fix(services): Add Otterize based security settings

helmfile/apps/services/helmfile.yaml

@@ -6,6 +6,17 @@ bases:
 
 ---
 repositories:
+  # openDesk Otterize
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
+  - name: "opendesk-otterize-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-otterize" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
   - name: "opendesk-certificates-repo"
@@ -75,6 +86,17 @@ repositories:
 releases:
   # renovate:
   # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-otterize/opendesk-otterize
+  # dataSource=docker
+  # dependencyType=service
+  - name: "opendesk-otterize"
+    chart: "opendesk-otterize-repo/opendesk-otterize"
+    version: "1.0.3"
+    values:
+      - "values-otterize.gotmpl"
+    installed: { { .Values.security.otterizeIntents.enabled } }
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
   # packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
   # dataSource=docker
   # dependencyType=service

helmfile/apps/services/values-otterize.gotmpl

@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apps:
+  clamavDistributed:
+    enabled: {{ .Values.clamavDistributed.enabled }}
+  clamavSimple:
+    enabled: {{ .Values.clamavSimple.enabled }}
+  collabora:
+    enabled: {{ .Values.collabora.enabled }}
+  cryptpad:
+    enabled: {{ .Values.cryptpad.enabled }}
+  dovecot:
+    enabled: {{ .Values.dovecot.enabled }}
+  element:
+    enabled: {{ .Values.element.enabled }}
+  intercom:
+    enabled: {{ .Values.intercom.enabled }}
+  jitsi:
+    enabled: {{ .Values.jitsi.enabled }}
+  keycloak:
+    enabled: {{ .Values.keycloak.enabled }}
+  mariadb:
+    enabled: {{ .Values.mariadb.enabled }}
+  memcached:
+    enabled: {{ .Values.memcached.enabled }}
+  minio:
+    enabled: {{ .Values.minio.enabled }}
+  nextcloud:
+    enabled: {{ .Values.nextcloud.enabled }}
+  openproject:
+    enabled: {{ .Values.openproject.enabled }}
+  oxAppsuite:
+    enabled: {{ .Values.oxAppsuite.enabled }}
+  oxConnector:
+    enabled: {{ .Values.oxConnector.enabled }}
+  postfix:
+    enabled: {{ .Values.postfix.enabled }}
+  postgresql:
+    enabled: {{ .Values.postgresql.enabled }}
+  redis:
+    enabled: {{ .Values.redis.enabled }}
+  univentionCorporateServer:
+    enabled: {{ .Values.univentionCorporateServer.enabled }}
+  univentionManagementStack:
+    enabled: {{ .Values.univentionManagementStack.enabled }}
+  xwiki:
+    enabled: {{ .Values.xwiki.enabled }}
+
+extraApps:
+  clusterPostfix:
+    enabled: {{ .Values.security.clusterPostfix.enabled }}
+    namespace: {{ .Values.security.clusterPostfix.namespace }}
+...

helmfile/environments/default/security.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+security:
+  otterizeIntents:
+    enabled: false
+  clusterPostfix:
+    enabled: false
+    namespace: ""
+...

helmfile/environments/default/workplace.yaml

@@ -4,9 +4,9 @@
 certificates:
   enabled: true
 clamavDistributed:
-  enabled: false
-clamavSimple:
   enabled: true
+clamavSimple:
+  enabled: false
 collabora:
   enabled: true
 cryptpad:
@@ -42,9 +42,9 @@ postgresql:
 redis:
   enabled: true
 univentionCorporateServer:
-  enabled: true
-univentionManagementStack:
   enabled: false
+univentionManagementStack:
+  enabled: true
 xwiki:
   enabled: true
 ...