fix(univention-management-stack): Add ums provisioning service

Adds provisioning API along with NATS and NATS box

docs/security.md

@@ -105,6 +105,7 @@ This list gives you an overview of default security settings and if they comply
 |                             | portal-frontend              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-listener              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-server                |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | provisioning-api                |        :x:         |         :white_check_mark:         |     :white_check_mark:      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | selfservice-listener         |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | stack-gateway                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |                             | store-dav                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -97,6 +97,13 @@ repositories:
     username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
     password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
     url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
+  - name: "ums-provisioning-repo"
+    oci: {{ .Values.charts.umsProvisioning.oci }}
+    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    verify: {{ .Values.charts.umsProvisioning.verify }}
+    username: {{ .Values.charts.umsProvisioning.username | quote }}
+    password: {{ .Values.charts.umsProvisioning.password | quote }}
+    url: "{{ .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"
 
   # Univention Keycloak Extensions
   - name: "ums-keycloak-extensions-repo"
@@ -314,6 +321,16 @@ releases:
       - "values-selfservice-listener.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
+  - name: "ums-provisioning"
+    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
+    version: "{{ .Values.charts.umsProvisioning.version }}"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-provisioning.gotmpl"
+      - "values-provisioning.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-management-stack"

helmfile/apps/univention-management-stack/values-provisioning.gotmpl

@@ -0,0 +1,19 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: {{ .Values.global.imageRegistry | quote }}
+  repository: {{ .Values.images.umsProvisioning.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsProvisioning.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-provisioning.yaml

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+provisioningApi:
+  rootPath: "/univention/provisioning-api"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml

@@ -237,6 +237,12 @@ serverBlock: |
       proxy_pass http://ums-portal-frontend:80/;
     }
 
+    ## provisioning-api
+    location /univention/provisioning-api/ {
+      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
+      proxy_pass http://ums-provisioning-provisioning-api:80;
+    }
+
   }
 
 podSecurityContext:

helmfile/environments/default/charts.yaml

@@ -657,6 +657,21 @@ charts:
     username: ~
     password: ~
 
+  umsProvisioning:
+    # renovate:
+    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+    # packageName=provisioning-api
+    # dataSource=helm
+    # dependencyType=vendor
+    registry: "external-registry.souvap-univention.de"
+    repository: "sovereign-workplace/souvap/tooling/charts/univention"
+    name: "provisioning-api"
+    oci: true
+    verify: true
+    version: "0.2.1"
+    username: ~
+    password: ~
+
   umsSelfserviceListener:
     # renovate:
     # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable

helmfile/environments/default/images.yaml

@@ -385,7 +385,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
     tag: "0.9.3@sha256:a6ae17dab54fdf75ed59078c25b4f4a6eca9ef755a78fd9a092c5a1c27473da6"
     # @supplier: "Univention"
@@ -393,7 +392,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
     tag: "0.39.5@sha256:01370139fd682a20f42e7b9b7f269c5bb8e0f9a392e0119135c88abbf2c5616c"
     # @supplier: "Univention"
@@ -401,7 +399,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-notifier"
     tag: "0.7.2@sha256:cd05f5c8c6765ed5bdc1246178498a8d47e4f7ec6a75c3e0f1f69c0ee18f6e6a"
     # @supplier: "Univention"
@@ -409,7 +406,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-server"
     tag: "0.7.2@sha256:591115300e67ace320333b7a865922f528a7628e693db858f20f59c3ff454b51"
     # @supplier: "Univention"
@@ -417,7 +413,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
     tag: "0.9.2@sha256:4df0fd062a84afffb9b21e62d7fef594dac1920c8485fb178ee65738060db19e"
     # @supplier: "Univention"
@@ -425,7 +420,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
     tag: "0.9.2@sha256:4d52acbabc2b2fce3c9830a154c394aae5beec53d38f399ce8865ade2d97eb55"
     # @supplier: "Univention"
@@ -433,7 +427,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
     tag: "0.9.2@sha256:29abefe80cea54753a85e3d020a68c6025f5b11b8fafcc84b9e71bccac86316b"
     # @supplier: "Univention"
@@ -441,7 +434,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
     tag: "0.9.2@sha256:7a6468bcda5b5ee2fd24d0029435d86dca96096f28cbe32d6497bcafa683610a"
     # @supplier: "Univention"
@@ -449,7 +441,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
     tag: "0.9.2@sha256:524e9bad6875bf12370dfbd5cd85df13a04e34c49d074eca34b3ca4b4efc7d8e"
     # @supplier: "Univention"
@@ -457,7 +448,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
     tag: "0.9.3@sha256:e7b1be11933112fe22f5336ec7cd526faeac77a28120abf806d7758dc48d0596"
     # @supplier: "Univention"
@@ -465,7 +455,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/udm-rest-api"
     tag: "0.4.3@sha256:d6ae525028dd2ee108e923dee79db9c1f2f4e0e9f0df3b35de1d50ccc3d90420"
     # @supplier: "Univention"
@@ -473,7 +462,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-gateway"
     tag: "0.6.4@sha256:733d2eac6d358b6d78925d346db8ab6d1adff1ef3179ce8c300e25284ff2c400"
     # @supplier: "Univention"
@@ -481,7 +469,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-server"
     tag: "0.6.4@sha256:ed3c11df4e51939f771a3035055b1bebc360f0971a8b1a11b7eb39cf065875eb"
     # @supplier: "Univention"
@@ -489,7 +476,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/selfservice-listener"
     tag: "0.3.1@sha256:eb1866c364b476258cfa535aa0c94e0da6706cf74e0f774fd80ebce22c3ce6d8"
     # @supplier: "Univention"
@@ -497,7 +483,6 @@ images:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
-    # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/selfservice-invitation"
     tag: "0.3.1@sha256:c985e679fa2af21dce4ce5a41750aec76674858f016b6f8d962f44f90551895d"
     # @supplier: "Univention"
@@ -515,4 +500,11 @@ images:
     repository: "xwikisas/swp/xwiki"
     tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
     # @supplier: "XWiki"
+  umsProvisioning:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=vendor
+    repository: "souvap/tooling/images/univention/provisioning-dispatch"
+    tag: "0.2.1@sha256:5c048d0d715ac701c67a98950d87524b54e62d60c4ae39ebb4e8d0a55d0d3438"
+    # @supplier: "Univention"
 ...

helmfile/environments/default/resources.yaml

@@ -396,6 +396,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsProvisioning:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsSelfserviceListener:
     limits:
       cpu: 99
@@ -410,7 +417,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-
   umsStackDataUms:
     limits:
       cpu: 99