username: "ums_user"
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
+...

helmfile/apps/services/values-minio.yaml

@@ -0,0 +1,114 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+mode: "standalone"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  runAsUser: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+
+ingress:
+  annotations:
+    nginx.org/websocket-services: "minio"
+
+networkPolicy:
+  enabled: false
+
+defaultBuckets: "openproject,openxchange,ums,nextcloud"
+
+provisioning:
+  enabled: true
+  cleanupAfterFinished:
+    enabled: true
+  buckets:
+    - name: "openproject"
+      versioning: true
+      withLock: false
+    - name: "openxchange"
+      versioning: true
+      withLock: false
+    - name: "ums"
+      versioning: true
+      withLock: false
+    - name: "nextcloud"
+      versioning: true
+      withLock: false
+  policies:
+    - name: "openproject-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openproject"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openproject/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "openxchange-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openxchange"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openxchange/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "ums-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::ums"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::ums/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "nextcloud-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::nextcloud"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::nextcloud/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+startupProbe:
+  enabled: true
+  periodSeconds: 10
+  timeoutSeconds: 10
+...

helmfile/environments/default/global.yaml

@@ -4,7 +4,6 @@
 ## The global properties are used to configure multiple charts at once.
 #
 global:
-
   ## Define ingress/virtualservice host.
   #
   hosts:
@@ -20,6 +19,8 @@ global:
     matrixNeoChoiceWidget: "matrix-neochoice-widget"
     matrixNeoDateFixBot: "matrix-neodatefix-bot"
     matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+    minioApi: "minio"
+    minioConsole: "minio-console"
     nextcloud: "fs"
     openproject: "project"
     openxchange: "webmail"
@@ -30,7 +31,6 @@ global:
     whiteboard: "whiteboard"
     xwiki: "wiki"
 
-
   ## Define docker registry address.
   #
   imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"

helmfile/environments/default/images.yaml

@@ -112,6 +112,10 @@ images:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk DevSecOps"
+  minio:
+    repository: "bitnami/minio"
+    tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
+    # @supplier: "openDesk DevSecOps"
   nextcloud:
     repository: "nextcloud"
     tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"

helmfile/environments/default/persistence.yaml

@@ -10,10 +10,10 @@ persistence:
     dovecot: "1Gi"
     mariadb: "1Gi"
     matrixNeoDateFixBot: "1Gi"
+    minio: "1Gi"
     nextcloud:
       main: "1.2Gi"
       data: "10Gi"
-    openproject: "1Gi"
     postfix: "1Gi"
     postgresql: "1Gi"
     prosody: "1Gi"

helmfile/environments/default/replicas.yaml

@@ -27,6 +27,7 @@ replicas:
   matrixUserVerificationService: 1
   # clamav-distributed
   milter: 1
+  minioDistributed: 4
   nextcloud: 1
   openproject: 1
   postfix: 1

helmfile/environments/default/resources.yaml

@@ -170,6 +170,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "2Gi"
+  minio:
+    limits:
+      cpu: 2
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "1Gi"
   nextcloud:
     limits:
       cpu: 2
@@ -352,5 +359,4 @@ resources:
     requests:
       cpu: 0.1
       memory: "6Gi"
-
 ...

helmfile/environments/default/secrets.gotmpl

@@ -42,6 +42,12 @@ secrets:
     xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
     openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
     nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
+  minio:
+    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
+    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
+    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
+    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
   keycloak:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
     clientSecret:

helmfile/environments/default/workplace.yaml

@@ -25,6 +25,8 @@ mariadb:
   enabled: true
 memcached:
   enabled: true
+minio:
+  enabled: true
 nextcloud:
   enabled: true
 openproject: