fix(univention-management-stack): Add guardian components

helmfile/apps/services/values-postgresql.gotmpl

@@ -25,6 +25,8 @@ job:
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
       password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+    - username: "guardianmanagementapi_user"
+      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
     - username: "selfservice_user"
       password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
   databases:
@@ -37,6 +39,8 @@ job:
     - name: "matrix"
       user: "matrix_user"
       additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
+    - name: "guardianmanagementapi"
+      user: "guardianmanagementapi_user"
     - name: "notificationsapi"
       user: "notificationsapi_user"
     - name: "selfservice"

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -6,6 +6,34 @@ bases:
 ---
 repositories:
   # Univention Management Stack
+  - name: "ums-guardian-management-api-repo"
+    oci: {{ .Values.charts.umsGuardianManagementApi.oci }}
+    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
+    username: {{ .Values.charts.umsGuardianManagementApi.username | quote }}
+    password: {{ .Values.charts.umsGuardianManagementApi.password | quote }}
+    url: "{{ .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
+  - name: "ums-guardian-management-ui-repo"
+    oci: {{ .Values.charts.umsGuardianManagementUi.oci }}
+    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
+    username: {{ .Values.charts.umsGuardianManagementUi.username | quote }}
+    password: {{ .Values.charts.umsGuardianManagementUi.password | quote }}
+    url: "{{ .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
+  - name: "ums-guardian-authorization-api-repo"
+    oci: {{ .Values.charts.umsGuardianAuthorizationApi.oci }}
+    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
+    username: {{ .Values.charts.umsGuardianAuthorizationApi.username | quote }}
+    password: {{ .Values.charts.umsGuardianAuthorizationApi.password | quote }}
+    url: "{{ .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
+  - name: "ums-open-policy-agent-repo"
+    oci: {{ .Values.charts.umsOpenPolicyAgent.oci }}
+    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
+    username: {{ .Values.charts.umsOpenPolicyAgent.username | quote }}
+    password: {{ .Values.charts.umsOpenPolicyAgent.password | quote }}
+    url: "{{ .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
   - name: "ums-store-dav-repo"
     oci: {{ .Values.charts.umsStoreDav.oci }}
     keyring: "../../files/gpg-pubkeys/univention-de.gpg"
@@ -329,6 +357,41 @@ releases:
       - "values-common.yaml"
       - "values-provisioning.gotmpl"
       - "values-provisioning.yaml"
+  - name: "ums-guardian-management-api"
+    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
+    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-guardian-management-api.gotmpl"
+      - "values-guardian-management-api.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-guardian-management-ui"
+    chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
+    version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-guardian-management-ui.gotmpl"
+      - "values-guardian-management-ui.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-guardian-authorization-api"
+    chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
+    version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-guardian-authorization-api.gotmpl"
+      - "values-guardian-authorization-api.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-open-policy-agent"
+    chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
+    version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-open-policy-agent.gotmpl"
+      - "values-open-policy-agent.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
 commonLabels:

helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl

@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianAuthorizationApi:
+  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  oauthAdapterWellKnownUrl: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository }}
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
+  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianAuthorizationApi:
+  home: "/guardian_service_dir"
+  guardianAuthzCorsAllowedOrigins: "*"
+  guardianAuthzAdapterSettingsPort: "env"
+  guardianAuthzAdapterAppPersistencePort: "udm_data"
+  guardianAuthzAdapterPolicyPort: "opa"
+  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
+  isUniventionAppCenter: 0
+  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
+  udmDataAdapterUsername: "cn=admin"
+  opaAdapterUrl: "http://ums-open-policy-agent/"
+  guardianAuthzLoggingLevel: "DEBUG"
+  guardianAuthzLoggingStructured: false
+  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianManagementApi:
+  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  oauthAdapterWellKnownUrl: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+
+postgresql:
+  bundled: false
+  connection:
+    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+  auth:
+    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: {{ .Values.images.umsGuardianManagementApi.repository }}
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
+  tag: {{ .Values.images.umsGuardianManagementApi.tag }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianManagementApi:
+  home: "/guardian_service_dir"
+  guardianManagementCorsAllowedOrigins: "*"
+  guardianManagementAdapterSettingsPort: "env"
+  guardianManagementAdapterAppPersistencePort: "sql"
+  guardianManagementAdapterConditionPersistencePort: "sql"
+  guardianManagementAdapterContextPersistencePort: "sql"
+  guardianManagementAdapterNamespacePersistencePort: "sql"
+  guardianManagementAdapterPermissionPersistencePort: "sql"
+  guardianManagementAdapterRolePersistencePort: "sql"
+  guardianManagementAdapterCapabilityPersistencePort: "sql"
+  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
+  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
+  guardianManagementAdapterResourceAuthorizationPort: "always"
+  isUniventionAppCenter: 0
+  sqlPersistenceAdapterDialect: "postgresql"
+  sqlPersistenceAdapterDbName: "postgres"
+  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
+  guardianManagementLoggingLevel: "DEBUG"
+  guardianManagementLoggingStructured: false
+  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
+  guardianManagementBaseUrl: "http://0.0.0.0:8000"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianManagementUi:
+  viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
+  viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+  viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: {{ .Values.images.umsGuardianManagementUi.repository }}
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
+  tag: {{ .Values.images.umsGuardianManagementUi.tag }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianManagementUi:
+  viteManagementUiAdapterAuthenticationPort: "keycloak"
+  viteManagementUiAdapterDataPort: "api"
+  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl

@@ -0,0 +1,18 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: {{ .Values.images.umsOpenPolicyAgent.repository }}
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
+  tag: {{ .Values.images.umsOpenPolicyAgent.tag }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-open-policy-agent.yaml

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+openPolicyAgent:
+  isUniventionAppCenter: 0
+  opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
+  opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
+  opaPollingMinDelay: 10
+  opaPollingMaxDelay: 15
+  opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -415,12 +415,12 @@ config:
           - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
         fullScopeAllowed: true
         protocol: "openid-connect"
-        publiClient: true
+        publicClient: true
         frontchannelLogout: false
         standardFlowEnabled: true
         attributes:
-          use.refresh.tokens: true
+          use.refresh.tokens: "true"
-          backchannel.logout.session.required: true
+          backchannel.logout.session.required: "true"
         protocolMappers:
           - name: "email"
             protocol: "openid-connect"

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml

@@ -243,6 +243,21 @@ serverBlock: |
       proxy_pass http://ums-provisioning-provisioning-api:80;
     }
 
+    ## guardian
+    location /univention/guardian/management-ui {
+      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
+    }
+    location /guardian/opa {
+      rewrite ^/guardian/opa(/.*)$ $1 break;
+      proxy_pass http://ums-open-policy-agent:80/;
+    }
+    location /guardian/management {
+      proxy_pass http://ums-guardian-management-api:80/guardian/management;
+    }
+    location /guardian/authorization {
+      proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
+    }
+
   }
 
 podSecurityContext:

helmfile/environments/default/charts.yaml

@@ -457,7 +457,7 @@ charts:
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
     oci: true
-    version: "1.3.1"
+    version: "1.5.0"
     verify: true
     username: ~
     password: ~
@@ -567,6 +567,66 @@ charts:
     username: ~
     password: ~
 
+  umsGuardianManagementApi:
+    # renovate:
+    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+    # packageName=umc-server
+    # dataSource=helm
+    # dependencyType=supplier
+    registry: "external-registry.souvap-univention.de"
+    repository: "sovereign-workplace/souvap/tooling/charts/univention"
+    name: "guardian-management-api"
+    oci: true
+    verify: true
+    version: "0.0.1"
+    username: ~
+    password: ~
+
+  umsGuardianManagementUi:
+    # renovate:
+    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+    # packageName=umc-server
+    # dataSource=helm
+    # dependencyType=supplier
+    registry: "external-registry.souvap-univention.de"
+    repository: "sovereign-workplace/souvap/tooling/charts/univention"
+    name: "guardian-management-ui"
+    oci: true
+    verify: true
+    version: "0.0.1"
+    username: ~
+    password: ~
+
+  umsGuardianAuthorizationApi:
+    # renovate:
+    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+    # packageName=umc-server
+    # dataSource=helm
+    # dependencyType=supplier
+    registry: "external-registry.souvap-univention.de"
+    repository: "sovereign-workplace/souvap/tooling/charts/univention"
+    name: "guardian-authorization-api"
+    oci: true
+    verify: true
+    version: "0.0.1"
+    username: ~
+    password: ~
+
+  umsOpenPolicyAgent:
+    # renovate:
+    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+    # packageName=umc-server
+    # dataSource=helm
+    # dependencyType=supplier
+    registry: "external-registry.souvap-univention.de"
+    repository: "sovereign-workplace/souvap/tooling/charts/univention"
+    name: "open-policy-agent"
+    oci: true
+    verify: true
+    version: "0.0.1"
+    username: ~
+    password: ~
+
   umsLdapNotifier:
     # renovate:
     # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
@@ -578,7 +638,7 @@ charts:
     name: "ldap-notifier"
     oci: true
     verify: true
-    version: "0.7.2"
+    version: "0.8.2"
     username: ~
     password: ~
 
@@ -593,7 +653,7 @@ charts:
     name: "ldap-server"
     oci: true
     verify: true
-    version: "0.7.2"
+    version: "0.8.2"
     username: ~
     password: ~
 
@@ -698,7 +758,7 @@ charts:
     name: "stack-data-swp"
     oci: true
     verify: true
-    version: "0.39.5"
+    version: "0.41.2"
     username: ~
     password: ~
 
@@ -713,7 +773,7 @@ charts:
     name: "stack-data-ums"
     oci: true
     verify: true
-    version: "0.39.5"
+    version: "0.41.2"
     username: ~
     password: ~
 
@@ -743,7 +803,7 @@ charts:
     name: "udm-rest-api"
     oci: true
     verify: true
-    version: "0.4.3"
+    version: "0.5.2"
     username: ~
     password: ~
 

helmfile/environments/default/database.yaml

@@ -36,6 +36,12 @@ databases:
     username: "matrix_user"
     password: ""
     port: 5432
+  umsGuardianManagementApi:
+    name: "guardianmanagementapi"
+    host: "postgresql"
+    port: 5432
+    username: "guardianmanagementapi_user"
+    password: ""
   umsNotificationsApi:
     name: "notificationsapi"
     host: "postgresql"

helmfile/environments/default/images.yaml

@@ -470,12 +470,44 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '39', '5']
+  umsGuardianManagementApi:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=supplier
+    # This is a preview and not part of the standard deployment.
+    repository: "souvap/tooling/images/univention/guardian-management-api"
+    tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:db0a109866feb79aa2cd97db957b5c68bf58d9e2b41ddb05b8859f9445361a3f"
+    # @supplier: "Univention"
+  umsGuardianManagementUi:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=supplier
+    # This is a preview and not part of the standard deployment.
+    repository: "souvap/tooling/images/univention/guardian-management-ui"
+    tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:e47091da3a6bcabd20cedbda490324a968cd1fd683bb8feed19a6f2b0377fd8b"
+    # @supplier: "Univention"
+  umsGuardianAuthorizationApi:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=supplier
+    # This is a preview and not part of the standard deployment.
+    repository: "souvap/tooling/images/univention/guardian-authorization-api"
+    tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:54b4a2ac043443627b9ff7c5f9b88ce76e8af0b193ba9187ceebc47acc9a204f"
+    # @supplier: "Univention"
+  umsOpenPolicyAgent:
+    # renovate:
+    # registryUrl=https://registry.souvap-univention.de
+    # dependencyType=supplier
+    # This is a preview and not part of the standard deployment.
+    repository: "souvap/tooling/images/univention/guardian-opa"
+    tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:bc515dfd18af8edecd0289b44bb8cbefa195d1a9c162357b8b13db8dcf63ba16"
+    # @supplier: "Univention"
   umsLdapNotifier:
     # renovate:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "0.7.2@sha256:cd05f5c8c6765ed5bdc1246178498a8d47e4f7ec6a75c3e0f1f69c0ee18f6e6a"
+    tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '7', '2']
@@ -484,7 +516,7 @@ images:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "0.7.2@sha256:591115300e67ace320333b7a865922f528a7628e693db858f20f59c3ff454b51"
+    tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '7', '2']
@@ -547,7 +579,7 @@ images:
     # registryUrl=https://registry.souvap-univention.de
     # dependencyType=supplier
     repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "0.4.3@sha256:d6ae525028dd2ee108e923dee79db9c1f2f4e0e9f0df3b35de1d50ccc3d90420"
+    tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '4', '3']

helmfile/environments/default/resources.yaml

@@ -347,6 +347,34 @@ resources:
     requests:
       cpu: 0.1
       memory: "64Mi"
+  umsGuardianManagementApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianManagementUi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsGuardianAuthorizationApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsOpenPolicyAgent:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsLdapNotifier:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -34,6 +34,7 @@ secrets:
     matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
     openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
     umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+    umsGuardianManagementApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "guardianmanagementapi_user" | sha1sum | quote }}
     umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
   mariadb:
     rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}