From d039c65c4b808e2a55a428502a8cfc05d001b43c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20K=C3=B6nig-Festl?= Date: Thu, 7 Dec 2023 16:19:30 +0000 Subject: [PATCH] fix(univention-management-stack): Add ums provisioning service Adds provisioning API along with NATS and NATS box --- docs/security.md | 1 + .../univention-management-stack/helmfile.yaml | 17 ++++++++++++++ .../values-provisioning.gotmpl | 19 ++++++++++++++++ .../values-provisioning.yaml | 15 +++++++++++++ .../values-ums-stack-gateway.yaml | 6 +++++ helmfile/environments/default/charts.yaml | 15 +++++++++++++ helmfile/environments/default/images.yaml | 22 ++++++------------- helmfile/environments/default/resources.yaml | 8 ++++++- 8 files changed, 87 insertions(+), 16 deletions(-) create mode 100644 helmfile/apps/univention-management-stack/values-provisioning.gotmpl create mode 100644 helmfile/apps/univention-management-stack/values-provisioning.yaml diff --git a/docs/security.md b/docs/security.md index a61c704a..733cb172 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -105,6 +105,7 @@ This list gives you an overview of default security settings and if they comply
 | | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
+| | provisioning-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
 | | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
 | | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
 | | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml
index 371f7fab..bf45a6fd 100644
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -97,6 +97,13 @@ repositories:
 username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
 password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
 url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
+ - name: "ums-provisioning-repo"
+ oci: {{ .Values.charts.umsProvisioning.oci }}
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+ verify: {{ .Values.charts.umsProvisioning.verify }}
+ username: {{ .Values.charts.umsProvisioning.username | quote }}
+ password: {{ .Values.charts.umsProvisioning.password | quote }}
+ url: "{{ .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"
 
 # Univention Keycloak Extensions
 - name: "ums-keycloak-extensions-repo"
@@ -314,6 +321,16 @@ releases:
 - "values-selfservice-listener.yaml"
 installed: {{ .Values.univentionManagementStack.enabled }}
 
+ - name: "ums-provisioning"
+ chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
+ version: "{{ .Values.charts.umsProvisioning.version }}"
+ values:
+ - "values-common.gotmpl"
+ - "values-common.yaml"
+ - "values-provisioning.gotmpl"
+ - "values-provisioning.yaml"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+
 commonLabels:
 deploy-stage: "component-1"
 component: "univention-management-stack"
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.gotmpl
new file mode 100644
index 00000000..e52c8ca0
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-provisioning.gotmpl
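Review bot: The `ums-provisioning` release added in the second hunk declares no `needs:` and is gated only on the stack-wide `univentionManagementStack.enabled`, while the commit message says the change brings NATS and a NATS box — yet no NATS repository, release or values file appears in this helmfile. If those components are delivered as subcharts of provisioning-api, a comment on the release would spare the next reader a search, e.g. `# NATS and nats-box are deployed by the provisioning-api chart itself, not as separate releases` (please confirm before adding it). The `releases:` list itself continues outside the hunk.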
@@ -0,0 +1,19 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+ registry: {{ .Values.global.imageRegistry | quote }}
+ repository: {{ .Values.images.umsProvisioning.repository | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ tag: {{ .Values.images.umsProvisioning.tag | quote }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
+...
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml b/helmfile/apps/univention-management-stack/values-provisioning.yaml
new file mode 100644
index 00000000..6284c83e
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+provisioningApi:
+ rootPath: "/univention/provisioning-api"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+...
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
index 2593c325..2933cb32 100644
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
@@ -237,6 +237,12 @@ serverBlock: |
 proxy_pass http://ums-portal-frontend:80/;
 }
 
+ ## provisioning-api
+ location /univention/provisioning-api/ {
+ rewrite ^/univention/provisioning-api(/.*)$ $1 break;
+ proxy_pass http://ums-provisioning-provisioning-api:80;
+ }
+
 }
 
 podSecurityContext:
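Review bot: In the `resources:` stanza the template call is indented two spaces and also uses `nindent 2`, so the rendered values carry a whitespace-only line between `resources:` and `limits:`; `{{- .Values.resources.umsProvisioning | toYaml | nindent 2 }}` with the trim marker renders cleanly. This is a style point only — the output is still valid YAML — and if the sibling values-*.gotmpl files use the same form, consistency with them may matter more than the trim.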
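Review bot: The `securityContext` block hardens capabilities, privilege escalation and seccomp but sets neither `runAsNonRoot`/`runAsUser` nor `readOnlyRootFilesystem`, and the docs/security.md row added in this commit records `-` for the user and group ids where stack-gateway has 1001. If the provisioning-api image can run unprivileged, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` belong here (plus `runAsUser` once the image's uid is known); if it cannot yet, a comment such as `# runAsNonRoot/readOnlyRootFilesystem omitted until the image supports them` would document the gap rather than leave it implicit.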
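Review bot: The new `location /univention/provisioning-api/` strips the prefix and forwards every method and sub-path to `ums-provisioning-provisioning-api:80` with no access control at the gateway, so authentication and authorization rest entirely on the upstream API; since the stack gateway is the externally reachable entry point, a comment recording that assumption would help, e.g. `## provisioning-api — no gateway-side auth; the API must authenticate every request itself`. Also, values-provisioning.yaml sets `provisioningApi.rootPath` to the same prefix that the `rewrite` removes, which is the right pairing only if the chart uses `rootPath` as a proxy-prefix hint for URL generation rather than as a route mount point — worth confirming against the chart. The enclosing `serverBlock` starts and ends outside the hunk.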
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 22b7a1ef..4fe2b814 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -657,6 +657,21 @@ charts:
 username: ~
 password: ~
 
+ umsProvisioning:
+ # renovate:
+ # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+ # packageName=provisioning-api
+ # dataSource=helm
+ # dependencyType=vendor
+ registry: "external-registry.souvap-univention.de"
+ repository: "sovereign-workplace/souvap/tooling/charts/univention"
+ name: "provisioning-api"
+ oci: true
+ verify: true
+ version: "0.2.1"
+ username: ~
+ password: ~
+
 umsSelfserviceListener:
 # renovate:
 # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 4dd6200e..a83fdc05 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -385,7 +385,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/config-htpasswd"
 tag: "0.9.3@sha256:a6ae17dab54fdf75ed59078c25b4f4a6eca9ef755a78fd9a092c5a1c27473da6"
 # @supplier: "Univention"
@@ -393,7 +392,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/data-loader"
 tag: "0.39.5@sha256:01370139fd682a20f42e7b9b7f269c5bb8e0f9a392e0119135c88abbf2c5616c"
 # @supplier: "Univention"
@@ -401,7 +399,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/ldap-notifier"
 tag: "0.7.2@sha256:cd05f5c8c6765ed5bdc1246178498a8d47e4f7ec6a75c3e0f1f69c0ee18f6e6a"
 # @supplier: "Univention"
@@ -409,7 +406,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/ldap-server"
 tag: "0.7.2@sha256:591115300e67ace320333b7a865922f528a7628e693db858f20f59c3ff454b51"
 # @supplier: "Univention"
@@ -417,7 +413,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/notifications-api"
 tag: "0.9.2@sha256:4df0fd062a84afffb9b21e62d7fef594dac1920c8485fb178ee65738060db19e"
 # @supplier: "Univention"
@@ -425,7 +420,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/portal-listener"
 tag: "0.9.2@sha256:4d52acbabc2b2fce3c9830a154c394aae5beec53d38f399ce8865ade2d97eb55"
 # @supplier: "Univention"
@@ -433,7 +427,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/portal-frontend"
 tag: "0.9.2@sha256:29abefe80cea54753a85e3d020a68c6025f5b11b8fafcc84b9e71bccac86316b"
 # @supplier: "Univention"
@@ -441,7 +434,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/portal-server"
 tag: "0.9.2@sha256:7a6468bcda5b5ee2fd24d0029435d86dca96096f28cbe32d6497bcafa683610a"
 # @supplier: "Univention"
@@ -449,7 +441,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/wait-for-dependency"
 tag: "0.9.2@sha256:524e9bad6875bf12370dfbd5cd85df13a04e34c49d074eca34b3ca4b4efc7d8e"
 # @supplier: "Univention"
@@ -457,7 +448,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/store-dav"
 tag: "0.9.3@sha256:e7b1be11933112fe22f5336ec7cd526faeac77a28120abf806d7758dc48d0596"
 # @supplier: "Univention"
@@ -465,7 +455,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/udm-rest-api"
 tag: "0.4.3@sha256:d6ae525028dd2ee108e923dee79db9c1f2f4e0e9f0df3b35de1d50ccc3d90420"
 # @supplier: "Univention"
@@ -473,7 +462,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/umc-gateway"
 tag: "0.6.4@sha256:733d2eac6d358b6d78925d346db8ab6d1adff1ef3179ce8c300e25284ff2c400"
 # @supplier: "Univention"
@@ -481,7 +469,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/umc-server"
 tag: "0.6.4@sha256:ed3c11df4e51939f771a3035055b1bebc360f0971a8b1a11b7eb39cf065875eb"
 # @supplier: "Univention"
@@ -489,7 +476,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/selfservice-listener"
 tag: "0.3.1@sha256:eb1866c364b476258cfa535aa0c94e0da6706cf74e0f774fd80ebce22c3ce6d8"
 # @supplier: "Univention"
@@ -497,7 +483,6 @@ images:
 # renovate:
 # registryUrl=https://registry.souvap-univention.de
 # dependencyType=supplier
- # This is a preview and not part of the standard deployment.
 repository: "souvap/tooling/images/univention/selfservice-invitation"
 tag: "0.3.1@sha256:c985e679fa2af21dce4ce5a41750aec76674858f016b6f8d962f44f90551895d"
 # @supplier: "Univention"
@@ -515,4 +500,11 @@ images:
 repository: "xwikisas/swp/xwiki"
 tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
 # @supplier: "XWiki"
+ umsProvisioning:
+ # renovate:
+ # registryUrl=https://registry.souvap-univention.de
+ # dependencyType=vendor
+ repository: "souvap/tooling/images/univention/provisioning-dispatch"
+ tag: "0.2.1@sha256:5c048d0d715ac701c67a98950d87524b54e62d60c4ae39ebb4e8d0a55d0d3438"
+ # @supplier: "Univention"
 ...
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index 98c3f193..f8956162 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
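Review bot: The new `umsProvisioning` image entry in the last hunk uses `dependencyType=vendor`, while every other Univention image in this file (see the surrounding hunks) uses `dependencyType=supplier` together with the same `# @supplier: "Univention"` marker; unless the renovate classification is deliberate, `# dependencyType=supplier` keeps the file consistent (the charts.yaml entry in this commit carries the same `vendor` value). Separately, the repository points at `provisioning-dispatch`, whereas the chart name in charts.yaml, the gateway upstream `ums-provisioning-provisioning-api` and the security.md row all refer to provisioning-api, and values-provisioning.gotmpl feeds this single image into the chart's `image:` block — please confirm the api chart is meant to run the dispatch image, or whether a second image key is needed. The digest pin on the tag matches the rest of the file and is good.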
@@ -396,6 +396,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "256Mi"
+ umsProvisioning:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
 umsSelfserviceListener:
 limits:
 cpu: 99
@@ -410,7 +417,6 @@ resources:
 requests:
 cpu: 0.1
 memory: "256Mi"
-
 umsStackDataUms:
 limits:
 cpu: 99