diff --git a/helmfile/apps/services/values-postgresql.gotmpl b/helmfile/apps/services/values-postgresql.gotmpl
index 95e99101..f6c966d2 100644
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.gotmpl
@@ -25,6 +25,8 @@ job:
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+ - username: "guardianmanagementapi_user"
+ password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
- username: "selfservice_user"
password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
databases:
@@ -37,6 +39,8 @@ job:
- name: "matrix"
user: "matrix_user"
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
+ - name: "guardianmanagementapi"
+ user: "guardianmanagementapi_user"
- name: "notificationsapi"
user: "notificationsapi_user"
- name: "selfservice"
diff --git a/helmfile/apps/univention-management-stack/helmfile.yaml b/helmfile/apps/univention-management-stack/helmfile.yaml
index bf45a6fd..f3b8b905 100644
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -6,6 +6,34 @@ bases:
---
repositories:
# Univention Management Stack
+ - name: "ums-guardian-management-api-repo"
+ oci: {{ .Values.charts.umsGuardianManagementApi.oci }}
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+ verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
+ username: {{ .Values.charts.umsGuardianManagementApi.username | quote }}
+ password: {{ .Values.charts.umsGuardianManagementApi.password | quote }}
+ url: "{{ .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
+ - name: "ums-guardian-management-ui-repo"
+ oci: {{ .Values.charts.umsGuardianManagementUi.oci }}
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+ verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
+ username: {{ .Values.charts.umsGuardianManagementUi.username | quote }}
+ password: {{ .Values.charts.umsGuardianManagementUi.password | quote }}
+ url: "{{ .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
+ - name: "ums-guardian-authorization-api-repo"
+ oci: {{ .Values.charts.umsGuardianAuthorizationApi.oci }}
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+ verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
+ username: {{ .Values.charts.umsGuardianAuthorizationApi.username | quote }}
+ password: {{ .Values.charts.umsGuardianAuthorizationApi.password | quote }}
+ url: "{{ .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
+ - name: "ums-open-policy-agent-repo"
+ oci: {{ .Values.charts.umsOpenPolicyAgent.oci }}
+ keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+ verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
+ username: {{ .Values.charts.umsOpenPolicyAgent.username | quote }}
+ password: {{ .Values.charts.umsOpenPolicyAgent.password | quote }}
+ url: "{{ .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
- name: "ums-store-dav-repo"
oci: {{ .Values.charts.umsStoreDav.oci }}
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
@@ -329,6 +357,41 @@ releases:
- "values-common.yaml"
- "values-provisioning.gotmpl"
- "values-provisioning.yaml"
+ - name: "ums-guardian-management-api"
+ chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
+ version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
+ values:
+ - "values-common.gotmpl"
+ - "values-common.yaml"
+ - "values-guardian-management-api.gotmpl"
+ - "values-guardian-management-api.yaml"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+ - name: "ums-guardian-management-ui"
+ chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
+ version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
+ values:
+ - "values-common.gotmpl"
+ - "values-common.yaml"
+ - "values-guardian-management-ui.gotmpl"
+ - "values-guardian-management-ui.yaml"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+ - name: "ums-guardian-authorization-api"
+ chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
+ version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
+ values:
+ - "values-common.gotmpl"
+ - "values-common.yaml"
+ - "values-guardian-authorization-api.gotmpl"
+ - "values-guardian-authorization-api.yaml"
+ installed: {{ .Values.univentionManagementStack.enabled }}
+ - name: "ums-open-policy-agent"
+ chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
+ version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
+ values:
+ - "values-common.gotmpl"
+ - "values-common.yaml"
+ - "values-open-policy-agent.gotmpl"
+ - "values-open-policy-agent.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:
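Review bot: All four new releases are gated only on `installed: {{ .Values.univentionManagementStack.enabled }}`, while the matching image entries added in helmfile/environments/default/images.yaml are commented "This is a preview and not part of the standard deployment" and pin developer-branch CI builds (`0.0.1-pre-jlohmer-container-ci-2@sha256:…`). As written, enabling the management stack pulls these preview components into every deployment that uses the default environment. Gate them on a dedicated switch instead, e.g. `installed: {{ .Values.univentionManagementStack.guardianEnabled }}` (constructed name — define it, defaulting to false, in the environment defaults), so the preview can be opted into per environment. The releases list starts before this hunk.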
diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
new file mode 100644
index 00000000..27809ad4
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianAuthorizationApi:
+ udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ oauthAdapterWellKnownUrl: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+image:
+ registry: {{ .Values.global.imageRegistry }}
+ repository: {{ .Values.images.umsGuardianAuthorizationApi.repository }}
+ pullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsGuardianAuthorizationApi.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
+...
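Review bot: `udmDataAdapterPassword` is rendered from `.Values.secrets.univentionManagementStack.ldapSecret`, and the companion values-guardian-authorization-api.yaml sets `udmDataAdapterUsername: "cn=admin"`, so the authorization API authenticates to the UDM REST API with the LDAP administrator credential. Authorization decisions presumably only need read access to the relevant directory objects, and a compromise of this pod would then hand out full directory write access. Consider a dedicated, least-privileged UDM account for this adapter with its own secret entry; if the admin account is required for now, record that above the key, e.g. `# TODO: replace cn=admin with a read-only guardian service account`.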
diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml
new file mode 100644
index 00000000..c6b44cb4
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianAuthorizationApi:
+ home: "/guardian_service_dir"
+ guardianAuthzCorsAllowedOrigins: "*"
+ guardianAuthzAdapterSettingsPort: "env"
+ guardianAuthzAdapterAppPersistencePort: "udm_data"
+ guardianAuthzAdapterPolicyPort: "opa"
+ guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
+ isUniventionAppCenter: 0
+ udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
+ udmDataAdapterUsername: "cn=admin"
+ opaAdapterUrl: "http://ums-open-policy-agent/"
+ guardianAuthzLoggingLevel: "DEBUG"
+ guardianAuthzLoggingStructured: false
+ guardianAuthzLoggingFormat: "{time:YYYY-MM-DD HH:mm:ss.SSS ZZ} | {level} | {message} | {extra}"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+...
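Review bot: The `securityContext.capabilities` block drops `ALL` and then adds back eleven capabilities (`CHOWN`, `DAC_OVERRIDE`, `SETUID`, `SETGID`, `NET_RAW`, `SYS_CHROOT`, …), which is essentially the container-runtime default set and cancels the drop; the same block is repeated in values-guardian-management-api.yaml, values-guardian-management-ui.yaml and values-open-policy-agent.yaml. Unless these images are known to switch users or chown files at start-up, `add: []` (or at most the single capability a given image needs, with a comment naming it) is the appropriate default for an API process, and `NET_RAW` and `SYS_CHROOT` should go in any case. In the same file `guardianAuthzCorsAllowedOrigins: "*"` and `guardianAuthzLoggingLevel: "DEBUG"` are environment defaults for an authorization endpoint; the origin list should be the management-stack host and the default level `"INFO"`, with DEBUG left to per-environment overrides (values-guardian-management-api.yaml has the same two settings).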
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
new file mode 100644
index 00000000..7737cacb
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianManagementApi:
+ oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+ oauthAdapterWellKnownUrl: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+
+postgresql:
+ bundled: false
+ connection:
+ host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+ port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+ auth:
+ username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+ database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+ password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+
+image:
+ registry: {{ .Values.global.imageRegistry }}
+ repository: {{ .Values.images.umsGuardianManagementApi.repository }}
+ pullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsGuardianManagementApi.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
+...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml
new file mode 100644
index 00000000..1922dc52
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml
@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianManagementApi:
+ home: "/guardian_service_dir"
+ guardianManagementCorsAllowedOrigins: "*"
+ guardianManagementAdapterSettingsPort: "env"
+ guardianManagementAdapterAppPersistencePort: "sql"
+ guardianManagementAdapterConditionPersistencePort: "sql"
+ guardianManagementAdapterContextPersistencePort: "sql"
+ guardianManagementAdapterNamespacePersistencePort: "sql"
+ guardianManagementAdapterPermissionPersistencePort: "sql"
+ guardianManagementAdapterRolePersistencePort: "sql"
+ guardianManagementAdapterCapabilityPersistencePort: "sql"
+ guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
+ guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
+ guardianManagementAdapterResourceAuthorizationPort: "always"
+ isUniventionAppCenter: 0
+ sqlPersistenceAdapterDialect: "postgresql"
+ sqlPersistenceAdapterDbName: "postgres"
+ oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
+ guardianManagementLoggingLevel: "DEBUG"
+ guardianManagementLoggingStructured: false
+ guardianManagementLoggingFormat: "{time:YYYY-MM-DD HH:mm:ss.SSS ZZ} | {level} | {message} | {extra}"
+ guardianManagementBaseUrl: "http://0.0.0.0:8000"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+...
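Review bot: `sqlPersistenceAdapterDbName: "postgres"` disagrees with the database this commit provisions: values-postgresql.gotmpl creates `guardianmanagementapi` for `guardianmanagementapi_user`, database.yaml names it `guardianmanagementapi`, and values-guardian-management-api.gotmpl passes that name as `postgresql.auth.database`. If the chart maps `sqlPersistenceAdapterDbName` to the adapter's connection setting (the chart is not visible from here), the service would connect to the `postgres` maintenance database, which the new role was not granted. Either drop the key so the templated `auth.database` value is the single source, or set `sqlPersistenceAdapterDbName: "guardianmanagementapi"` with a comment that it must stay in sync with database.yaml.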
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl
new file mode 100644
index 00000000..35b2792c
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl
@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianManagementUi:
+ viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
+ viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+ viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
+
+image:
+ registry: {{ .Values.global.imageRegistry }}
+ repository: {{ .Values.images.umsGuardianManagementUi.repository }}
+ pullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsGuardianManagementUi.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
+...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
new file mode 100644
index 00000000..5674ae30
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianManagementUi:
+ viteManagementUiAdapterAuthenticationPort: "keycloak"
+ viteManagementUiAdapterDataPort: "api"
+ viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+...
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl b/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
new file mode 100644
index 00000000..fa9633c9
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
@@ -0,0 +1,18 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+ registry: {{ .Values.global.imageRegistry }}
+ repository: {{ .Values.images.umsOpenPolicyAgent.repository }}
+ pullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsOpenPolicyAgent.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+
+resources:
+ {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
+...
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml
new file mode 100644
index 00000000..eafae8a9
--- /dev/null
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+openPolicyAgent:
+ isUniventionAppCenter: 0
+ opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
+ opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
+ opaPollingMinDelay: 10
+ opaPollingMaxDelay: 15
+ opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "DAC_OVERRIDE"
+ - "FOWNER"
+ - "FSETID"
+ - "KILL"
+ - "SETGID"
+ - "SETUID"
+ - "SETPCAP"
+ - "NET_BIND_SERVICE"
+ - "NET_RAW"
+ - "SYS_CHROOT"
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+...
diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index e7c0fa4b..989646d9 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -415,12 +415,12 @@ config:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
protocol: "openid-connect"
- publiClient: true
+ publicClient: true
frontchannelLogout: false
standardFlowEnabled: true
attributes:
- use.refresh.tokens: true
- backchannel.logout.session.required: true
+ use.refresh.tokens: "true"
+ backchannel.logout.session.required: "true"
protocolMappers:
- name: "email"
protocol: "openid-connect"
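Review bot: With `publicClient: true` now spelled correctly the guardian client becomes a public (secret-less) OIDC client, and the redirect URI above it is a prefix wildcard, `https://…/guardian/*`. For a public client the redirect URI list is the main thing binding the authorization code to the legitimate front-end, so the wildcard should be narrowed to the exact callback path(s) the management UI uses (it is served under `/univention/guardian/management-ui` per values-ums-stack-gateway.yaml). If PKCE is not enforced for this client elsewhere in the bootstrap, add `pkce.code.challenge.method: "S256"` to `attributes` as well. The client definition starts before this hunk.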
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
index 2933cb32..2cbb6438 100644
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
@@ -243,6 +243,21 @@ serverBlock: |
proxy_pass http://ums-provisioning-provisioning-api:80;
}
+ ## guardian
+ location /univention/guardian/management-ui {
+ proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
+ }
+ location /guardian/opa {
+ rewrite ^/guardian/opa(/.*)$ $1 break;
+ proxy_pass http://ums-open-policy-agent:80/;
+ }
+ location /guardian/management {
+ proxy_pass http://ums-guardian-management-api:80/guardian/management;
+ }
+ location /guardian/authorization {
+ proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
+ }
+
}
podSecurityContext:
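Review bot: `location /guardian/opa` strips the prefix and proxies to the root of `ums-open-policy-agent`, which exposes OPA's whole REST API — including the endpoints that upload policies and data — on the public gateway. The only consumer visible in this commit reaches OPA in-cluster (`opaAdapterUrl: "http://ums-open-policy-agent/"` in values-guardian-authorization-api.yaml), so there is no obvious reason for an external route. Drop the location, or if a browser client really needs it, restrict it to the read-only query path and methods and require authentication at the gateway or in OPA. The `serverBlock` scalar starts before this hunk.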
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 4ef0241b..dbf2888b 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -457,7 +457,7 @@ charts:
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize"
oci: true
- version: "1.3.1"
+ version: "1.5.0"
verify: true
username: ~
password: ~
@@ -567,6 +567,66 @@ charts:
username: ~
password: ~
+ umsGuardianManagementApi:
+ # renovate:
+ # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+ # packageName=umc-server
+ # dataSource=helm
+ # dependencyType=supplier
+ registry: "external-registry.souvap-univention.de"
+ repository: "sovereign-workplace/souvap/tooling/charts/univention"
+ name: "guardian-management-api"
+ oci: true
+ verify: true
+ version: "0.0.1"
+ username: ~
+ password: ~
+
+ umsGuardianManagementUi:
+ # renovate:
+ # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+ # packageName=umc-server
+ # dataSource=helm
+ # dependencyType=supplier
+ registry: "external-registry.souvap-univention.de"
+ repository: "sovereign-workplace/souvap/tooling/charts/univention"
+ name: "guardian-management-ui"
+ oci: true
+ verify: true
+ version: "0.0.1"
+ username: ~
+ password: ~
+
+ umsGuardianAuthorizationApi:
+ # renovate:
+ # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+ # packageName=umc-server
+ # dataSource=helm
+ # dependencyType=supplier
+ registry: "external-registry.souvap-univention.de"
+ repository: "sovereign-workplace/souvap/tooling/charts/univention"
+ name: "guardian-authorization-api"
+ oci: true
+ verify: true
+ version: "0.0.1"
+ username: ~
+ password: ~
+
+ umsOpenPolicyAgent:
+ # renovate:
+ # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
+ # packageName=umc-server
+ # dataSource=helm
+ # dependencyType=supplier
+ registry: "external-registry.souvap-univention.de"
+ repository: "sovereign-workplace/souvap/tooling/charts/univention"
+ name: "open-policy-agent"
+ oci: true
+ verify: true
+ version: "0.0.1"
+ username: ~
+ password: ~
+
umsLdapNotifier:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
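Review bot: The renovate blocks of the four new chart entries all carry `packageName=umc-server`, copied from another entry, while the entries themselves are `guardian-management-api`, `guardian-management-ui`, `guardian-authorization-api` and `open-policy-agent`; renovate would track the wrong package and never propose a bump for these charts. Set `packageName` to the respective chart `name` in each block.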
@@ -578,7 +638,7 @@ charts:
name: "ldap-notifier"
oci: true
verify: true
- version: "0.7.2"
+ version: "0.8.2"
username: ~
password: ~
@@ -593,7 +653,7 @@ charts:
name: "ldap-server"
oci: true
verify: true
- version: "0.7.2"
+ version: "0.8.2"
username: ~
password: ~
@@ -698,7 +758,7 @@ charts:
name: "stack-data-swp"
oci: true
verify: true
- version: "0.39.5"
+ version: "0.41.2"
username: ~
password: ~
@@ -713,7 +773,7 @@ charts:
name: "stack-data-ums"
oci: true
verify: true
- version: "0.39.5"
+ version: "0.41.2"
username: ~
password: ~
@@ -743,7 +803,7 @@ charts:
name: "udm-rest-api"
oci: true
verify: true
- version: "0.4.3"
+ version: "0.5.2"
username: ~
password: ~
diff --git a/helmfile/environments/default/database.yaml b/helmfile/environments/default/database.yaml
index 18a03ec7..5c11bd9d 100644
--- a/helmfile/environments/default/database.yaml
+++ b/helmfile/environments/default/database.yaml
@@ -36,6 +36,12 @@ databases:
username: "matrix_user"
password: ""
port: 5432
+ umsGuardianManagementApi:
+ name: "guardianmanagementapi"
+ host: "postgresql"
+ port: 5432
+ username: "guardianmanagementapi_user"
+ password: ""
umsNotificationsApi:
name: "notificationsapi"
host: "postgresql"
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 32c5365b..87609965 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -470,12 +470,44 @@ images:
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '39', '5']
+ umsGuardianManagementApi:
+ # renovate:
+ # registryUrl=https://registry.souvap-univention.de
+ # dependencyType=supplier
+ # This is a preview and not part of the standard deployment.
+ repository: "souvap/tooling/images/univention/guardian-management-api"
+ tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:db0a109866feb79aa2cd97db957b5c68bf58d9e2b41ddb05b8859f9445361a3f"
+ # @supplier: "Univention"
+ umsGuardianManagementUi:
+ # renovate:
+ # registryUrl=https://registry.souvap-univention.de
+ # dependencyType=supplier
+ # This is a preview and not part of the standard deployment.
+ repository: "souvap/tooling/images/univention/guardian-management-ui"
+ tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:e47091da3a6bcabd20cedbda490324a968cd1fd683bb8feed19a6f2b0377fd8b"
+ # @supplier: "Univention"
+ umsGuardianAuthorizationApi:
+ # renovate:
+ # registryUrl=https://registry.souvap-univention.de
+ # dependencyType=supplier
+ # This is a preview and not part of the standard deployment.
+ repository: "souvap/tooling/images/univention/guardian-authorization-api"
+ tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:54b4a2ac043443627b9ff7c5f9b88ce76e8af0b193ba9187ceebc47acc9a204f"
+ # @supplier: "Univention"
+ umsOpenPolicyAgent:
+ # renovate:
+ # registryUrl=https://registry.souvap-univention.de
+ # dependencyType=supplier
+ # This is a preview and not part of the standard deployment.
+ repository: "souvap/tooling/images/univention/guardian-opa"
+ tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:bc515dfd18af8edecd0289b44bb8cbefa195d1a9c162357b8b13db8dcf63ba16"
+ # @supplier: "Univention"
umsLdapNotifier:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
repository: "souvap/tooling/images/univention/ldap-notifier"
- tag: "0.7.2@sha256:cd05f5c8c6765ed5bdc1246178498a8d47e4f7ec6a75c3e0f1f69c0ee18f6e6a"
+ tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '7', '2']
@@ -484,7 +516,7 @@ images:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
repository: "souvap/tooling/images/univention/ldap-server"
- tag: "0.7.2@sha256:591115300e67ace320333b7a865922f528a7628e693db858f20f59c3ff454b51"
+ tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '7', '2']
@@ -547,7 +579,7 @@ images:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
repository: "souvap/tooling/images/univention/udm-rest-api"
- tag: "0.4.3@sha256:d6ae525028dd2ee108e923dee79db9c1f2f4e0e9f0df3b35de1d50ccc3d90420"
+ tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '4', '3']
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index f8956162..36693c96 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -347,6 +347,34 @@ resources:
requests:
cpu: 0.1
memory: "64Mi"
+ umsGuardianManagementApi:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
+ umsGuardianManagementUi:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
+ umsGuardianAuthorizationApi:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
+ umsOpenPolicyAgent:
+ limits:
+ cpu: 99
+ memory: "1Gi"
+ requests:
+ cpu: 0.1
+ memory: "256Mi"
umsLdapNotifier:
limits:
cpu: 99
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 597aa4d8..2b395de4 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -34,6 +34,7 @@ secrets:
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+ umsGuardianManagementApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "guardianmanagementapi_user" | sha1sum | quote }}
umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
mariadb:
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}