diff --git a/helmfile/apps/keycloak/values-keycloak.gotmpl b/helmfile/apps/keycloak/values-keycloak.gotmpl index 983dfcf1..ae1c37b0 100644 --- a/helmfile/apps/keycloak/values-keycloak.gotmpl +++ b/helmfile/apps/keycloak/values-keycloak.gotmpl @@ -34,7 +34,7 @@ keycloakConfigCli: - name: "LDAP_USERS_DN" value: "cn=users,dc=swp-ldap,dc=internal" - name: "LDAP_SERVER_URL" - value: "univention-corporate-container" + value: "{{ .Values.global.ldap.host }}" - name: "IDENTIFIER" value: "souvap" - name: "THEME" diff --git a/helmfile/apps/nextcloud/values-bootstrap.gotmpl b/helmfile/apps/nextcloud/values-bootstrap.gotmpl index 4408a6b9..1a698a70 100644 --- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl +++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl @@ -36,6 +36,7 @@ config: password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }} ldapSearch: + host: "{{ .Values.global.ldap.host }}" password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}" smtp: diff --git a/helmfile/apps/nextcloud/values-bootstrap.yaml b/helmfile/apps/nextcloud/values-bootstrap.yaml index 19a935a3..2b2347ed 100644 --- a/helmfile/apps/nextcloud/values-bootstrap.yaml +++ b/helmfile/apps/nextcloud/values-bootstrap.yaml @@ -13,7 +13,4 @@ config: cryptpad: enabled: true - - ldapSearch: - host: "univention-corporate-container" ... diff --git a/helmfile/apps/open-xchange/values-dovecot.gotmpl b/helmfile/apps/open-xchange/values-dovecot.gotmpl index 034fdda4..c1b8fdb4 100644 --- a/helmfile/apps/open-xchange/values-dovecot.gotmpl +++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl 
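Review bot: `LDAP_SERVER_URL` is now rendered from `global.ldap.host` as a bare host name with no scheme or port, although the variable's name suggests a URL. The previous value was also a bare host, so presumably the realm import adds `ldap://` and the port itself; that assumption should be written down next to the entry, e.g. `# Bare host name, no scheme/port — confirm this is the form the realm import expects`. The other consumers of `global.ldap.host` in this commit append an explicit port 389, so a reader comparing the files will otherwise wonder about the difference.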
@@ -19,6 +19,7 @@ dovecot: password: {{ .Values.secrets.dovecot.doveadm | quote }} ldap: dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal" + host: "{{ .Values.global.ldap.host }}" password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }} oidc: introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect" diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml b/helmfile/apps/open-xchange/values-dovecot.yaml index b14a7ed4..a18ad954 100644 --- a/helmfile/apps/open-xchange/values-dovecot.yaml +++ b/helmfile/apps/open-xchange/values-dovecot.yaml @@ -7,7 +7,6 @@ containerSecurityContext: dovecot: ldap: enabled: true - host: "univention-corporate-container" port: 389 base: "dc=swp-ldap,dc=internal" diff --git a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl index 42af978e..05423493 100644 --- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl @@ -8,6 +8,10 @@ appsuite: secretYAMLFiles: ldap-client-config.yml: contactsLdapClient: + pool: + host: + address: "{{ .Values.global.ldap.host }}" + port: 389 auth: adminDN: password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} diff --git a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml index 3de694dc..1d10265e 100644 --- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml +++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml @@ -16,9 +16,6 @@ appsuite: contactsLdapClient: pool: type: "simple" - host: - address: "univention-corporate-container" - port: 389 auth: type: "adminDN" adminDN: 
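Review bot: The contact-picker hunk introduces a literal `port: 389` next to the templated `address`, and the same literal recurs in the openxchange `java.naming.provider.url` hunk and the OpenProject `OPENPROJECT_SEED_LDAP_OPENDESK_PORT` hunk, so the host was centralized but the port was not. A `global.ldap.port` value beside `global.ldap.host` would let all three render from one place, e.g. `port: {{ .Values.global.ldap.port }}`. The surrounding context (`tlsMode: "off"`, `security: "plain_ldap"`, `ldap://`) shows these are plaintext binds carrying the ldapsearch passwords, so once the host can point anywhere the port/scheme choice is a deliberate one and deserves a comment where `global.ldap.host` is defined.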
diff --git a/helmfile/apps/open-xchange/values-openxchange.gotmpl b/helmfile/apps/open-xchange/values-openxchange.gotmpl index ad93eb2a..7ec12eee 100644 --- a/helmfile/apps/open-xchange/values-openxchange.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl @@ -83,6 +83,7 @@ appsuite: propertiesFiles: "/opt/open-xchange/etc/ldapauth.properties": bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} + java.naming.provider.url: "ldap://{{ .Values.global.ldap.host }}:389/dc=swp-ldap,dc=internal" uiSettings: "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml b/helmfile/apps/open-xchange/values-openxchange.yaml index a83802d3..23a3a1c1 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml +++ b/helmfile/apps/open-xchange/values-openxchange.yaml @@ -111,7 +111,6 @@ appsuite: /opt/open-xchange/etc/system.properties: SERVER_NAME: "oxserver" /opt/open-xchange/etc/ldapauth.properties: - java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal" bindOnly: "false" bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal" diff --git a/helmfile/apps/openproject/values.gotmpl b/helmfile/apps/openproject/values.gotmpl index 3750c022..347855e4 100644 --- a/helmfile/apps/openproject/values.gotmpl +++ b/helmfile/apps/openproject/values.gotmpl 
@@ -54,6 +54,9 @@ environment: OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" + # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections + OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "{{ .Values.global.ldap.host }}" + OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389" OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }} OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}" diff --git a/helmfile/apps/openproject/values.yaml b/helmfile/apps/openproject/values.yaml index 19d3ff8a..ddffdf6b 100644 --- a/helmfile/apps/openproject/values.yaml +++ b/helmfile/apps/openproject/values.yaml @@ -55,9 +55,6 @@ environment: OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true" OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer" OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc" - # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections - OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container" - OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389" OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap" OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal" OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal" 
diff --git a/helmfile/apps/provisioning/values-oxconnector.gotmpl b/helmfile/apps/provisioning/values-oxconnector.gotmpl index c10bed9d..dd87a884 100644 --- a/helmfile/apps/provisioning/values-oxconnector.gotmpl +++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl @@ -19,6 +19,8 @@ persistence: oxConnector: domainName: "{{ .Values.global.domain }}" + ldapHost: "{{ .Values.global.ldap.host }}" + notifierServer: "{{ .Values.global.ldap.notifierHost }}" #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))" oxMasterAdmin: "admin" oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml b/helmfile/apps/provisioning/values-oxconnector.yaml index c1d59570..0e472e6e 100644 --- a/helmfile/apps/provisioning/values-oxconnector.yaml +++ b/helmfile/apps/provisioning/values-oxconnector.yaml @@ -5,11 +5,9 @@ ingress: enabled: false oxConnector: - ldapHost: "univention-corporate-container" # ldapHostIp: "" ldapBaseDn: "dc=swp-ldap,dc=internal" ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal" - notifierServer: "univention-corporate-container" tlsMode: "off" # current static password for UCC ldapPassword: "ucctempldapstring" diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml index d5f47b93..acd775ab 100644 --- a/helmfile/apps/univention-management-stack/helmfile.yaml +++ b/helmfile/apps/univention-management-stack/helmfile.yaml 
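Review bot: The oxconnector gotmpl hunk now templates `ldapHost` from `global.ldap.host`, while the yaml hunk leaves `ldapPassword: "ucctempldapstring"` (commented as the current UCC static password) and `tlsMode: "off"` in place. If `global.ldap.host` now resolves to the UMS `ums-ldap-server`, as the portal-listener hunk in this commit suggests, the bind credential would presumably have to come from the same source the other UMS consumers use, e.g. `ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}` in the gotmpl; if the static value is intentional during the migration, a comment naming the server it authenticates against would prevent a silent mismatch. Either way, a literal bind password in a committed values file is worth tracking as a follow-up.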
@@ -11,11 +11,29 @@ repositories: url: >- {{ env "PRIVATE_CHART_REPOSITORY_URL" | default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }} + # VMWare Bitnami + # Source: https://github.com/bitnami/charts/ + - name: "bitnami-repo" + oci: true + url: >- + {{ env "PRIVATE_IMAGE_REGISTRY_URL" | + default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }} + verify: true + keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" releases: + # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution + {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }} + - name: "ums-stack-gateway" + chart: "bitnami-repo/nginx" + version: "15.3.5" + values: + - "values-ums-stack-gateway.gotmpl" + condition: "univentionManagementStack.enabled" + {{- end }} - name: "ums-store-dav" chart: "ums-repo/store-dav" - version: "0.2.0" + version: "0.5.2" values: - "values-common.gotmpl" - "values-common.yaml" @@ -23,7 +41,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-ldap-server" chart: "ums-repo/ldap-server" - version: "0.1.0" + version: "0.4.1" values: - "values-common.gotmpl" - "values-common.yaml" @@ -31,7 +49,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-ldap-notifier" chart: "ums-repo/ldap-notifier" - version: "0.1.0" + version: "0.4.1" values: - "values-common.gotmpl" - "values-common.yaml" @@ -40,7 +58,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-udm-rest-api" chart: "ums-repo/udm-rest-api" - version: "0.1.0" + version: "0.3.2" values: - "values-common.gotmpl" - "values-common.yaml" @@ -48,7 +66,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-stack-data-ums" chart: "ums-repo/stack-data-ums" - version: "0.1.0" + version: "0.15.2" values: - "values-common.gotmpl" - "values-common.yaml" 
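Review bot: The new `ums-stack-gateway` release uses `condition: "univentionManagementStack.enabled"`, whereas every other release in this file, including the `ums-portal-frontend-custom` release added later in the same commit, uses `installed: {{ .Values.univentionManagementStack.enabled }}`. Unless the difference is deliberate, `installed:` keeps the file uniform and avoids depending on helmfile's `condition` path semantics; the surrounding `{{- if eq .Values.ingress.ingressClassName ... }}` guard would still apply. The added `bitnami-repo` entry is the only repository here with `verify: true` and a keyring, which is good; a one-line comment noting that `PRIVATE_IMAGE_REGISTRY_URL` is intentionally reused for the chart OCI repository would help, since the `ums-repo` entry above reads `PRIVATE_CHART_REPOSITORY_URL`.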
@@ -56,7 +74,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-stack-data-swp" chart: "ums-repo/stack-data-swp" - version: "0.1.0" + version: "0.15.2" values: - "values-common.gotmpl" - "values-common.yaml" @@ -64,7 +82,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-portal-server" chart: "ums-repo/portal-server" - version: "0.1.0" + version: "0.3.4" values: - "values-common.gotmpl" - "values-common.yaml" @@ -72,7 +90,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-notifications-api" chart: "ums-repo/notifications-api" - version: "0.1.0" + version: "0.3.4" values: - "values-common.gotmpl" - "values-common.yaml" @@ -81,7 +99,7 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-portal-listener" chart: "ums-repo/portal-listener" - version: "0.1.0" + version: "0.3.4" values: - "values-common.gotmpl" - "values-common.yaml" 
@@ -90,28 +108,36 @@ releases: installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-portal-frontend" chart: "ums-repo/portal-frontend" - version: "0.1.0" + version: "0.3.4" values: - "values-common.gotmpl" - "values-common.yaml" - "values-portal-frontend.gotmpl" installed: {{ .Values.univentionManagementStack.enabled }} + - name: "ums-portal-frontend-custom" + # TODO: Replace with our own Nginx chart. + chart: "bitnami-repo/nginx" + version: "15.3.5" + values: + - "values-portal-frontend-custom.yaml" + - "values-portal-frontend-custom.gotmpl" + installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-umc-gateway" chart: "ums-repo/umc-gateway" - version: "0.1.0" + version: "0.3.2" values: - "values-common.gotmpl" - "values-common.yaml" - "values-umc-gateway.gotmpl" - - "values-umc-gateway.yaml" installed: {{ .Values.univentionManagementStack.enabled }} - name: "ums-umc-server" chart: "ums-repo/umc-server" - version: "0.1.0" + version: "0.3.2" values: - "values-common.gotmpl" - "values-common.yaml" - "values-umc-server.gotmpl" + - "values-umc-server.yaml" installed: {{ .Values.univentionManagementStack.enabled }} commonLabels: diff --git a/helmfile/apps/univention-management-stack/values-common.gotmpl b/helmfile/apps/univention-management-stack/values-common.gotmpl index 6e44f8f5..27957046 100644 --- a/helmfile/apps/univention-management-stack/values-common.gotmpl +++ b/helmfile/apps/univention-management-stack/values-common.gotmpl @@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0 --- ingress: - enabled: {{ .Values.ingress.enabled }} + enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }} host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" ingressClassName: "{{ .Values.ingress.ingressClassName }}" tls: 
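Review bot: The values-common.gotmpl hunk introduces the inline conditional `{{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}`, and the identical expression appears twice more in the values-portal-frontend.gotmpl hunk of this commit (`redirects.enabled` and `master.enabled`), while helmfile.yaml compares the same class name a fourth time. Several copies of a string comparison drift easily; deriving it once — a shared value such as an `ingress.componentIngressEnabled` flag, or a `{{- $ingressEnabled := ... }}` variable at the top of each file — and writing `enabled: {{ $ingressEnabled }}` would state the rule (component ingresses are replaced by the gateway when the HAProxy class is used) in one place. A comment above the first occurrence stating that rule would help regardless.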
diff --git a/helmfile/apps/univention-management-stack/values-common.yaml b/helmfile/apps/univention-management-stack/values-common.yaml index a090def8..af6ca953 100644 --- a/helmfile/apps/univention-management-stack/values-common.yaml +++ b/helmfile/apps/univention-management-stack/values-common.yaml @@ -1,6 +1,10 @@ # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- +global: + configMapUcrDefaults: "ums-stack-data-ums-ucr" + configMapUcr: "ums-stack-data-swp-ucr" + configMapUcrForced: null istio: enabled: false diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl index 9b86f2dd..a3976597 100644 --- a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl @@ -14,10 +14,9 @@ ldapServer: # dhParam: "" tlsMode: "off" - # TODO: SAML integration - # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor" - # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor" - # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs" + samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor" + samlMetadataUrlInternal: null + serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata" image: registry: "{{ .Values.global.imageRegistry }}" 
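Review bot: The ldap-server hunk enables SAML with `samlMetadataUrlInternal: null`, so the IdP metadata is presumably fetched through the public Keycloak host name rather than an in-cluster service, which makes startup depend on the external DNS name and its certificate chain being reachable and trusted from inside the cluster. If that is intended (for instance because the issuer must match the external URL), a comment such as `# Metadata is fetched via the external host so the issuer matches; no in-cluster URL is used` would record it. The same `samlMetadataUrl` string is duplicated in the values-stack-data-ums.gotmpl hunk of this commit; a shared value would keep the two from diverging.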
@@ -29,6 +28,12 @@ image: - name: {{ . }} {{- end }} + waitForDependency: + registry: "{{ .Values.global.imageRegistry }}" + repository: "{{ .Values.images.umsWaitForDependency.repository }}" + imagePullPolicy: "Always" + tag: "{{ .Values.images.umsWaitForDependency.tag }}" + # TODO: Pending upstream support, #199 persistence: data: diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl new file mode 100644 index 00000000..3ba7e474 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl @@ -0,0 +1,53 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- + +ingress: + enabled: true + hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" + ingressClassName: "nginx" + annotations: + nginx.org/mergeable-ingress-type: "minion" + tls: false + + pathType: Exact + path: /favicon.ico + + extraPaths: + - pathType: Exact + path: /univention/portal/css/custom.css + backend: + service: + name: ums-portal-frontend-custom-nginx + port: + name: http + - pathType: Exact + path: /univention/portal/icons/logo.svg + backend: + service: + name: ums-portal-frontend-custom-nginx + port: + name: http + - pathType: Exact + path: /univention/portal/icons/logo_small_border.svg + backend: + service: + name: ums-portal-frontend-custom-nginx + port: + name: http + - pathType: Exact + path: /univention/portal/custom/portal_background_image.png + backend: + service: + name: ums-portal-frontend-custom-nginx + port: + name: http + - pathType: Exact + path: /univention/portal/custom/portal_background_image.svg + backend: + service: + name: ums-portal-frontend-custom-nginx + port: + name: http + +... 
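Review bot: The new values-portal-frontend-custom.gotmpl hard-codes `ingressClassName: "nginx"` and the controller-specific `nginx.org/mergeable-ingress-type: "minion"` annotation, while the other UMS ingresses in this commit take the class from `.Values.ingress.ingressClassName` and disable themselves when it is `dedicated-haproxy-external`. Since the release is `installed` whenever the stack is enabled and this file sets `ingress.enabled: true` unconditionally, the minion Ingress would presumably still be created under the HAProxy setup, where no master Ingress exists for it to merge into. Consider `ingressClassName: "{{ .Values.ingress.ingressClassName }}"` and the same `enabled:` conditional used in values-common.gotmpl, or a comment explaining why this Ingress is always on. Minor: `pathType`, `path` and the repeated `service.name` values are unquoted while the rest of the file quotes its strings.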
diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml b/helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml new file mode 100644 index 00000000..531650d7 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml @@ -0,0 +1,33 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- + +service: + type: "ClusterIP" + +extraVolumes: + - name: "opendesk-branding" + configMap: + name: "ums-stack-data-swp-branding" + +extraVolumeMounts: + - name: "opendesk-branding" + mountPath: "/app/favicon.ico" + subPath: "favicon.ico" + - name: "opendesk-branding" + mountPath: "/app/univention/portal/css/custom.css" + subPath: "custom.css" + - name: "opendesk-branding" + mountPath: "/app/univention/portal/icons/logo.svg" + subPath: "logo.svg" + - name: "opendesk-branding" + mountPath: "/app/univention/portal/icons/logo_small_border.svg" + subPath: "logo_small_border.svg" + - name: "opendesk-branding" + mountPath: "/app/univention/portal/custom/portal_background_image.png" + subPath: "portal_background_image.png" + - name: "opendesk-branding" + mountPath: "/app/univention/portal/custom/portal_background_image.svg" + subPath: "portal_background_image.svg" + +... diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl index ef7b73c8..5e1ce1f6 100644 --- a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl 
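Review bot: Every branding file in values-portal-frontend-custom.yaml is mounted with `subPath`, and a ConfigMap mounted via `subPath` is not refreshed in the running container when the ConfigMap changes, so an update to `ums-stack-data-swp-branding` only takes effect after the pod restarts. That is acceptable for static branding, but it should be stated, e.g. `# subPath mounts are not refreshed on ConfigMap updates; restart the pod after changing the branding ConfigMap`. Adding `readOnly: true` to each mount would also make the overlay's intent explicit.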
@@ -16,11 +16,12 @@ image: extraIngresses: redirects: + enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }} # The TLS configuration is on the "master" Ingress, see below. tls: enabled: false master: - enabled: {{ .Values.ingress.enabled }} + enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }} tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: "{{ .Values.ingress.tls.secretName }}" diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl index decbf998..8222d148 100644 --- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl @@ -13,7 +13,7 @@ portalListener: umcSessionUrl: "http://ums-umc-server/get/session-info" ldapBaseDn: "dc=swp-ldap,dc=internal" - ldapHost: "ums-ldap-server" + ldapHost: "{{ .Values.global.ldap.host }}" ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal" ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}" machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}" diff --git a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl b/helmfile/apps/univention-management-stack/values-portal-server.gotmpl index 8db50b95..b5e39036 100644 --- a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-server.gotmpl 
@@ -7,7 +7,7 @@ portalServer: adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal" authMode: "saml" environment: "staging" - editable: "true" + editable: "false" logLevel: "DEBUG" ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data" umcGetUrl: "http://ums-umc-server/get" diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl index ca605ebc..6c05c6c5 100644 --- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl +++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl 
@@ -4,22 +4,29 @@ SPDX-License-Identifier: Apache-2.0 */}} --- stackDataSwp: - udmApiUsername: "cn=admin" + udmApiUser: "cn=admin" udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} udmApiUrl: "http://ums-udm-rest-api/udm/" loadDevData: true stackDataContext: ldapBase: "dc=swp-ldap,dc=internal" + ldapSearchUsers: + {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }} + - username: {{ printf "ldapsearch_%s" $k | quote }} + password: {{ $v | quote }} + lastname: {{ "LDAP-Search-User" }} + {{- end }} + externalDomainName: "{{ .Values.global.domain }}" externalMailDomain: "{{ .Values.global.domain }}" - portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}" - portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}" - portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}" - portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}" - portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}" - portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}" + portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" + portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}" + portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}" + portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" + portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" oxDefaultContext: "10" diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl index 93499df5..42b59547 100644 
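Review bot: `portalGroupwareLinkBase` is the only link base in this hunk built from `.Values.istio.domain`; its five siblings use `.Values.global.domain`, and every line was rewritten to the hosts-based form, so this reads as a carried-over inconsistency rather than a choice — `portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"` unless the groupware link is genuinely served under the istio domain. Separately, `lastname: {{ "LDAP-Search-User" }}` wraps a literal in a template action to no effect and renders it unquoted; `lastname: "LDAP-Search-User"` says the same thing plainly. The new `range` renders every ldapsearch password into this values document; a comment naming the Kubernetes object the chart places `ldapSearchUsers` into would let reviewers check that it is a Secret rather than a ConfigMap.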
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl +++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl @@ -10,8 +10,22 @@ stackDataUms: loadDevData: true stackDataContext: + domainname: "{{ .Values.global.domain }}" + externalMailDomain: "{{ .Values.global.domain }}" + hostname: "{{ .Values.global.hosts.univentionManagementStack }}" + ldapHost: "{{ .Values.global.ldap.host }}" ldapBase: "dc=swp-ldap,dc=internal" - initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }} + # TODO: This should not be required, the machine account is not there + # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal + ldapHostDn: cn=admin,dc=swp-ldap,dc=internal + + samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor" + samlMetadataUrlInternal: null + samlSpServer: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" + samlSchemes: "https" + ssoFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" + + initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}" # The SWP configuration brings its own UMC policies. installUmcPolicies: false diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl index 2964d5fc..eaa6d98b 100644 --- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl +++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl 
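Review bot: `initialPasswordAdministrator` changes from `{{ ... | quote }}` to a hand-written `"{{ ... }}"`, which drops the escaping that `quote` provides; a password containing `"` or `\` would now break or alter the rendered document, while the sibling `udmApiPassword` in values-stack-data-swp.gotmpl keeps `| quote`. Restore `initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}`. Also `ldapHostDn: cn=admin,dc=swp-ldap,dc=internal` is unquoted while its neighbours are quoted, and the TODO above it already says the admin DN stands in for a missing machine account; quoting it and linking the TODO to its tracking issue would keep the interim nature visible. The `samlMetadataUrl` here duplicates the one in values-ldap-server.gotmpl.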
@@ -4,29 +4,15 @@ SPDX-License-Identifier: Apache-2.0 */}} --- udmRestApi: - apiLogLevel: "4" - authGroups: - dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal" - dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal" - domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal" - ldapHost: "ums-ldap-server" - ldapBaseDn: "dc=swp-ldap,dc=internal" - # TODO: This should not be required, the machine account is not there - # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal - ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal" # TODO: Secret should be entered without b64enc ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}" # TODO: Secret should be entered without b64enc machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}" - # TODO: why do we need this many subprocesses? - numberOfSubprocesses: 8 # TODO: Stub value currently caCert: "" # TODO: This should not be part of the udm-rest-api anymore loadJoinData: enabled: true - # TODO: configurable - tlsMode: "off" image: registry: "{{ .Values.global.imageRegistry }}" diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl b/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl index e337c5b3..22a44cec 100644 --- a/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl +++ b/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl @@ -4,9 +4,17 @@ SPDX-License-Identifier: Apache-2.0 */}} --- umcGateway: - domainname: "{{ .Values.global.domain }}" - hostname: "{{ .Values.global.hosts.univentionManagementStack }}" - ssoFqdn: "localhost:8097" + +extraVolumes: + - name: "entrypoint-swp-patches" + configMap: + name: "ums-stack-data-swp-umc-gateway-entrypoint" + defaultMode: 0555 + +extraVolumeMounts: + - name: "entrypoint-swp-patches" + mountPath: "/entrypoint.d/90-swp.sh" + subPath: "90-swp.sh" image: registry: "{{ .Values.global.imageRegistry }}" 
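Review bot: The umc-gateway hunk mounts a ConfigMap (`ums-stack-data-swp-umc-gateway-entrypoint`) as an executable entrypoint script at `/entrypoint.d/90-swp.sh` with `defaultMode: 0555`, which makes that ConfigMap part of the container's code path: whoever can write it decides what runs in the gateway pod. That is reasonable for an object owned by the stack-data release, but it deserves a comment and an RBAC check, e.g. `# Executable entrypoint patch: this ConfigMap is trusted code and must only be writable by the stack-data release`. The unquoted `0555` relies on YAML 1.1 octal handling (presumably what the chart's loader applies); writing the decimal `365  # 0555` with the octal in a comment removes the ambiguity that yamllint flags.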
diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml deleted file mode 100644 index 97f63a1c..00000000 --- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -umcGateway: - showCookieBanner: true - cookieBannerTitleDE: "Cookie Zustimmung" - cookieBannerTitleEN: "Cookie Consent" - cookieBannerTextDE: >- - Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und - verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre - Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die - Seite. - cookieBannerTextEN: >- - Usage of this site is only possible by storing and processing cookie - information (essential cookies). We require your consent. Please accept to - continue or close the page. - -... diff --git a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl index febffb39..b002c6ab 100644 --- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl +++ b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl 
@@ -4,24 +4,6 @@ SPDX-License-Identifier: Apache-2.0 */}} --- umcServer: - domainname: "{{ .Values.global.domain }}" - hostname: "{{ .Values.global.hosts.univentionManagementStack }}" - ldapHost: "ums-ldap-server" - ldapBaseDn: "dc=swp-ldap,dc=internal" - # TODO: This should not be required, the machine account is not there - # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal - ldapHostDn: cn=admin,dc=swp-ldap,dc=internal - enforceSessionCookie: "true" - - # TODO: The keycloak integration is pending - samlEnabled: false - samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor" - samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor" - samlSpServer: "localhost:8000" - samlSchemes: "http" - - tlsMode: "off" - # TODO: Secret should be entered without b64enc ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}" # TODO: Secret should be entered without b64enc diff --git a/helmfile/apps/univention-management-stack/values-umc-server.yaml b/helmfile/apps/univention-management-stack/values-umc-server.yaml new file mode 100644 index 00000000..b0598b31 --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +umcServer: + certPemFile: "/var/secrets/ssl/tls.crt" + privateKeyFile: "/var/secrets/ssl/tls.key" + +extraVolumes: + - name: "certificates" + secret: + secretName: "opendesk-certificates-tls" + +extraVolumeMounts: + - name: "certificates" + mountPath: "/var/secrets/ssl" + +... diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl new file mode 100644 index 00000000..cf79a1cb --- /dev/null +++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl 
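Review bot: The new values-umc-server.yaml mounts the `opendesk-certificates-tls` Secret, whose `tls.key` is referenced as `privateKeyFile`, without a `defaultMode`, so the private key is exposed inside the pod with the Secret volume's default 0644 permissions. Restrict it with `defaultMode: 0400` under `secret:` (next to `secretName: "opendesk-certificates-tls"`) and add `readOnly: true` to the mount; whether a 0400 file is readable by the umc-server process depends on the uid the chart runs under, which this page does not show, so pair the change with `runAsUser`/`fsGroup` where needed. A short comment above `certPemFile` saying that the certificate is the shared `opendesk-certificates-tls` Secret rather than a per-component one would also help the next reader.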
@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls: false
+  extraTls:
+    - hosts:
+        - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+service:
+  type: "ClusterIP"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+
+    location = / {
+      absolute_redirect off;
+      return 302 /univention/portal/;
+    }
+    location = /univention {
+      absolute_redirect off;
+      return 302 /univention/portal/;
+    }
+    location = /univention/ {
+      absolute_redirect off;
+      return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+      absolute_redirect off;
+      return 302 /univention/portal/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+      proxy_set_header X-Forwarded-Host $host;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+  }
diff --git a/helmfile/apps/xwiki/values.gotmpl b/helmfile/apps/xwiki/values.gotmpl
index b84d162b..bbf4c53d 100644
--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -18,7 +18,7 @@ customConfigs:
   "xwiki.cfg":
     "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
     ## LDAP Server configuration
-    xwiki.authentication.ldap.server: "univention-corporate-container"
+    xwiki.authentication.ldap.server: "{{ .Values.global.ldap.host }}"
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
diff --git a/helmfile/environments/default/global.gotmpl b/helmfile/environments/default/global.gotmpl
index 9a7c47cb..a13f3397 100644
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
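Review bot: None of the `proxy_pass` locations in the new serverBlock forward the client address or original scheme (only `/univention/udm/` sets `X-Forwarded-Host`), so the authentication paths `/univention/auth`, `/univention/login/` and `/univention/saml/` see the gateway pod as the peer, and any backend audit log, lockout or rate limit keyed on the client IP records the gateway instead of the real source. Add at `server` level, before the first `location`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` so the values set by the ingress controller are passed through; whether the Univention backends honour these headers is not visible here and should be checked. The `/univention/udm/` location also publishes the UDM REST API on the public hostname with no access control in the gateway itself; a comment such as `# relies on the UDM REST API's own authentication; the gateway adds none` would make that design decision explicit for the next reader.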
@@ -11,6 +11,12 @@ global: # domain: {{ env "DOMAIN" | default "souvap.cloud" }} + + ## Define LDAP service (supports "ums_eval" from the CI pipeline) + ldap: + host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }} + notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }} + ## Define docker registry address. # imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }} diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml index e6f270cd..02a76a4a 100644 --- a/helmfile/environments/default/images.yaml +++ b/helmfile/environments/default/images.yaml 
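Review bot: The comment above the new `ldap` block says the switch supports `"ums_eval"` (underscore) while both conditions compare `DEPLOY_UCS` with `"ums-eval"` (hyphen); a pipeline that exports the spelling from the comment silently falls through to `univention-corporate-container`, which is the wrong backend, with no render error. Align the comment with the code, e.g. `## Define LDAP service; DEPLOY_UCS="ums-eval" (CI pipeline) selects the UMS evaluation LDAP server, anything else the UCS container`, so the accepted value is stated exactly once. If `DEPLOY_UCS` is only ever unset or "ums-eval", a render-time `fail` on any other value would turn this silent fallback into a visible error, but that depends on how the variable is used elsewhere, which is not visible here.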
@@ -213,67 +213,67 @@ images:
   umsConfigHtpasswd:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "latest"
+    tag: "0.5.2"
     # @supplier: "Univention"
   umsDataLoader:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "latest"
+    tag: "0.15.2"
     # @supplier: "Univention"
   umsLdapNotifier:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "latest"
+    tag: "0.4.1"
     # @supplier: "Univention"
   umsLdapServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "latest"
+    tag: "0.4.1"
     # @supplier: "Univention"
   umsNotificationsApi:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsPortalListener:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsPortalFrontend:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "latest"
+    tag: "0.3.5"
     # @supplier: "Univention"
   umsPortalServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsWaitForDependency:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsStoreDav:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "latest"
+    tag: "0.5.2"
     # @supplier: "Univention"
   umsUdmRestApi:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   umsUmcGateway:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   umsUmcServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-server"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   wellKnown:
     repository: "library/nginx"