fix(univention-management-stack): Add guardian components

jconde
2023-12-21 22:25:02 +01:00
committed by Thorsten Roßner
parent b30b29df8a
commit db749d8b1b
17 changed files with 462 additions and 12 deletions


@@ -25,6 +25,8 @@ job:
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- username: "guardianmanagementapi_user"
password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
- username: "selfservice_user"
password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
databases:
@@ -37,6 +39,8 @@ job:
- name: "matrix"
user: "matrix_user"
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
- name: "guardianmanagementapi"
user: "guardianmanagementapi_user"
- name: "notificationsapi"
user: "notificationsapi_user"
- name: "selfservice"


@@ -6,6 +6,34 @@ bases:
---
repositories:
# Univention Management Stack
- name: "ums-guardian-management-api-repo"
oci: {{ .Values.charts.umsGuardianManagementApi.oci }}
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
username: {{ .Values.charts.umsGuardianManagementApi.username | quote }}
password: {{ .Values.charts.umsGuardianManagementApi.password | quote }}
url: "{{ .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
- name: "ums-guardian-management-ui-repo"
oci: {{ .Values.charts.umsGuardianManagementUi.oci }}
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
username: {{ .Values.charts.umsGuardianManagementUi.username | quote }}
password: {{ .Values.charts.umsGuardianManagementUi.password | quote }}
url: "{{ .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
- name: "ums-guardian-authorization-api-repo"
oci: {{ .Values.charts.umsGuardianAuthorizationApi.oci }}
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
username: {{ .Values.charts.umsGuardianAuthorizationApi.username | quote }}
password: {{ .Values.charts.umsGuardianAuthorizationApi.password | quote }}
url: "{{ .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
- name: "ums-open-policy-agent-repo"
oci: {{ .Values.charts.umsOpenPolicyAgent.oci }}
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
username: {{ .Values.charts.umsOpenPolicyAgent.username | quote }}
password: {{ .Values.charts.umsOpenPolicyAgent.password | quote }}
url: "{{ .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
- name: "ums-store-dav-repo"
oci: {{ .Values.charts.umsStoreDav.oci }}
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
@@ -329,6 +357,41 @@ releases:
- "values-common.yaml"
- "values-provisioning.gotmpl"
- "values-provisioning.yaml"
- name: "ums-guardian-management-api"
chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-guardian-management-api.gotmpl"
- "values-guardian-management-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-guardian-management-ui"
chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-guardian-management-ui.gotmpl"
- "values-guardian-management-ui.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-guardian-authorization-api"
chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-guardian-authorization-api.gotmpl"
- "values-guardian-authorization-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-open-policy-agent"
chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-open-policy-agent.gotmpl"
- "values-open-policy-agent.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:
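Review bot: All four new releases are gated only by `installed: {{ .Values.univentionManagementStack.enabled }}`, so any deployment that enables the management stack also gets the Guardian services and OPA. The image entries added elsewhere in this commit are commented `This is a preview and not part of the standard deployment` and point at `0.0.1-pre-…` tags, which does not fit that gating. I would put these releases behind their own opt-in value that defaults to false, with a comment above the first release such as `# Guardian is a preview; enable explicitly`. The `releases:` list starts outside the hunk.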


@@ -0,0 +1,21 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianAuthorizationApi:
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
image:
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
...
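Review bot: `udmDataAdapterPassword` is fed from `.Values.secrets.univentionManagementStack.ldapSecret`, and the static values file for the same release sets `udmDataAdapterUsername: "cn=admin"`, so the authorization API appears to call the UDM REST API with the directory administrator's credential. Nothing visible here requires directory-wide write access; a dedicated read-only account with its own secret would limit what a compromise of this pod exposes. If the admin bind is a temporary shortcut, record that on the line, e.g. `# TODO: replace cn=admin with a dedicated read-only UDM account`. The unquoted `registry`, `repository`, `pullPolicy` and `tag` values would also be safer with `| quote`, as the `pullSecrets` entries already are.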


@@ -0,0 +1,39 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianAuthorizationApi:
home: "/guardian_service_dir"
guardianAuthzCorsAllowedOrigins: "*"
guardianAuthzAdapterSettingsPort: "env"
guardianAuthzAdapterAppPersistencePort: "udm_data"
guardianAuthzAdapterPolicyPort: "opa"
guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
isUniventionAppCenter: 0
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
opaAdapterUrl: "http://ums-open-policy-agent/"
guardianAuthzLoggingLevel: "DEBUG"
guardianAuthzLoggingStructured: false
guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...
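Review bot: The `add:` list under `securityContext.capabilities` re-grants eleven capabilities immediately after `drop: ["ALL"]`, among them `NET_RAW`, `SYS_CHROOT`, `SETPCAP` and `DAC_OVERRIDE`, and the block sets neither `runAsNonRoot` nor `readOnlyRootFilesystem`. The identical list is repeated in the management API, management UI and OPA values files added by this commit. Which of these the containers actually need is not visible here, so I would start from an empty `add:` and restore only what the process fails without, with a comment per retained entry. Separately, `guardianAuthzLoggingLevel: "DEBUG"` and `guardianAuthzCorsAllowedOrigins: "*"` read like development defaults and should be tightened or justified in a comment.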


@@ -0,0 +1,32 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianManagementApi:
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsGuardianManagementApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsGuardianManagementApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
...


@@ -0,0 +1,47 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementApi:
home: "/guardian_service_dir"
guardianManagementCorsAllowedOrigins: "*"
guardianManagementAdapterSettingsPort: "env"
guardianManagementAdapterAppPersistencePort: "sql"
guardianManagementAdapterConditionPersistencePort: "sql"
guardianManagementAdapterContextPersistencePort: "sql"
guardianManagementAdapterNamespacePersistencePort: "sql"
guardianManagementAdapterPermissionPersistencePort: "sql"
guardianManagementAdapterRolePersistencePort: "sql"
guardianManagementAdapterCapabilityPersistencePort: "sql"
guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
guardianManagementAdapterResourceAuthorizationPort: "always"
isUniventionAppCenter: 0
sqlPersistenceAdapterDialect: "postgresql"
sqlPersistenceAdapterDbName: "postgres"
oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
guardianManagementLoggingLevel: "DEBUG"
guardianManagementLoggingStructured: false
guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
guardianManagementBaseUrl: "http://0.0.0.0:8000"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...
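Review bot: `guardianManagementAdapterResourceAuthorizationPort: "always"` looks like it selects an adapter that permits every request, which would leave the management API, the service that edits roles, permissions and capabilities, protected by authentication alone. If that reading is right, any user who can obtain a token for the realm could change authorization data; please confirm against the chart documentation and either switch to the Guardian-backed adapter or add a comment explaining why the preview ships this way. `guardianManagementCorsAllowedOrigins: "*"` widens the exposure for browser clients. Also worth checking: `sqlPersistenceAdapterDbName: "postgres"` does not match the `guardianmanagementapi` database that this commit provisions.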


@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianManagementUi:
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsGuardianManagementUi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsGuardianManagementUi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
...


@@ -0,0 +1,29 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementUi:
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...


@@ -0,0 +1,18 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
...


@@ -0,0 +1,32 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
openPolicyAgent:
isUniventionAppCenter: 0
opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
opaPollingMinDelay: 10
opaPollingMaxDelay: 15
opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...


@@ -415,12 +415,12 @@ config:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
protocol: "openid-connect"
publiClient: true
publicClient: true
frontchannelLogout: false
standardFlowEnabled: true
attributes:
use.refresh.tokens: true
backchannel.logout.session.required: true
use.refresh.tokens: "true"
backchannel.logout.session.required: "true"
protocolMappers:
- name: "email"
protocol: "openid-connect"
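Review bot: Correcting `publiClient` to `publicClient` is more than a typo fix: the misspelled key was presumably ignored on import, so this client only becomes a public client with this change. It keeps `fullScopeAllowed: true`, which means tokens issued to a browser client that holds no secret carry every role mapping the user has. I would set `fullScopeAllowed: false` and assign the needed scopes explicitly, and check that the `/guardian/*` redirect pattern is as narrow as the UI allows. The client definition starts above the hunk, so its `clientId` is not visible here.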


@@ -243,6 +243,21 @@ serverBlock: |
proxy_pass http://ums-provisioning-provisioning-api:80;
}
## guardian
location /univention/guardian/management-ui {
proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
}
location /guardian/opa {
rewrite ^/guardian/opa(/.*)$ $1 break;
proxy_pass http://ums-open-policy-agent:80/;
}
location /guardian/management {
proxy_pass http://ums-guardian-management-api:80/guardian/management;
}
location /guardian/authorization {
proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
}
}
podSecurityContext:
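Review bot: The new `location /guardian/opa` block publishes the Open Policy Agent HTTP API on the externally served UMS host, with the prefix stripped and no access restriction in the block. The authorization API already reaches OPA inside the cluster through `opaAdapterUrl: "http://ums-open-policy-agent/"`, so nothing in this commit shows a need for outside access, and OPA serves its policy and data documents to any caller unless OPA itself is configured to authenticate. Unless an external consumer exists, drop the block; otherwise restrict it, for example with `allow <trusted-cidr-placeholder>; deny all;`. The `serverBlock: |` scalar starts outside the hunk.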


@@ -457,7 +457,7 @@ charts:
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize"
oci: true
version: "1.3.1"
version: "1.5.0"
verify: true
username: ~
password: ~
@@ -567,6 +567,66 @@ charts:
username: ~
password: ~
umsGuardianManagementApi:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-server
# dataSource=helm
# dependencyType=supplier
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention"
name: "guardian-management-api"
oci: true
verify: true
version: "0.0.1"
username: ~
password: ~
umsGuardianManagementUi:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-server
# dataSource=helm
# dependencyType=supplier
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention"
name: "guardian-management-ui"
oci: true
verify: true
version: "0.0.1"
username: ~
password: ~
umsGuardianAuthorizationApi:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-server
# dataSource=helm
# dependencyType=supplier
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention"
name: "guardian-authorization-api"
oci: true
verify: true
version: "0.0.1"
username: ~
password: ~
umsOpenPolicyAgent:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-server
# dataSource=helm
# dependencyType=supplier
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention"
name: "open-policy-agent"
oci: true
verify: true
version: "0.0.1"
username: ~
password: ~
umsLdapNotifier:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
@@ -578,7 +638,7 @@ charts:
name: "ldap-notifier"
oci: true
verify: true
version: "0.7.2"
version: "0.8.2"
username: ~
password: ~
@@ -593,7 +653,7 @@ charts:
name: "ldap-server"
oci: true
verify: true
version: "0.7.2"
version: "0.8.2"
username: ~
password: ~
@@ -698,7 +758,7 @@ charts:
name: "stack-data-swp"
oci: true
verify: true
version: "0.39.5"
version: "0.41.2"
username: ~
password: ~
@@ -713,7 +773,7 @@ charts:
name: "stack-data-ums"
oci: true
verify: true
version: "0.39.5"
version: "0.41.2"
username: ~
password: ~
@@ -743,7 +803,7 @@ charts:
name: "udm-rest-api"
oci: true
verify: true
version: "0.4.3"
version: "0.5.2"
username: ~
password: ~
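Review bot: Each of the four new chart entries (`umsGuardianManagementApi`, `umsGuardianManagementUi`, `umsGuardianAuthorizationApi`, `umsOpenPolicyAgent`) carries the renovate annotation `# packageName=umc-server`, which looks copied from another entry. If Renovate honours it, these charts are tracked against the wrong package, so their `0.0.1` pins either get no update proposals or get ones meant for a different chart. Set it per entry to the chart's own name, e.g. `# packageName=guardian-management-api`, and check that the `projects/155` registry URL is the right one for these charts. The remaining hunks in this file are version bumps.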


@@ -36,6 +36,12 @@ databases:
username: "matrix_user"
password: ""
port: 5432
umsGuardianManagementApi:
name: "guardianmanagementapi"
host: "postgresql"
port: 5432
username: "guardianmanagementapi_user"
password: ""
umsNotificationsApi:
name: "notificationsapi"
host: "postgresql"


@@ -470,12 +470,44 @@ images:
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '39', '5']
umsGuardianManagementApi:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/guardian-management-api"
tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:db0a109866feb79aa2cd97db957b5c68bf58d9e2b41ddb05b8859f9445361a3f"
# @supplier: "Univention"
umsGuardianManagementUi:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/guardian-management-ui"
tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:e47091da3a6bcabd20cedbda490324a968cd1fd683bb8feed19a6f2b0377fd8b"
# @supplier: "Univention"
umsGuardianAuthorizationApi:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/guardian-authorization-api"
tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:54b4a2ac043443627b9ff7c5f9b88ce76e8af0b193ba9187ceebc47acc9a204f"
# @supplier: "Univention"
umsOpenPolicyAgent:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/guardian-opa"
tag: "0.0.1-pre-jlohmer-container-ci-2@sha256:bc515dfd18af8edecd0289b44bb8cbefa195d1a9c162357b8b13db8dcf63ba16"
# @supplier: "Univention"
umsLdapNotifier:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
repository: "souvap/tooling/images/univention/ldap-notifier"
tag: "0.7.2@sha256:cd05f5c8c6765ed5bdc1246178498a8d47e4f7ec6a75c3e0f1f69c0ee18f6e6a"
tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '7', '2']
@@ -484,7 +516,7 @@ images:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
repository: "souvap/tooling/images/univention/ldap-server"
tag: "0.7.2@sha256:591115300e67ace320333b7a865922f528a7628e693db858f20f59c3ff454b51"
tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '7', '2']
@@ -547,7 +579,7 @@ images:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=supplier
repository: "souvap/tooling/images/univention/udm-rest-api"
tag: "0.4.3@sha256:d6ae525028dd2ee108e923dee79db9c1f2f4e0e9f0df3b35de1d50ccc3d90420"
tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '4', '3']


@@ -347,6 +347,34 @@ resources:
requests:
cpu: 0.1
memory: "64Mi"
umsGuardianManagementApi:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsGuardianManagementUi:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsGuardianAuthorizationApi:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsOpenPolicyAgent:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsLdapNotifier:
limits:
cpu: 99


@@ -34,6 +34,7 @@ secrets:
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
umsGuardianManagementApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "guardianmanagementapi_user" | sha1sum | quote }}
umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
mariadb:
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
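Review bot: The added `umsGuardianManagementApiUser` line copies the `env "MASTER_PASSWORD" | default "sovereign-workplace"` fallback, so when the variable is unset the database password is derived from a string that is published in this repository. Anyone who knows the derivation inputs can then compute the credential for `guardianmanagementapi_user`. Failing the render is safer than falling back: use `(requiredEnv "MASTER_PASSWORD")` in place of `(env "MASTER_PASSWORD" | default "sovereign-workplace")`. The neighbouring lines use the same pattern and would need the same change; the `secrets:` mapping starts outside the hunk.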