From d9263c90110df241adaef8d1a5df8e8d8ceda11b Mon Sep 17 00:00:00 2001 
From: Dominik Kaminski Date: Fri, 16 Feb 2024 13:49:46 +0100 Subject: [PATCH] fix(ci): Update kyverno rules --- .gitlab-ci.yml | 5 +- .gitlab/common/common.yml | 11 +- .gitlab/lint/lint-kyverno.yml | 9 +- .kyverno/policies/_policies.yaml | 158 ++++++++++++++++-- .../disallow-container-sock-mounts.yaml | 80 +++++++++ .../disallow-default-serviceaccount.yaml | 26 ++- .../policies/disallow-host-namespaces.yaml | 33 ++++ .kyverno/policies/disallow-host-path.yaml | 32 ++++ .kyverno/policies/disallow-host-ports.yaml | 38 +++++ .kyverno/policies/disallow-host-process.yaml | 45 +++++ .kyverno/policies/disallow-latest-tag.yaml | 34 +++- .../require-containersecuritycontext.yaml | 73 +++++++- .../require-health-and-liveness-check.yaml | 17 +- .../require-imagepullpolicy-always.yaml | 40 ----- .../policies/require-imagepullpolicy.yaml | 51 ++++++ .../policies/require-imagepullsecets.yaml | 23 --- .../policies/require-requests-limits.yaml | 12 +- .kyverno/policies/require-tag-and-digest.yaml | 10 +- ...es.yaml => template-image-registries.yaml} | 12 +- .kyverno/policies/template-ingress.yaml | 38 +++++ .kyverno/policies/template-replicas.yaml | 29 ++++ .../template-require-imagepullsecets.yaml | 31 ++++ ...ire-storage.yaml => template-storage.yaml} | 24 ++- helmfile/apps/cryptpad/helmfile.yaml | 3 +- helmfile/apps/element/helmfile.yaml | 27 ++- helmfile/apps/intercom-service/helmfile.yaml | 3 +- helmfile/apps/jitsi/helmfile.yaml | 3 +- helmfile/apps/nextcloud/helmfile.yaml | 6 +- .../nextcloud/values-nextcloud.yaml.gotmpl | 6 +- helmfile/apps/open-xchange/helmfile.yaml | 6 +- .../apps/openproject-bootstrap/helmfile.yaml | 3 +- helmfile/apps/openproject/helmfile.yaml | 3 +- helmfile/apps/openproject/values.yaml.gotmpl | 4 +- helmfile/apps/provisioning/helmfile.yaml | 3 +- .../values-oxconnector.yaml.gotmpl | 2 + helmfile/apps/services/helmfile.yaml | 33 ++-- .../apps/services/values-mariadb.yaml.gotmpl | 2 +- .../services/values-memcached.yaml.gotmpl | 2 + 
.../apps/services/values-minio.yaml.gotmpl | 6 +- .../services/values-postgresql.yaml.gotmpl | 2 +- .../univention-management-stack/helmfile.yaml | 63 ++++--- helmfile/apps/xwiki/helmfile.yaml | 3 +- helmfile/apps/xwiki/values.yaml.gotmpl | 3 +- .../environments/default/persistence.yaml | 2 +- helmfile/environments/default/replicas.yaml | 10 +- helmfile/environments/default/selinux.yaml | 2 +- helmfile/environments/test/values.yaml.gotmpl | 52 +++++- 47 files changed, 898 insertions(+), 182 deletions(-) create mode 100644 .kyverno/policies/disallow-container-sock-mounts.yaml create mode 100644 .kyverno/policies/disallow-host-namespaces.yaml create mode 100644 .kyverno/policies/disallow-host-path.yaml create mode 100644 .kyverno/policies/disallow-host-ports.yaml create mode 100644 .kyverno/policies/disallow-host-process.yaml delete mode 100644 .kyverno/policies/require-imagepullpolicy-always.yaml create mode 100644 .kyverno/policies/require-imagepullpolicy.yaml delete mode 100644 .kyverno/policies/require-imagepullsecets.yaml rename .kyverno/policies/{restrict-image-registries.yaml => template-image-registries.yaml} (61%) create mode 100644 .kyverno/policies/template-ingress.yaml create mode 100644 .kyverno/policies/template-replicas.yaml create mode 100644 .kyverno/policies/template-require-imagepullsecets.yaml rename .kyverno/policies/{require-storage.yaml => template-storage.yaml} (56%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 826b4c63..83bd49c3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -482,7 +482,8 @@ avscan-prepare: yq '.images | with_entries(.key |= "scan-" + .) | .[].extends=".container-clamav" - | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry) + | with(.[]; .variables.CONTAINER_IMAGE = .repository + | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry) | del(.[].repository) | del(.[].tag) | del(.[].registry)' 
@@ -595,7 +596,7 @@ release: - | echo -e "\n[INFO] Writing data to helm value file..." cat <helmfile/environments/default/global.generated.yaml - # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" + # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- global: diff --git a/.gitlab/common/common.yml b/.gitlab/common/common.yml index b7b2c284..e33e9fa5 100644 --- a/.gitlab/common/common.yml +++ b/.gitlab/common/common.yml @@ -2,14 +2,13 @@ # SPDX-License-Identifier: Apache-2.0 --- variables: - OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\ - @sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6" - OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\ - @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85" + OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.3\ + @sha256:4630299fddf4248af1ad04528f0435d78f5b2694a154c99fe72b960260a7be61" + OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.4\ + @sha256:386e84e2c85c33537479e4bb1e1fe744c9cce5e87bcb9a3a384dcdc1727c19c0" .common: cache: {} needs: [] - tags: - - "docker" + tags: [] ... diff --git a/.gitlab/lint/lint-kyverno.yml b/.gitlab/lint/lint-kyverno.yml index f89aa6b9..9bd8af90 100644 --- a/.gitlab/lint/lint-kyverno.yml +++ b/.gitlab/lint/lint-kyverno.yml 
@@ -27,7 +27,14 @@ lint-kyverno: script: - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}" - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml" - - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}" + - > + node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests + -d ${CI_PROJECT_DIR}/.kyverno + -t required + -s manifest + -f opendesk.yaml + --skip-tests true + ${APP} - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml" - "cd ${CI_PROJECT_DIR}/.kyverno" - "kyverno test ." diff --git a/.kyverno/policies/_policies.yaml b/.kyverno/policies/_policies.yaml index 2eda2bae..c2e0cd52 100644 --- a/.kyverno/policies/_policies.yaml +++ b/.kyverno/policies/_policies.yaml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- pod: @@ -12,7 +12,7 @@ pod: - "Pod" - "DaemonSet" - name: "disallow-default-serviceaccount" - rule: "require-sa" + rule: "disallow-default-serviceAccountName" type: "required" kinds: - "StatefulSet" @@ -20,8 +20,8 @@ pod: - "Job" - "Pod" - "DaemonSet" - - name: "require-imagepullsecrets" - rule: "require-imagepullsecrets" + - name: "template-imagepullsecrets" + rule: "template-imagePullSecrets" type: "required" kinds: - "StatefulSet" @@ -30,7 +30,7 @@ pod: - "Pod" - "DaemonSet" - name: "disallow-latest-tag" - rule: "validate-image-tag" + rule: "disallow-latest-tag" type: "required" kinds: - "StatefulSet" 
@@ -38,8 +38,17 @@ pod: - "Job" - "Pod" - "DaemonSet" - - name: "require-imagepullpolicy-always" - rule: "require-imagepullpolicy-always" + - name: "disallow-latest-tag" + rule: "require-image-tag-or-digest" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "require-imagepullpolicy" + rule: "require-imagePullPolicy" type: "required" kinds: - "StatefulSet" @@ -55,23 +64,23 @@ pod: - "Deployment" - "Pod" - "DaemonSet" - - name: "require-storage" - rule: "require-storageclass-pvc" + - name: "template-storage" + rule: "template-storageClassName-pod" type: "required" kinds: - "PersistentVolumeClaim" - - name: "require-storage" - rule: "require-storageclass-pod" + - name: "template-storage" + rule: "template-storageClassName-pvc" type: "required" kinds: - "StatefulSet" - - name: "require-storage" - rule: "require-storage-size-pvc" + - name: "template-storage" + rule: "template-requests-storage-pod" type: "required" kinds: - "PersistentVolumeClaim" - - name: "require-storage" - rule: "require-storage-size-pod" + - name: "template-storage" + rule: "template-requests-storage-pvc" type: "required" kinds: - "StatefulSet" @@ -84,8 +93,8 @@ pod: - "Job" - "Pod" - "DaemonSet" - - name: "restrict-image-registries" - rule: "validate-registries" + - name: "template-image-registries" + rule: "template-image-registries" type: "required" kinds: - "StatefulSet" 
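Review bot: In the four `template-storage` entries of the `@@ -55` hunk the rule/kind pairing appears inverted: `template-storageClassName-pod` is now registered for `PersistentVolumeClaim` and `template-storageClassName-pvc` for `StatefulSet`, and likewise `template-requests-storage-pod` for `PersistentVolumeClaim` and `template-requests-storage-pvc` for `StatefulSet`, while the removed lines paired the `-pvc` rules with PersistentVolumeClaim and the `-pod` rules with StatefulSet. template-storage.yaml is not in view here, so if its rule names do not follow the suffix convention this is only a naming oddity; otherwise the kinds should be swapped back, i.e. `rule: "template-storageClassName-pvc"` and `rule: "template-requests-storage-pvc"` under `PersistentVolumeClaim`, the `-pod` rules under `StatefulSet`. A mis-registration here would make `kyverno test` exercise each rule against the wrong resource kind, so the mismatch would not surface as a failing test.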
@@ -165,4 +174,119 @@ pod: - "Job" - "Pod" - "DaemonSet" + - name: "require-containersecuritycontext" + rule: "require-empty-seLinuxOptions" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "require-containersecuritycontext" + rule: "require-default-procMount" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "require-containersecuritycontext" + rule: "restrict-sysctls" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-container-sock-mounts" + rule: "validate-docker-sock-mount" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-container-sock-mounts" + rule: "validate-containerd-sock-mount" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-container-sock-mounts" + rule: "validate-crio-sock-mount" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-container-sock-mounts" + rule: "validate-dockerd-sock-mount" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-host-namespaces" + rule: "disallow-host-namespaces" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-host-path" + rule: "disallow-host-path" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-host-ports" + rule: "disallow-host-ports" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "disallow-host-process" + rule: "disallow-host-process" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" + - "Job" + - "Pod" + - "DaemonSet" + - name: "template-ingress" + 
rule: "template-ingressClassName" + type: "required" + kinds: + - "Ingress" + - name: "template-ingress" + rule: "template-tls-secretName" + type: "required" + kinds: + - "Ingress" + - name: "template-replicas" + rule: "template-replicas" + type: "required" + kinds: + - "StatefulSet" + - "Deployment" ... diff --git a/.kyverno/policies/disallow-container-sock-mounts.yaml b/.kyverno/policies/disallow-container-sock-mounts.yaml new file mode 100644 index 00000000..acadd3da --- /dev/null +++ b/.kyverno/policies/disallow-container-sock-mounts.yaml 
@@ -0,0 +1,80 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-container-sock-mounts" + annotations: + policies.kyverno.io/title: "Disallow CRI socket mounts" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + Container daemon socket bind mounts allow access to the container engine on the node. + This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should + not be allowed. + This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. + In addition to or replacement of this policy, preventing users from mounting the parent directories + (/var/run and /var) may be necessary to completely prevent socket bind mounts. +spec: + background: true + rules: + - name: "validate-docker-sock-mount" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: "Use of the Docker Unix socket is not allowed." + anyPattern: + - spec: + =(volumes): + - =(hostPath): + path: "!/var/run/docker.sock" + - spec: + =(volumes): + - name: "validate-containerd-sock-mount" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: "Use of the Containerd Unix socket is not allowed." + anyPattern: + - spec: + =(volumes): + - =(hostPath): + path: "!/var/run/containerd/containerd.sock" + - spec: + =(volumes): + - name: "validate-crio-sock-mount" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: "Use of the CRI-O Unix socket is not allowed." + anyPattern: + - spec: + =(volumes): + - =(hostPath): + path: "!/var/run/crio/crio.sock" + - spec: + =(volumes): + - name: "validate-dockerd-sock-mount" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: "Use of the Docker CRI socket is not allowed." 
+ anyPattern: + - spec: + =(volumes): + - =(hostPath): + path: "!/var/run/cri-dockerd.sock" + - spec: + =(volumes): diff --git a/.kyverno/policies/disallow-default-serviceaccount.yaml b/.kyverno/policies/disallow-default-serviceaccount.yaml index c0d03064..ef2d894e 100644 --- a/.kyverno/policies/disallow-default-serviceaccount.yaml +++ b/.kyverno/policies/disallow-default-serviceaccount.yaml @@ -1,10 +1,20 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: "disallow-default-serviceaccount" + annotations: + policies.kyverno.io/title: "Prevent default ServiceAccount privilege escalation" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + Kubernetes automatically creates a ServiceAccount object named default for every namespace in your cluster. + These default service accounts get no permissions by default. + Accidental or intended assignment of permissions on the default service account results in elevated permissions + for all pods with default service account assigned. + This risk can be mitigated by creating a custom ServiceAccount for each application or reduce the risk by disable + auto mounting the default service account into the pod. spec: background: true rules: 
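Review bot: The new ClusterPolicies disallow-container-sock-mounts, disallow-host-namespaces, disallow-host-path, disallow-host-ports and disallow-host-process set no `validationFailureAction`, whereas the policies this commit edits (disallow-default-serviceaccount, disallow-latest-tag, require-imagepullpolicy) carry `validationFailureAction: "audit"` explicitly, so for the new files the mode falls back to Kyverno's default; adding `  validationFailureAction: "audit"` under `spec:` in each keeps the files consistent and the intended mode visible. Each rule here compares the socket path as an exact string, so a parent-directory hostPath is not caught, as the description itself says; since disallow-host-path.yaml in this commit rejects every hostPath volume, a comment stating that this policy is a more specific layer underneath that one would make the overlap deliberate. The second `anyPattern` alternative, `- spec:` with an empty `=(volumes):`, is repeated in all four rules and in disallow-host-path.yaml without explanation; because `=(volumes)` already makes the list optional, a one-line comment naming the pod shape that branch is meant to accept would save the next reader the inference.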
@@ -12,11 +22,15 @@ spec: resources: kinds: - "Pod" - name: "require-sa" + name: "disallow-default-serviceAccountName" validate: - message: "serviceAccountName must be set to anything other than 'default'." - pattern: - spec: - serviceAccountName: "!default" + message: >- + Field serviceAccountName must be set to anything other than 'default'. + When serviceAccountName is 'default' then automountServiceAccountToken must set to 'false' . + anyPattern: + - spec: + serviceAccountName: "!default" + - spec: + automountServiceAccountToken: "false" validationFailureAction: "audit" ... diff --git a/.kyverno/policies/disallow-host-namespaces.yaml b/.kyverno/policies/disallow-host-namespaces.yaml new file mode 100644 index 00000000..8e9ef117 --- /dev/null +++ b/.kyverno/policies/disallow-host-namespaces.yaml @@ -0,0 +1,33 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-host-namespaces" + annotations: + policies.kyverno.io/title: "Disallow Host Namespaces" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access + to shared information and can be used to elevate privileges. + Pods should not be allowed access to host namespaces. + This policy ensures fields which make use of these host namespaces are unset or set to `false`. +spec: + background: true + rules: + - name: "disallow-host-namespaces" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: >- + Sharing the host namespaces is disallowed. The fields spec.hostNetwork, + spec.hostIPC, and spec.hostPID must be unset or set to `false`. + pattern: + spec: + =(hostPID): "false" + =(hostIPC): "false" + =(hostNetwork): "false" 
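Review bot: The new message text `automountServiceAccountToken must set to 'false' .` is missing a verb and has a stray space before the period; suggest `When serviceAccountName is 'default', automountServiceAccountToken must be set to 'false'.` As I read Kyverno's pattern semantics, the unanchored `serviceAccountName` key in the first alternative has to be present, so a Pod that omits it (and therefore runs as `default`) can only pass through the second alternative, which is what the message describes, so the logic looks consistent with the wording once the typo is fixed.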
diff --git a/.kyverno/policies/disallow-host-path.yaml b/.kyverno/policies/disallow-host-path.yaml new file mode 100644 index 00000000..f613eb78 --- /dev/null +++ b/.kyverno/policies/disallow-host-path.yaml @@ -0,0 +1,32 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-host-path" + annotations: + policies.kyverno.io/title: "Disallow hostPath" + policies.kyverno.io/subject: "Pod,Volume" + policies.kyverno.io/description: >- + HostPath volumes let Pods use host directories and volumes in containers. + Using host resources can be used to access shared data or escalate privileges and should not be allowed. + This policy ensures no hostPath volumes are in use. +spec: + background: true + rules: + - name: "disallow-host-path" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: >- + HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. + anyPattern: + - spec: + =(volumes): + - X(hostPath): "null" + - spec: + =(volumes): diff --git a/.kyverno/policies/disallow-host-ports.yaml b/.kyverno/policies/disallow-host-ports.yaml new file mode 100644 index 00000000..6e58524c --- /dev/null +++ b/.kyverno/policies/disallow-host-ports.yaml 
@@ -0,0 +1,38 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-host-ports" + annotations: + policies.kyverno.io/title: "Disallow hostPorts" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum + restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`. +spec: + background: true + rules: + - name: "disallow-host-ports" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: >- + Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort + , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort + must either be unset or set to `0`. + pattern: + spec: + =(ephemeralContainers): + - =(ports): + - =(hostPort): 0 + =(initContainers): + - =(ports): + - =(hostPort): 0 + containers: + - =(ports): + - =(hostPort): 0 diff --git a/.kyverno/policies/disallow-host-process.yaml b/.kyverno/policies/disallow-host-process.yaml new file mode 100644 index 00000000..315e51ff --- /dev/null +++ b/.kyverno/policies/disallow-host-process.yaml 
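Review bot: In the folded `message` the comma separating the first two field paths sits at the start of the second line, so the rendered text reads `...ports[*].hostPort , spec.initContainers...`; move it to the end of the preceding line, `The fields spec.containers[*].ports[*].hostPort,` followed by `spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort`. The pattern itself covers the same three container lists the message names, so only the wording needs the change.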
@@ -0,0 +1,45 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-host-process" + annotations: + policies.kyverno.io/title: "Disallow hostProcess" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. + Privileged access to the host is disallowed in the baseline policy. + HostProcess pods are an alpha feature as of Kubernetes v1.22. + This policy ensures the `hostProcess` field, if present, is set to `false`. +spec: + background: true + rules: + - name: "disallow-host-process" + match: + any: + - resources: + kinds: + - "Pod" + validate: + message: >- + HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, + spec.containers[*].securityContext.windowsOptions.hostProcess, + spec.initContainers[*].securityContext.windowsOptions.hostProcess, and + spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to + `false`. + pattern: + spec: + =(ephemeralContainers): + - =(securityContext): + =(windowsOptions): + =(hostProcess): "false" + =(initContainers): + - =(securityContext): + =(windowsOptions): + =(hostProcess): "false" + containers: + - =(securityContext): + =(windowsOptions): + =(hostProcess): "false" diff --git a/.kyverno/policies/disallow-latest-tag.yaml b/.kyverno/policies/disallow-latest-tag.yaml index 0f7480f5..0d873d75 100644 --- a/.kyverno/policies/disallow-latest-tag.yaml +++ b/.kyverno/policies/disallow-latest-tag.yaml 
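Review bot: The description's sentence `HostProcess pods are an alpha feature as of Kubernetes v1.22.` is out of date — Windows HostProcess containers have since reached general availability — and a stale version note in a policy annotation tends to be read as the reason the policy exists. Suggest dropping that sentence or replacing it with `HostProcess containers are a Windows-only feature that the baseline Pod Security Standard disallows.`, which states the actual rationale; the pattern itself needs no change.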
@@ -1,10 +1,18 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: "disallow-latest-tag" + annotations: + policies.kyverno.io/title: "Disallow usage of latest tag" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + The ':latest' tag is mutable and can lead to unexpected errors if the image changes. + A best practice is to use an immutable tag that maps to a specific version of an application Pod. + This policy validates that the image specifies a tag and that it is not called `latest`. + Defining no image tag or digest result in the container engine retrieving the latest tag. spec: background: true rules: @@ -12,7 +20,7 @@ spec: resources: kinds: - "Pod" - name: "validate-image-tag" + name: "disallow-latest-tag" validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." pattern: @@ -23,5 +31,27 @@ spec: - image: "!*:latest" containers: - image: "!*:latest" + - match: + resources: + kinds: + - "Pod" + name: "require-image-tag-or-digest" + validate: + message: "A image tag or a digest is required, otherwise latest tag is chosen." + anyPattern: + - spec: + =(ephemeralContainers): + - image: "*:*" + =(initContainers): + - image: "*:*" + containers: + - image: "*:*" + - spec: + =(ephemeralContainers): + - image: "*@*" + =(initContainers): + - image: "*@*" + containers: + - image: "*@*" validationFailureAction: "audit" ... diff --git a/.kyverno/policies/require-containersecuritycontext.yaml b/.kyverno/policies/require-containersecuritycontext.yaml index ec1e9b44..e3947269 100644 --- a/.kyverno/policies/require-containersecuritycontext.yaml +++ b/.kyverno/policies/require-containersecuritycontext.yaml 
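Review bot: In the new `require-image-tag-or-digest` rule the pattern `"*:*"` treats any colon as the tag separator, so an untagged image on a registry host that carries a port (for example `registry.example:5000/app`) is accepted even though the runtime will resolve it to `latest`, which is exactly what the message says the rule prevents. A `deny` rule over Kyverno's `images` context variable, which parses registry, tag and digest separately, would avoid that ambiguity if it matters for the charts in this repository. Also, the digest alternative `"*@*"` does not require a tag while require-tag-and-digest.yaml in this same commit states that tag and digest are both required, so a comment noting that this rule is deliberately the weaker check would avoid confusion; and `A image tag` in the message should read `An image tag`.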
@@ -1,10 +1,16 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: "require-containersecuritycontext" + annotations: + policies.kyverno.io/title: "ContainerSecurityContext best practices are set." + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + The containerSecurityContext is the most important security-related section because it has the highest precedence + and restricts the container to its minimal privileges. spec: background: true rules: 
@@ -169,5 +175,70 @@ spec: - securityContext: runAsNonRoot: true + - name: "require-empty-seLinuxOptions" + match: + resources: + kinds: + - "Pod" + validate: + message: "SELinux options have to be unset." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + seLinuxOptions: + =(initContainers): + - securityContext: + seLinuxOptions: + containers: + - securityContext: + seLinuxOptions: + + - name: "require-default-procMount" + match: + resources: + kinds: + - "Pod" + validate: + message: >- + Changing the proc mount from the default is not allowed. The fields + spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount, + and spec.ephemeralContainers[*].securityContext.procMount must be unset or + set to `Default`. + pattern: + spec: + =(ephemeralContainers): + - =(securityContext): + =(procMount): "Default" + =(initContainers): + - =(securityContext): + =(procMount): "Default" + containers: + - =(securityContext): + =(procMount): "Default" + + - name: "restrict-sysctls" + match: + resources: + kinds: + - "Pod" + validate: + message: >- + Setting additional sysctls above the allowed type is not allowed. + The field spec.securityContext.sysctls must be unset or not use any other names + than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, + net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and + net.ipv4.ping_group_range. + pattern: + spec: + =(securityContext): + =(sysctls): + - =(name): >- + kernel.shm_rmid_forced | + net.ipv4.ip_local_port_range | + net.ipv4.ip_unprivileged_port_start | + net.ipv4.tcp_syncookies | + net.ipv4.ping_group_range + validationFailureAction: "audit" ... diff --git a/.kyverno/policies/require-health-and-liveness-check.yaml b/.kyverno/policies/require-health-and-liveness-check.yaml index 87021d21..329a8eb7 100644 --- a/.kyverno/policies/require-health-and-liveness-check.yaml +++ b/.kyverno/policies/require-health-and-liveness-check.yaml 
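Review bot: In `require-empty-seLinuxOptions` the pattern keys `securityContext:` and `seLinuxOptions:` carry neither a value nor an anchor while the message says the options "have to be unset"; as I read Kyverno's pattern semantics an unanchored key must be present in the resource, which is the opposite of the message, and the matching behaviour of the empty value is not obvious to a reader. If the intent is "must be absent", the form this commit already uses in disallow-host-path.yaml states it explicitly: `=(securityContext):` with `X(seLinuxOptions): "null"` beneath it; if the intent is instead that the charts render an empty `seLinuxOptions` (the helmfile selinux.yaml change in this commit hints at that), a comment above the rule saying so would settle it. The `restrict-sysctls` rule's folded `|`-separated allow list is fine, but a comment naming it as the Pod Security Standard "safe sysctls" set would explain where the five names come from.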
@@ -1,10 +1,20 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: "require-health-and-liveness-check" + annotations: + policies.kyverno.io/title: "Disallow usage of latest tag" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments, + restarts, and upgrades. + For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are + running or need to be restarted. + A `readinessProbe` is used by Services and Pods to determine if the Pod is ready to receive network traffic. + This policy validates that all containers have livenessProbe and readinessProbe defined. spec: background: true rules: @@ -14,8 +24,9 @@ spec: - "Pod" name: "require-health-and-liveness-check" validate: - message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds - must be set to a value greater than 0." + message: >- + Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds must be set to a + value greater than 0. pattern: spec: containers: diff --git a/.kyverno/policies/require-imagepullpolicy-always.yaml b/.kyverno/policies/require-imagepullpolicy-always.yaml deleted file mode 100644 index b4da3842..00000000 --- a/.kyverno/policies/require-imagepullpolicy-always.yaml +++ /dev/null 
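Review bot: The new annotation `policies.kyverno.io/title: "Disallow usage of latest tag"` is copied from disallow-latest-tag.yaml and does not describe this policy; the same title appears in the new require-imagepullpolicy.yaml. Suggest `policies.kyverno.io/title: "Require liveness and readiness probes"` here and `policies.kyverno.io/title: "Require imagePullPolicy matching the image tag"` there, so that tooling that lists policies by title does not show three policies under one name.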
@@ -1,40 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -apiVersion: "kyverno.io/v1" -kind: "ClusterPolicy" -metadata: - name: "require-imagepullpolicy-always" -spec: - background: true - rules: - - match: - resources: - kinds: - - "Pod" - name: "require-imagepullpolicy-always" - validate: - message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used." - anyPattern: - - spec: - =(ephemeralContainers): - - (image): "*:latest" - imagePullPolicy: "Always" - =(initContainers): - - (image): "*:latest" - imagePullPolicy: "Always" - containers: - - (image): "*:latest" - imagePullPolicy: "Always" - - spec: - =(ephemeralContainers): - - (image): "!*:latest" - imagePullPolicy: "IfNotPresent" - =(initContainers): - - (image): "!*:latest" - imagePullPolicy: "IfNotPresent" - containers: - - (image): "!*:latest" - imagePullPolicy: "IfNotPresent" - validationFailureAction: "audit" -... diff --git a/.kyverno/policies/require-imagepullpolicy.yaml b/.kyverno/policies/require-imagepullpolicy.yaml new file mode 100644 index 00000000..92eb0eea --- /dev/null +++ b/.kyverno/policies/require-imagepullpolicy.yaml 
@@ -0,0 +1,51 @@ +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-imagepullpolicy" + annotations: + policies.kyverno.io/title: "Disallow usage of latest tag" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to + ensure later pulls get an updated image in case the latest tag gets updated. + This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or + where a tag is not defined at all. + Additionally this policy checks if the variable `.Values.global.imagePullPolicy` is used in templates. +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "require-imagePullPolicy" + validate: + message: >- + The imagePullPolicy must be set to `Always` when the `latest` tag is used, otherwise the value from + `.Values.global.imagePullPolicy` has to be used. + anyPattern: + - spec: + =(ephemeralContainers): + - (image): "*:latest | !*:*" + imagePullPolicy: "Always" + =(initContainers): + - (image): "*:latest | !*:*" + imagePullPolicy: "Always" + containers: + - (image): "*:latest | !*:*" + imagePullPolicy: "Always" + - spec: + =(ephemeralContainers): + - (image): "!*:latest" + imagePullPolicy: "kyverno" + =(initContainers): + - (image): "!*:latest" + imagePullPolicy: "kyverno" + containers: + - (image): "!*:latest" + imagePullPolicy: "kyverno" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/require-imagepullsecets.yaml b/.kyverno/policies/require-imagepullsecets.yaml deleted file mode 100644 index 16211cea..00000000 --- a/.kyverno/policies/require-imagepullsecets.yaml +++ /dev/null 
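Review bot: The second `anyPattern` alternative accepts every image that is not `*:latest`, which includes an untagged image, as long as imagePullPolicy is `kyverno`; because `anyPattern` passes when any one branch matches, an untagged image with `imagePullPolicy: kyverno` is accepted even though the first alternative and the description require `Always` for that case. Moving the untagged case into its own rule with a plain `pattern`, as below, makes it unconditional; that rule would also need an entry under `pod:` in `_policies.yaml`. The literal `"kyverno"` is not a valid Kubernetes pull policy, so presumably the test environment renders `.Values.global.imagePullPolicy` as that sentinel to prove the chart wires the value through; a comment above the second alternative such as `# "kyverno" is the sentinel value the test environment sets for global.imagePullPolicy` would save the next reader the inference. The port-in-registry caveat on `*:*` noted for disallow-latest-tag.yaml applies to `!*:*` here as well.
```yaml
  rules:
    # … unchanged: require-imagePullPolicy rule …
    - match:
        resources:
          kinds:
            - "Pod"
      name: "require-imagePullPolicy-untagged"
      validate:
        message: "The imagePullPolicy must be set to `Always` when the image has no tag."
        pattern:
          spec:
            =(ephemeralContainers):
              - (image): "!*:*"
                imagePullPolicy: "Always"
            =(initContainers):
              - (image): "!*:*"
                imagePullPolicy: "Always"
            containers:
              - (image): "!*:*"
                imagePullPolicy: "Always"
```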
@@ -1,23 +0,0 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -apiVersion: "kyverno.io/v1" -kind: "ClusterPolicy" -metadata: - name: "require-imagepullsecrets" -spec: - background: true - rules: - - match: - resources: - kinds: - - "Pod" - name: "require-imagepullsecrets" - validate: - message: "ImagePullSecrets are required." - pattern: - spec: - imagePullSecrets: - - name: "*" - validationFailureAction: "audit" -... diff --git a/.kyverno/policies/require-requests-limits.yaml b/.kyverno/policies/require-requests-limits.yaml index 692ef52e..fcce1e58 100644 --- a/.kyverno/policies/require-requests-limits.yaml +++ b/.kyverno/policies/require-requests-limits.yaml @@ -1,10 +1,20 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: "require-requests-limits" + annotations: + policies.kyverno.io/title: "Require resources cpu/memory request and limits." + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + As application workloads share cluster resources, it is important to limit resources requested and consumed by + each Pod. + It is recommended to require resource requests and limits per Pod, especially for memory and CPU. + If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on + the LimitRange configuration. + This policy validates that all containers have specified requests for memory and CPU and a limit for memory. spec: background: true rules: 
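Review bot: The new title `Require resources cpu/memory request and limits.` and the last description sentence (`requests for memory and CPU and a limit for memory`) disagree on whether a CPU limit is required; the rule body is outside this hunk, so I cannot tell which one is accurate. Align the title with what the pattern actually enforces — if the description is right, `Require CPU/memory requests and a memory limit.` — since these annotations are what the policy report surfaces to chart authors.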
diff --git a/.kyverno/policies/require-tag-and-digest.yaml b/.kyverno/policies/require-tag-and-digest.yaml index 8ba1cd27..a467abdf 100644 --- a/.kyverno/policies/require-tag-and-digest.yaml +++ b/.kyverno/policies/require-tag-and-digest.yaml @@ -1,10 +1,18 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: "require-tag-and-digest" + annotations: + policies.kyverno.io/title: "Require tag and digest for image." + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + To ensure that containers are not compromised in container registry by pushing malicious code to the same tag, it + is required to reference images by setting a sha256 hashed digest. + Setting only the digest is complicated for humans to compare software versions, therefore in openDesk it is + required to reference container images by tag and digest. spec: background: true rules: diff --git a/.kyverno/policies/restrict-image-registries.yaml b/.kyverno/policies/template-image-registries.yaml similarity index 61% rename from .kyverno/policies/restrict-image-registries.yaml rename to .kyverno/policies/template-image-registries.yaml index 7cb6c4b2..264e9a36 100644 --- a/.kyverno/policies/restrict-image-registries.yaml +++ b/.kyverno/policies/template-image-registries.yaml 
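Review bot: The new description overstates what the tag contributes: when an image is referenced as `name:tag@sha256:…`, the container runtime pulls and verifies by digest only and the tag is informational, so the tag can drift from the digest without anything noticing. Suggest adding to the description: `When both are given, the runtime resolves the digest only; the tag is kept for readability and is not checked against the digest, so the digest must be updated together with the tag.` Also `compromised in container registry` reads better as `compromised in the container registry`. The rule body is outside this hunk.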
@@ -1,10 +1,16 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: - name: "restrict-image-registries" + name: "template-image-registries" + annotations: + policies.kyverno.io/title: "Check image registry template" + policies.kyverno.io/subject: "Pod" + policies.kyverno.io/description: >- + This policy verifies that a custom external registry can be template to allow downloads from a private registry or + cache. spec: background: true rules: @@ -12,7 +18,7 @@ spec: resources: kinds: - "Pod" - name: "validate-registries" + name: "template-image-registries" validate: message: "Unknown image registry." pattern: diff --git a/.kyverno/policies/template-ingress.yaml b/.kyverno/policies/template-ingress.yaml new file mode 100644 index 00000000..fbdf21d5 --- /dev/null +++ b/.kyverno/policies/template-ingress.yaml 
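Review bot: The new description has a grammar slip — `can be template to allow downloads` should read `can be templated to allow downloads`. The unchanged failure message `Unknown image registry.` no longer matches the rule's renamed purpose (checking that the registry is templated through the global registry value); `Image registry is not templated via the global registry variable.` would tell a chart author what to fix. The pattern itself is outside this hunk.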
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+ name: "template-ingress"
+ annotations:
+ policies.kyverno.io/title: "Validate openDesk Ingress templating"
+ policies.kyverno.io/subject: "Pod"
+ policies.kyverno.io/description: >-
+ This policy verifies that ingress variables are templated.
+spec:
+ background: true
+ rules:
+ - match:
+ resources:
+ kinds:
+ - "Ingress"
+ name: "template-ingressClassName"
+ validate:
+ message: "Verifies that ingressClassName can be customized by `.Values.ingress.ingressClassName` variable."
+ pattern:
+ spec:
+ ingressClassName: "kyverno"
+ - match:
+ resources:
+ kinds:
+ - "Ingress"
+ name: "template-tls-secretName"
+ validate:
+ message: "Verifies that tls.secretName can be customized by `.Values.ingress.tls.secretName` variable."
+ pattern:
+ spec:
+ tls:
+ - secretName: "kyverno-tls"
+ validationFailureAction: "audit"
+...
diff --git a/.kyverno/policies/template-replicas.yaml b/.kyverno/policies/template-replicas.yaml
new file mode 100644
index 00000000..ac1979a8
--- /dev/null
+++ b/.kyverno/policies/template-replicas.yaml
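Review bot: `policies.kyverno.io/subject: "Pod"` is wrong for this policy — both rules match `Ingress`, so it should be `policies.kyverno.io/subject: "Ingress"`. The `template-tls-secretName` rule also requires every rendered Ingress to carry a `tls` entry with `secretName: "kyverno-tls"`, so an Ingress rendered with TLS disabled fails on a missing `tls` block rather than on templating; if the lint render is expected to enable TLS, say so in the description, otherwise make the block optional with an equality anchor (`=(tls):`) so only a present `tls` entry is checked.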
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+ name: "template-replicas"
+ annotations:
+ policies.kyverno.io/title: "Validate openDesk Pod replicas templating"
+ policies.kyverno.io/subject: "Pod"
+ policies.kyverno.io/description: >-
+ This policy verifies that `.Values.replicas.` variables are templated.
+spec:
+ background: true
+ rules:
+ - match:
+ resources:
+ kinds:
+ - "Deployment"
+ - "StatefulSet"
+ name: "template-replicas"
+ validate:
+ message: "Verifies that replica count can be customized by `.Values.replicas.` variable."
+ pattern:
+ spec:
+ replicas: 42
+
+ validationFailureAction: "audit"
+...
diff --git a/.kyverno/policies/template-require-imagepullsecets.yaml b/.kyverno/policies/template-require-imagepullsecets.yaml
new file mode 100644
index 00000000..d2e0a14b
--- /dev/null
+++ b/.kyverno/policies/template-require-imagepullsecets.yaml
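Review bot: `policies.kyverno.io/subject: "Pod"` does not match the rule, which selects `Deployment` and `StatefulSet`; use `policies.kyverno.io/subject: "Deployment, StatefulSet"`. The blank line between `replicas: 42` and `validationFailureAction: "audit"` is stray compared with the other new policies in this commit. A Deployment whose chart omits `spec.replicas` (typical when an HPA manages it) fails this pattern; if that is intended, the description should say that every openDesk workload must expose a `.Values.replicas.*` entry.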
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+ name: "template-imagepullsecrets"
+ annotations:
+ policies.kyverno.io/title: "ImagePullSecrets template variable have to be implemented."
+ policies.kyverno.io/subject: "Pod"
+ policies.kyverno.io/description: >-
+ It is recommended to cache images to ensure continuous image availability during network partitions, rate limiting
+ or registry outages.
+ These caches as well as a company proxy may require authentication which will be provided as ImagePullSecrets.
+ This is a openDesk test to ensure that environment variables are templated in Helmfile deployment.
+spec:
+ background: true
+ rules:
+ - match:
+ resources:
+ kinds:
+ - "Pod"
+ name: "template-imagePullSecrets"
+ validate:
+ message: "ImagePullSecrets are required."
+ pattern:
+ spec:
+ imagePullSecrets:
+ - name: "kyverno-test"
+ validationFailureAction: "audit"
+...
diff --git a/.kyverno/policies/require-storage.yaml b/.kyverno/policies/template-storage.yaml
similarity index 56%
rename from .kyverno/policies/require-storage.yaml
rename to .kyverno/policies/template-storage.yaml
index 8ed332b0..71a0cce4 100644
--- a/.kyverno/policies/require-storage.yaml
+++ b/.kyverno/policies/template-storage.yaml
@@ -4,7 +4,13 @@ apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata:
- name: "require-storage"
+ name: "template-storage"
+ annotations:
+ policies.kyverno.io/title: "Validate storageClass and size templates."
+ policies.kyverno.io/subject: "Pod"
+ policies.kyverno.io/description: >-
+ This policy validates if `.Values.persistence.storageClassNames` variables are used in templates and if the size
+ of volumes can be customized by `.Values.persistence.size` variable. spec: background: true rules:
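Review bot: The new file name `template-require-imagepullsecets.yaml` carries over the `secets` typo from the file it replaces, while the policy inside is named `template-imagepullsecrets`; rename the file to `template-imagepullsecrets.yaml` so file and policy names agree (if `_policies.yaml` lists files by name, it is outside this hunk and needs the same change). In the description, `This is a openDesk test to ensure that environment variables are templated` should read `This is an openDesk test to ensure that the pull-secret name is templated from the Helmfile values` — the `kyverno-test` sentinel presumably comes from a values override for the lint render, not from an environment variable. The validate message `ImagePullSecrets are required.` is carried over unchanged, but the rule now fails on any secret name other than the sentinel; `imagePullSecrets must be templated from the global pull-secret value.` describes the actual check.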
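Review bot: `policies.kyverno.io/subject: "Pod"` does not fit `template-storage`, whose rules (visible in the later hunks of this file) match `StatefulSet` and `PersistentVolumeClaim`; use `policies.kyverno.io/subject: "StatefulSet, PersistentVolumeClaim"`. The description names the variable `.Values.persistence.storageClassNames` (plural) while the title says `storageClass`; spell it exactly as the values key is defined, which is not visible in this diff, so chart authors can grep for it.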
@@ -12,9 +18,9 @@ spec: resources: kinds: - "StatefulSet" - name: "require-storageclass-pod" + name: "template-storageClassName-pod" validate: - message: "VolumeClaims inside pods need to have storageClass set when templated." + message: "VolumeClaims inside pods needs to have storageClass set when templated." pattern: spec: (volumeClaimTemplates): @@ -24,9 +30,9 @@ spec: resources: kinds: - "PersistentVolumeClaim" - name: "require-storageclass-pvc" + name: "template-storageClassName-pvc" validate: - message: "Persistent Volume Claim need to have storageClassName set when templated." + message: "PersistentVolumeClaim needs to have storageClassName set when templated." pattern: spec: storageClassName: "kyverno-test" @@ -35,9 +41,9 @@ spec: resources: kinds: - "StatefulSet" - name: "require-storage-size-pod" + name: "template-requests-storage-pod" validate: - message: "VolumeClaims inside pods need to have storageClass set when templated." + message: "VolumeClaims inside pods needs to have storageClass set when templated." pattern: spec: (volumeClaimTemplates): @@ -49,9 +55,9 @@ spec: resources: kinds: - "PersistentVolumeClaim" - name: "require-storage-size-pvc" + name: "template-requests-storage-pvc" validate: - message: "Persistent Volume Claim need to have storageClassName set when templated." + message: "PersistentVolumeClaim needs to have storageClassName set when templated." pattern: spec: resources: diff --git a/helmfile/apps/cryptpad/helmfile.yaml b/helmfile/apps/cryptpad/helmfile.yaml index 051005ff..c78e47a8 100644 --- a/helmfile/apps/cryptpad/helmfile.yaml +++ b/helmfile/apps/cryptpad/helmfile.yaml 
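Review bot: The two renamed size rules, `template-requests-storage-pod` and `template-requests-storage-pvc`, keep the messages copied from the storageClass rules (`VolumeClaims inside pods needs to have storageClass set when templated.` / `PersistentVolumeClaim needs to have storageClassName set when templated.`) although their patterns, outside this hunk, check `resources.requests.storage`; a failure would point the author at the wrong field. Suggest `VolumeClaims inside pods need to have their storage size templated via .Values.persistence.size.` and `PersistentVolumeClaim needs to have its storage size templated via .Values.persistence.size.`. The wording change `need` → `needs` for the plural subject `VolumeClaims` is also a grammar regression in both pod rules.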
@@ -13,7 +13,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\ + {{ .Values.charts.cryptpad.repository }}" releases: - name: "cryptpad" diff --git a/helmfile/apps/element/helmfile.yaml b/helmfile/apps/element/helmfile.yaml index aec18b00..7ab6c6ca 100644 --- a/helmfile/apps/element/helmfile.yaml +++ b/helmfile/apps/element/helmfile.yaml 
@@ -13,35 +13,40 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\ + {{ .Values.charts.element.repository }}" - name: "element-well-known-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.elementWellKnown.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\ + {{ .Values.charts.elementWellKnown.repository }}" - name: "synapse-web-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.synapseWeb.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\ + {{ .Values.charts.synapseWeb.repository }}" - name: "synapse-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.synapse.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\ + {{ .Values.charts.synapse.repository }}" - name: 
"synapse-create-account-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.synapseCreateAccount.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\ + {{ .Values.charts.synapseCreateAccount.repository }}" # openDesk Matrix Widgets # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets 
@@ -59,28 +64,32 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\ + {{ .Values.charts.matrixNeoboardWidget.repository }}" - name: "matrix-neochoice-widget-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.matrixNeoboardWidget.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\ + {{ .Values.charts.matrixNeoboardWidget.repository }}" - name: "matrix-neodatefix-widget-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.matrixNeodatefixWidget.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\ + {{ .Values.charts.matrixNeodatefixWidget.repository }}" - name: "matrix-neodatefix-bot-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.matrixNeodatefixBot.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry 
}}/{{ .Values.charts.matrixNeodatefixBot.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\ + {{ .Values.charts.matrixNeodatefixBot.repository }}" releases: diff --git a/helmfile/apps/intercom-service/helmfile.yaml b/helmfile/apps/intercom-service/helmfile.yaml index 0ce14450..4f451b66 100644 --- a/helmfile/apps/intercom-service/helmfile.yaml +++ b/helmfile/apps/intercom-service/helmfile.yaml @@ -13,7 +13,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\ + {{ .Values.charts.intercomService.repository }}" releases: - name: "intercom-service" diff --git a/helmfile/apps/jitsi/helmfile.yaml b/helmfile/apps/jitsi/helmfile.yaml index 9d78a4f5..64170370 100644 --- a/helmfile/apps/jitsi/helmfile.yaml +++ b/helmfile/apps/jitsi/helmfile.yaml @@ -13,7 +13,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\ + {{ .Values.charts.jitsi.repository }}" releases: - name: "jitsi" diff --git a/helmfile/apps/nextcloud/helmfile.yaml b/helmfile/apps/nextcloud/helmfile.yaml index e3423a47..840ffeeb 100644 --- a/helmfile/apps/nextcloud/helmfile.yaml +++ b/helmfile/apps/nextcloud/helmfile.yaml 
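Review bot: `matrix-neochoice-widget-repo` is wired to the wrong chart values: its `verify`, registry and repository all read `.Values.charts.matrixNeoboardWidget.*`, identical to the `matrix-neoboard-widget-repo` entry directly above, so the neochoice release would be fetched (and its signature checked) from the neoboard repository — the pre-existing `-` line has the same mistake and this hunk rewraps it without fixing it. It should presumably read `verify: {{ .Values.charts.matrixNeochoiceWidget.verify }}` and `url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeochoiceWidget.registry }}/\` + `{{ .Values.charts.matrixNeochoiceWidget.repository }}"`, assuming such a `charts.matrixNeochoiceWidget` entry exists; the values defaults are not in this diff.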
@@ -13,14 +13,16 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\ + {{ .Values.charts.nextcloudManagement.repository }}" - name: "nextcloud-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.nextcloud.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\ + {{ .Values.charts.nextcloud.repository }}" releases: - name: "opendesk-nextcloud-management" diff --git a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl index e183b7ee..57697df9 100644 --- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl @@ -40,7 +40,7 @@ exporter: enabled: {{ .Values.prometheus.prometheusRules.enabled }} additionalLabels: {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }} - replicas: {{ .Values.replicas.nextcloudExporter }} + replicaCount: {{ .Values.replicas.nextcloudExporter }} resources: {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }} @@ -97,7 +97,7 @@ php: enabled: {{ .Values.prometheus.prometheusRules.enabled }} additionalLabels: {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }} - replicas: {{ .Values.replicas.nextcloudPHP }} + replicaCount: {{ .Values.replicas.nextcloudPHP }} resources: {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }} 
@@ -130,7 +130,7 @@ apache2: repository: {{ .Values.images.nextcloudApache2.repository | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.nextcloudApache2.tag | quote }} - replicas: {{ .Values.replicas.nextcloudApache2 }} + replicaCount: {{ .Values.replicas.nextcloudApache2 }} resources: {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }} ... diff --git a/helmfile/apps/open-xchange/helmfile.yaml b/helmfile/apps/open-xchange/helmfile.yaml index 83365b45..bf0a6462 100644 --- a/helmfile/apps/open-xchange/helmfile.yaml +++ b/helmfile/apps/open-xchange/helmfile.yaml @@ -13,14 +13,16 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\ + {{ .Values.charts.dovecot.repository }}" # Open-Xchange - name: "open-xchange-repo" username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\ + {{ .Values.charts.openXchangeAppSuite.repository }}" # openDesk Open-Xchange Bootstrap # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap diff --git a/helmfile/apps/openproject-bootstrap/helmfile.yaml b/helmfile/apps/openproject-bootstrap/helmfile.yaml index 361212b7..3db3fd11 100644 --- a/helmfile/apps/openproject-bootstrap/helmfile.yaml +++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml 
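Review bot: `open-xchange-repo` has no `keyring:` and `verify:` entries, unlike every other repository whose head is visible in this diff (e.g. `nextcloud-repo`, `synapse-repo`, `clamav-simple-repo`), so the Open-Xchange App Suite chart is pulled with credentials but without provenance verification. If the upstream chart is not signed, a one-line comment (`# upstream publishes no provenance file; chart signature is not verified`) would stop the omission from looking accidental; if it is signed, add `keyring: "../../files/gpg-pubkeys/<key>.gpg"` and `verify: {{ .Values.charts.openXchangeAppSuite.verify }}` to match the `dovecot-repo` entry pattern. This hunk only rewraps the URL lines, so the gap is pre-existing.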
@@ -13,7 +13,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\ + {{ .Values.charts.openprojectBootstrap.repository }}" releases: - name: "opendesk-openproject-bootstrap" diff --git a/helmfile/apps/openproject/helmfile.yaml b/helmfile/apps/openproject/helmfile.yaml index 2b401beb..c3c3f079 100644 --- a/helmfile/apps/openproject/helmfile.yaml +++ b/helmfile/apps/openproject/helmfile.yaml @@ -13,7 +13,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\ + {{ .Values.charts.openproject.repository }}" releases: - name: "openproject" diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl index 40b2b2fd..e41e9bdf 100644 --- a/helmfile/apps/openproject/values.yaml.gotmpl +++ b/helmfile/apps/openproject/values.yaml.gotmpl @@ -144,7 +144,9 @@ ingress: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} -replicaCount: {{ .Values.replicas.openproject }} +backgroundReplicaCount: {{ .Values.replicas.openprojectWorker }} + +replicaCount: {{ .Values.replicas.openprojectWeb }} resources: {{ .Values.resources.openproject | toYaml | nindent 2 }} diff --git a/helmfile/apps/provisioning/helmfile.yaml b/helmfile/apps/provisioning/helmfile.yaml index c89e989c..0832f837 100644 --- a/helmfile/apps/provisioning/helmfile.yaml 
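Review bot: Replacing `.Values.replicas.openproject` with `.Values.replicas.openprojectWeb` and `.Values.replicas.openprojectWorker` renames an operator-facing values key; an environment values file that still sets `replicas.openproject` will no longer have any effect, and a missing new key renders `replicaCount:` empty and silently falls back to the chart default. If the old key was documented, mention the rename in the changelog or keep a one-release fallback such as `replicaCount: {{ .Values.replicas.openprojectWeb | default .Values.replicas.openproject }}`. The values defaults that must now define both keys are outside this diff.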
+++ b/helmfile/apps/provisioning/helmfile.yaml @@ -10,7 +10,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\ + {{ .Values.charts.oxConnector.repository }}" releases: - name: "ox-connector" diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl index e4553980..2e181da7 100644 --- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl +++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl @@ -59,6 +59,8 @@ probes: failureThreshold: 30 successThreshold: 1 +replicaCount: {{ .Values.replicas.oxConnector }} + securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/helmfile/apps/services/helmfile.yaml b/helmfile/apps/services/helmfile.yaml index fd4a29dc..9b3b8ec3 100644 --- a/helmfile/apps/services/helmfile.yaml +++ b/helmfile/apps/services/helmfile.yaml @@ -13,7 +13,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\ + {{ .Values.charts.otterize.repository }}" # openDesk Certificates # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates 
@@ -23,7 +24,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\ + {{ .Values.charts.certificates.repository }}" # openDesk PostgreSQL # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql @@ -33,7 +35,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\ + {{ .Values.charts.postgresql.repository }}" # openDesk MariaDB # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb @@ -43,7 +46,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\ + {{ .Values.charts.mariadb.repository }}" # openDesk Postfix # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix 
@@ -53,7 +57,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\ + {{ .Values.charts.postfix.repository }}" # openDesk Istio Resources # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources @@ -63,7 +68,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\ + {{ .Values.charts.istioResources.repository }}" # openDesk ClamAV # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav 
@@ -73,14 +79,16 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\ + {{ .Values.charts.clamav.repository }}" - name: "clamav-simple-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.clamavSimple.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\ + {{ .Values.charts.clamavSimple.repository }}" # VMWare Bitnami # Source: https://github.com/bitnami/charts/ 
@@ -90,21 +98,24 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\ + {{ .Values.charts.memcached.repository }}" - name: "redis-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.redis.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\ + {{ .Values.charts.redis.repository }}" - name: "minio-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.minio.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\ + {{ .Values.charts.minio.repository }}" releases: - name: "opendesk-otterize" diff --git a/helmfile/apps/services/values-mariadb.yaml.gotmpl b/helmfile/apps/services/values-mariadb.yaml.gotmpl index c7f57a61..3f5362a3 100644 --- a/helmfile/apps/services/values-mariadb.yaml.gotmpl +++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl @@ -60,7 +60,7 @@ podSecurityContext: fsGroup: 1001 fsGroupChangePolicy: "OnRootMismatch" -replicaCount: 1 +replicaCount: {{ .Values.replicas.mariadb }} resources: {{ .Values.resources.mariadb | toYaml | nindent 2 }} 
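Review bot: Making MariaDB's `replicaCount` operator-configurable is only safe if the chart sets up replication for more than one replica; the visible values declare no `architecture`/replication mode (unlike the memcached and minio values in this commit, which switch mode on the replica count), so `replicas.mariadb: 2` could yield two independent primaries with separate PVCs behind one Service. Either couple it to a replication mode the way memcached does (`architecture: {{ if gt .Values.replicas.mariadb 1 }}"replication"{{ else }}"standalone"{{ end }}`, if the chart supports it) or add a comment above the line stating that the value must stay `1`; the chart's defaults are outside this diff.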
diff --git a/helmfile/apps/services/values-memcached.yaml.gotmpl b/helmfile/apps/services/values-memcached.yaml.gotmpl index 9dcb834a..a4ec0a72 100644 --- a/helmfile/apps/services/values-memcached.yaml.gotmpl +++ b/helmfile/apps/services/values-memcached.yaml.gotmpl @@ -1,6 +1,8 @@ # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- +architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }} + containerSecurityContext: allowPrivilegeEscalation: false capabilities: diff --git a/helmfile/apps/services/values-minio.yaml.gotmpl b/helmfile/apps/services/values-minio.yaml.gotmpl index 67e18f0c..934f0f0b 100644 --- a/helmfile/apps/services/values-minio.yaml.gotmpl +++ b/helmfile/apps/services/values-minio.yaml.gotmpl @@ -62,7 +62,7 @@ livenessProbe: periodSeconds: 10 timeoutSeconds: 10 -mode: "standalone" +mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{ end }} metrics: serviceMonitor: @@ -94,7 +94,7 @@ provisioning: - name: "openxchange" versioning: true withLock: false - - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} + - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} versioning: false withLock: false - name: "nextcloud" @@ -192,6 +192,6 @@ startupProbe: timeoutSeconds: 10 statefulset: - replicaCount: {{ .Values.replicas.minioDistributed }} + replicaCount: {{ .Values.replicas.minio }} ... diff --git a/helmfile/apps/services/values-postgresql.yaml.gotmpl b/helmfile/apps/services/values-postgresql.yaml.gotmpl index ace3b0e0..b44c26cf 100644 --- a/helmfile/apps/services/values-postgresql.yaml.gotmpl +++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl @@ -26,7 +26,7 @@ podSecurityContext: postgres: user: "postgres" -replicaCount: 1 +replicaCount: {{ .Values.replicas.postgres }} global: imagePullSecrets: 
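Review bot: `gt .Values.replicas.memcached 1` (and the same comparison for `replicas.minio` in the minio hunk) makes the render fail with a type-comparison error if the key is absent from the values defaults, because Go templates cannot compare nil with an int; guard it with `{{ if gt (.Values.replicas.memcached | default 1) 1 }}` or make sure the defaults, outside this diff, always define both keys. For MinIO, switching to `distributed` as soon as `replicas.minio` exceeds 1 is not sufficient: the Bitnami chart documents that distributed mode needs at least four drives in total, so `2` or `3` replicas with the default drive count produce a StatefulSet that never becomes ready. `replicaCount: {{ .Values.replicas.postgres }}` for PostgreSQL raises the same concern as the MariaDB change — without a replication architecture in the values, a count above 1 means independent primaries behind one Service — so either document that it must stay `1` or tie it to the chart's replication mode. Renaming `replicas.minioDistributed` to `replicas.minio` also silently orphans any operator override of the old key.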
diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml index c4da65fd..eecbfc92 100644 --- a/helmfile/apps/univention-management-stack/helmfile.yaml +++ b/helmfile/apps/univention-management-stack/helmfile.yaml 
@@ -12,126 +12,144 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\ + {{ .Values.charts.umsGuardianManagementApi.repository }}" - name: "ums-guardian-management-ui-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsGuardianManagementUi.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\ + {{ .Values.charts.umsGuardianManagementUi.repository }}" - name: "ums-guardian-authorization-api-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\ + {{ .Values.charts.umsGuardianAuthorizationApi.repository }}" - name: "ums-open-policy-agent-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsOpenPolicyAgent.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ 
.Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\ + {{ .Values.charts.umsOpenPolicyAgent.repository }}" - name: "ums-ldap-server-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsLdapServer.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\ + {{ .Values.charts.umsLdapServer.repository }}" - name: "ums-ldap-notifier-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsLdapNotifier.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\ + {{ .Values.charts.umsLdapNotifier.repository }}" - name: "ums-udm-rest-api-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsUdmRestApi.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\ + {{ .Values.charts.umsUdmRestApi.repository }}" - name: "ums-stack-data-ums-repo" keyring: 
"../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsStackDataUms.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\ + {{ .Values.charts.umsStackDataUms.repository }}" - name: "ums-stack-data-swp-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsStackDataSwp.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\ + {{ .Values.charts.umsStackDataSwp.repository }}" - name: "ums-portal-server-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsPortalServer.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\ + {{ .Values.charts.umsPortalServer.repository }}" - name: "ums-notifications-api-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsNotificationsApi.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ 
.Values.charts.umsNotificationsApi.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\ + {{ .Values.charts.umsNotificationsApi.repository }}" - name: "ums-portal-listener-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsPortalListener.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\ + {{ .Values.charts.umsPortalListener.repository }}" - name: "ums-portal-frontend-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsPortalFrontend.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\ + {{ .Values.charts.umsPortalFrontend.repository }}" - name: "ums-umc-gateway-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsUmcGateway.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\ + {{ .Values.charts.umsUmcGateway.repository }}" - name: "ums-umc-server-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsUmcServer.verify 
}} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\ + {{ .Values.charts.umsUmcServer.repository }}" - name: "ums-selfservice-listener-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsSelfserviceListener.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\ + {{ .Values.charts.umsSelfserviceListener.repository }}" - name: "ums-provisioning-repo" keyring: "../../files/gpg-pubkeys/univention-de.gpg" verify: {{ .Values.charts.umsProvisioning.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\ + {{ .Values.charts.umsProvisioning.repository }}" # Univention Keycloak Extensions - name: "ums-keycloak-extensions-repo" username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry 
}}/\ + {{ .Values.charts.umsKeycloakExtensions.repository }}" # Univention Keycloak - name: "ums-keycloak-repo" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" @@ -139,14 +157,16 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\ + {{ .Values.charts.umsKeycloak.repository }}" - name: "ums-keycloak-bootstrap-repo" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" verify: {{ .Values.charts.umsKeycloakBootstrap.verify }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\ + {{ .Values.charts.umsKeycloakBootstrap.repository }}" - name: "opendesk-keycloak-bootstrap-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }} @@ -163,7 +183,8 @@ repositories: username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true - url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}" + url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\ + {{ .Values.charts.nginx.repository }}" releases: - name: "ums-keycloak" diff --git a/helmfile/apps/xwiki/helmfile.yaml b/helmfile/apps/xwiki/helmfile.yaml index e9456b50..760f2cc6 100644 --- a/helmfile/apps/xwiki/helmfile.yaml +++ b/helmfile/apps/xwiki/helmfile.yaml 
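Review bot: The trailing `\` inside the double-quoted `url` values relies on YAML's escaped line break in double-quoted scalars (the newline and the next line's leading whitespace are dropped), which is easy to mistake for a shell or Go-template continuation, and nothing in the file explains it; a one-line comment at the top of the `repositories:` list, e.g. `# A trailing "\" inside a double-quoted url is a YAML escaped line break: the string stays one line after rendering.`, would stop the next editor from switching to single quotes or a folded scalar, where the backslash would end up inside the URL. The same applies to the two following hunks of this file and to the xwiki helmfile hunk. Separately, the `ums-keycloak-extensions-repo` entry visible in this hunk is the only repository without `keyring` and `verify`, so chart signatures for it are not checked; if that is because the chart is unsigned, a comment saying so keeps it from reading as an omission. The `repositories:` list starts outside the hunk.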
@@ -13,7 +13,8 @@ repositories:
 username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
 password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
 oci: true
- url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+ url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
+ {{ .Values.charts.xwiki.repository }}"
 releases:
 - name: "xwiki"
diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl
index c8e63322..1b58bb82 100644
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -161,7 +161,8 @@ properties:
 "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "{{ .Values.theme.texts.productName }} Wissen - $!tdoc.displayTitle"
-replicaCount: {{ .Values.replicas.xwiki }}
+cluster:
+ replicas: {{ .Values.replicas.xwiki }}
 resources: {{ .Values.resources.xwiki | toYaml | nindent 2 }}
diff --git a/helmfile/environments/default/persistence.yaml b/helmfile/environments/default/persistence.yaml
index d209f121..441a4d06 100644
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -10,7 +10,7 @@ persistence:
 dovecot: "1Gi"
 mariadb: "1Gi"
 matrixNeoDateFixBot: "1Gi"
- minio: "1Gi"
+ minio: "10Gi"
 postfix: "1Gi"
 postgresql: "1Gi"
 prosody: "1Gi"
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml
index 33eb0c30..e9a38f14 100644
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+# Before increasing the replicas of components, please consult the scaling documentation at "docs/scaling.md" to ensure
+# that scaling of the respective component is possible and has the desired effect.
 replicas:
 # clamav-simple
 clamav: 1
@@ -21,6 +23,7 @@ replicas:
 jitsiKeycloakAdapter: 1
 jvb: 1
 keycloak: 1
+ mariadb: 1
 matrixNeoBoardWidget: 1
 matrixNeoChoiceWidget: 1
 matrixNeoDateFixBot: 1
@@ -29,12 +32,15 @@ replicas:
 memcached: 1
 # clamav-distributed
 milter: 1
- minioDistributed: 4
+ minio: 1
 nextcloudApache2: 1
 nextcloudExporter: 1
 nextcloudPHP: 1
- openproject: 1
+ openprojectWeb: 1
+ openprojectWorker: 1
+ oxConnector: 1
 postfix: 1
+ postgres: 1
 redis: 1
 synapse: 1
 synapseWeb: 1
diff --git a/helmfile/environments/default/selinux.yaml b/helmfile/environments/default/selinux.yaml
index 085eb6f1..ea6f36c2 100644
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -16,7 +16,7 @@ seLinuxOptions:
 icap: ~
 intercom: ~
 # The Jibri Helm chart does not support setting the securityContext externally.
- #jibri: ~
+ # jibri: ~
 jicofo: ~
 jitsi: ~
 jitsiKeycloakAdapter: ~
diff --git a/helmfile/environments/test/values.yaml.gotmpl b/helmfile/environments/test/values.yaml.gotmpl
index d80aabc0..02fd4897 100644
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -5,6 +5,9 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
 imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+ imagePullSecrets:
+ - "kyverno-test"
+ imagePullPolicy: "kyverno"
 persistence:
 storageClassNames:
 RWX: "kyverno-test"
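Review bot: Renaming `minioDistributed` to `minio` and splitting `openproject` into `openprojectWeb` and `openprojectWorker` changes the keys every `.Values.replicas.*` reference resolves against, and a template or environment overlay that still uses an old key gets an empty or `<no value>` rendering rather than an error, depending on helmfile's missing-key handling. The diffstat shows the minio and openproject values files being updated, so the in-tree consumers look covered; a grep for `replicas.minioDistributed` and `replicas.openproject` across the helmfile tree and any out-of-tree environment files would confirm nothing is left behind. The scaling documentation this change's new header comment points to is the natural place to record the rename for operators who maintain their own replicas overrides.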
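Review bot: `imagePullPolicy: "kyverno"` is not a value Kubernetes accepts for that field (`Always`, `IfNotPresent` or `Never`), so any manifest that passes it through unchanged is invalid, and the `require-imagepullpolicy` policy this change introduces will presumably reject it too if it validates the value rather than only checking that the field is set. If the string is a deliberate sentinel so the lint can prove the field is templated from values, a comment next to it such as `# Sentinel: the lint only checks that the field is templated, not that the value is valid` would make that intent explicit; otherwise a real value like `"Always"` is the safer fixture. The `imagePullSecrets` entry follows the same sentinel convention as `storageClassNames`, so one comment can cover both.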
@@ -25,6 +28,53 @@ persistence:
 ldapServerShared: "42Gi"
 portalListener: "42Gi"
 selfserviceListener: "42Gi"
- storeDav: "42Gi"
 xwiki: "42Gi"
+ingress:
+ ingressClassName: "kyverno"
+ tls:
+ enabled: true
+ secretName: "kyverno-tls"
+replicas:
+ # clamav-simple
+ clamav: 42
+ # clamav-distributed
+ clamd: 42
+ collabora: 42
+ cryptpad: 42
+ dovecot: 42
+ element: 42
+ # clamav-distributed
+ freshclam: 42
+ # clamav-distributed
+ icap: 42
+ intercomService: 42
+ jibri: 42
+ jicofo: 42
+ jitsi: 42
+ jitsiKeycloakAdapter: 42
+ jvb: 42
+ keycloak: 42
+ mariadb: 42
+ matrixNeoBoardWidget: 42
+ matrixNeoChoiceWidget: 42
+ matrixNeoDateFixBot: 42
+ matrixNeoDateFixWidget: 42
+ matrixUserVerificationService: 42
+ memcached: 42
+ # clamav-distributed
+ milter: 42
+ minio: 42
+ nextcloudApache2: 42
+ nextcloudExporter: 42
+ nextcloudPHP: 42
+ openprojectWeb: 42
+ openprojectWorker: 42
+ oxConnector: 42
+ postfix: 42
+ postgres: 42
+ redis: 42
+ synapse: 42
+ synapseWeb: 42
+ wellKnown: 42
+ xwiki: 42
 ...
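Review bot: Setting every entry of the new `replicas` block to 42 means the test environment renders the MinIO and memcached values through the `distributed` and `high-availability` branches of the templates this change adds, while the default environment (all 1) renders the `standalone` branches; if the Kyverno lint runs only against this environment, the standalone rendering that deployments actually use is never checked by the policies. Consider running the lint against both environments, or keeping one representative component at 1, and say which branches the fixture covers in a comment, e.g. `# 42 is a sentinel for the template-replicas policy; values above 1 also select the HA branches of the minio/memcached templates`. Whether both environments are rendered in CI is not visible here.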