sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): Add Kyverno CI Lint

Browse Source
This commit is contained in:
Dominik Kaminski
2024-01-17 18:17:44 +01:00
parent 67f7c05038
commit e778a59cdd
31 changed files with 967 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -6,5 +6,8 @@
# Ignore changes to sample environments
helmfile/environments/dev/values.yaml.gotmpl
helmfile/environments/test/values.yaml.gotmpl
helmfile/environments/prod/values.yaml.gotmpl
# Ignore in CI generated files
.kyverno/opendesk.yaml
.kyverno/kyverno-test.yaml

38
.gitlab-ci.yml
View File

@@ -12,6 +12,16 @@ include:
file: "gitlab/environments.yaml"
rules:
- if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
- local: "/.gitlab/lint/lint-opendesk.yml"
rules:
- if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
- local: "/.gitlab/lint/lint-kyverno.yml"
rules:
- if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
stages:
- ".pre"
@@ -137,8 +147,8 @@ variables:
cache: {}
dependencies: []
extends: ".environments"
image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
@sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
@sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -517,22 +527,6 @@ generate-release-assets:
variables:
ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
opendesk-linter:
cache: {}
image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
needs: []
rules:
- if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
script:
- "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
- "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
- "git diff --exit-code"
stage: "lint"
tags:
- "docker"
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
# 'cache' is used because job must contain at least one key, so cache is just a dummy key.
.environments:
@@ -613,7 +607,13 @@ release:
"@semantic-release/release-notes-generator",
"@semantic-release/changelog",
["@semantic-release/git", {
"assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"],
"assets": [
"charts/**/Chart.yaml",
"CHANGELOG.md",
"charts/**/README.md",
"helmfile/environments/default/global.generated.yaml",
".kyverno/kyverno-test.yaml"
],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}]
]

17
.gitlab/lint/lint-common.yml Normal file
View File

@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
@sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
@sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
.lint-common:
cache: {}
needs: []
stage: "lint"
tags:
- "docker"
...

35
.gitlab/lint/lint-kyverno.yml Normal file
View File

@@ -0,0 +1,35 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/lint/lint-common.yml"
lint-kyverno:
allow_failure: true
extends: ".lint-common"
image: "${OPENDESK_LINT_IMAGE}"
parallel:
matrix:
- APP:
- "collabora"
- "cryptpad"
- "element"
- "intercom-service"
- "jitsi"
- "nextcloud"
- "open-xchange"
- "openproject"
- "openproject-bootstrap"
- "provisioning"
- "services"
- "univention-management-stack"
- "xwiki"
script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
- "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
- "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "cd ${CI_PROJECT_DIR}/.kyverno"
- "kyverno test ."
...

13
.gitlab/lint/lint-opendesk.yml Normal file
View File

@@ -0,0 +1,13 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/lint/lint-common.yml"
lint-opendesk:
extends: ".lint-common"
image: "${OPENDESK_CI_CLI_IMAGE}"
script:
- "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
- "git diff --exit-code"
...

276
.kyverno/_apps.yaml Normal file
View File

@@ -0,0 +1,276 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- resource: "mariadb"
kind: "StatefulSet"
app: "services"
- resource: "postgresql"
kind: "StatefulSet"
app: "services"
- resource: "clamav-simple"
kind: "StatefulSet"
app: "services"
- resource: "redis-master"
kind: "StatefulSet"
app: "services"
- resource: "ums-store-dav"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-server"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-notifier"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-portal-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-selfservice-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-provisioning-nats"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-ui"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-authorization-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-open-policy-agent"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "open-xchange-core-mw-default"
kind: "StatefulSet"
app: "open-xchange"
- resource: "jitsi-prosody"
kind: "StatefulSet"
app: "jitsi"
- resource: "opendesk-synapse"
kind: "StatefulSet"
app: "element"
- resource: "xwiki"
kind: "StatefulSet"
app: "xwiki"
- resource: "ox-connector"
kind: "StatefulSet"
app: "provisioning"
- resource: "minio"
kind: "Deployment"
app: "services"
- resource: "memcached"
kind: "Deployment"
app: "services"
- resource: "postfix"
kind: "Deployment"
app: "services"
- resource: "ums-keycloak"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-stack-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-udm-rest-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-notifications-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-frontend"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-provisioning-nats-box"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-handler"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-proxy"
kind: "Deployment"
app: "univention-management-stack"
- resource: "intercom-service"
kind: "Deployment"
app: "intercom-service"
- resource: "dovecot"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-documentconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-guidedtours"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-imageconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-gotenberg"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware-updater"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-user-guide"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-guard-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-nextcloud-integration-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-public-sector-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "opendesk-nextcloud-apache2"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-exporter"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-php"
kind: "Deployment"
app: "nextcloud"
- resource: "collabora"
kind: "Deployment"
app: "collabora"
- resource: "jitsi-jibri"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jicofo"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jvb"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-web"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-opendesk-jitsi-keycloak-adapter"
kind: "Deployment"
app: "jitsi"
- resource: "opendesk-element"
kind: "Deployment"
app: "element"
- resource: "opendesk-well-known"
kind: "Deployment"
app: "element"
- resource: "opendesk-synapse-web"
kind: "Deployment"
app: "element"
- resource: "opendesk-matrix-user-verification-service"
kind: "Deployment"
app: "element"
- resource: "matrix-neoboard-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neochoice-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-bot"
kind: "Deployment"
app: "element"
- resource: "openproject-web"
kind: "Deployment"
app: "openproject"
- resource: "openproject-worker"
kind: "Deployment"
app: "openproject"
- resource: "mariadb-bootstrap"
kind: "Job"
app: "services"
- resource: "postgresql-bootstrap"
kind: "Job"
app: "services"
- resource: "minio-provisioning"
kind: "Job"
app: "services"
- resource: "ums-stack-data-ums-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-stack-data-swp-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-open-xchange-bootstrap"
kind: "Job"
app: "open-xchange"
- resource: "opendesk-nextcloud-management-1"
kind: "Job"
app: "nextcloud"
- resource: "jitsi-opendesk-jitsi"
kind: "Job"
app: "jitsi"
- resource: "opendesk-matrix-user-verification-service-bootstrap"
kind: "Job"
app: "element"
- resource: "matrix-neodatefix-bot-bootstrap"
kind: "Job"
app: "element"
- resource: "opendesk-openproject-bootstrap-bootstrap-1"
kind: "Job"
app: "openproject-bootstrap"
# # Has timestamp in resource name - not supported yet.
# - resource: "openproject-seeder-*"
# kind: "Job"
# - resource: "ums-store-dav-test-connection"
# kind: "Pod"
# - resource: "ums-udm-rest-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-server-test-connection"
# kind: "Pod"
# - resource: "ums-notifications-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-frontend-test-connection"
# kind: "Pod"
# - resource: "ums-provisioning-nats-test-request-reply"
# kind: "Pod"
# - resource: "ums-provisioning-provisioning-api-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-guidedtours-test-connection"
# kind: "Pod"
# - resource: "open-xchange-gotenberg-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-user-guide-test-connection"
# kind: "Pod"
# - resource: "open-xchange-guard-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-nextcloud-integration-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-public-sector-ui-test-connection"
# kind: "Pod"
# - resource: "jitsi-prosody-test-connection"
# kind: "Pod"
# - resource: "jitsi-web-test-connection"
# kind: "Pod"
# - resource: "openproject-test-connection"
# kind: "Pod"
...

55
.kyverno/policies/_policies.yaml Normal file
View File

@@ -0,0 +1,55 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- name: "require-tag-and-digest"
rule: "require-tag-and-digest"
type: "required"
- name: "disallow-default-serviceaccount"
rule: "require-sa"
type: "required"
- name: "require-imagepullsecrets"
rule: "require-imagepullsecrets"
type: "required"
- name: "disallow-latest-tag"
rule: "validate-image-tag"
type: "required"
- name: "require-imagepullpolicy-always"
rule: "require-imagepullpolicy-always"
type: "required"
- name: "require-health-and-liveness-check"
rule: "require-health-and-liveness-check"
type: "required"
excludeKinds:
- "Job"
- name: "require-requests-limits"
rule: "validate-resources"
type: "required"
- name: "restrict-image-registries"
rule: "validate-registries"
type: "required"
- name: "require-containersecuritycontext"
rule: "require-ro-rootfs"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-no-privilege-escalation"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-all-capabilities-dropped"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-no-privileged"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-run-as-user"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-run-as-group"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-seccomp-profile"
type: "required"
- name: "require-containersecuritycontext"
rule: "require-run-as-non-root"
type: "optional"
...

22
.kyverno/policies/disallow-default-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,22 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "disallow-default-serviceaccount"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-sa"
validate:
message: "serviceAccountName must be set to anything other than 'default'."
pattern:
spec:
serviceAccountName: "!default"
validationFailureAction: "audit"
...

27
.kyverno/policies/disallow-latest-tag.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "disallow-latest-tag"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "validate-image-tag"
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
pattern:
spec:
=(ephemeralContainers):
- image: "!*:latest"
=(initContainers):
- image: "!*:latest"
containers:
- image: "!*:latest"
validationFailureAction: "audit"
...

173
.kyverno/policies/require-containersecuritycontext.yaml Normal file
View File

@@ -0,0 +1,173 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-containersecuritycontext"
spec:
background: true
rules:
- name: "require-ro-rootfs"
match:
resources:
kinds:
- "Pod"
validate:
message: "Root filesystem must be read-only."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
readOnlyRootFilesystem: true
=(initContainers):
- securityContext:
readOnlyRootFilesystem: true
containers:
- securityContext:
readOnlyRootFilesystem: true
- name: "require-no-privilege-escalation"
match:
resources:
kinds:
- "Pod"
validate:
message: "Disallow privilege escalation."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
allowPrivilegeEscalation: false
=(initContainers):
- securityContext:
allowPrivilegeEscalation: false
containers:
- securityContext:
allowPrivilegeEscalation: false
- name: "require-all-capabilities-dropped"
match:
resources:
kinds:
- "Pod"
validate:
message: "Required to drop ALL linux capabilities."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
capabilities:
drop:
- "ALL"
=(initContainers):
- securityContext:
capabilities:
drop:
- "ALL"
containers:
- securityContext:
capabilities:
drop:
- "ALL"
- name: "require-no-privileged"
match:
resources:
kinds:
- "Pod"
validate:
message: "Disallow privileged container."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
privileged: false
=(initContainers):
- securityContext:
privileged: false
containers:
- securityContext:
privileged: false
- name: "require-run-as-user"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must run as non-root user."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
runAsUser: ">0"
=(initContainers):
- securityContext:
runAsUser: ">0"
containers:
- securityContext:
runAsUser: ">0"
- name: "require-run-as-group"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must run as non-root group."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
runAsGroup: ">0"
=(initContainers):
- securityContext:
runAsGroup: ">0"
containers:
- securityContext:
runAsGroup: ">0"
- name: "require-seccomp-profile"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must have seccompProfile"
pattern:
spec:
=(ephemeralContainers):
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
=(initContainers):
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
containers:
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
- name: "require-run-as-non-root"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must run in non-root mode."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
runAsNonRoot: true
=(initContainers):
- securityContext:
runAsNonRoot: true
containers:
- securityContext:
runAsNonRoot: true
validationFailureAction: "audit"
...

27
.kyverno/policies/require-health-and-liveness-check.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-health-and-liveness-check"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-health-and-liveness-check"
validate:
message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
must be set to a value greater than 0."
pattern:
spec:
containers:
- livenessProbe:
periodSeconds: ">0"
readinessProbe:
periodSeconds: ">0"
validationFailureAction: "audit"
...

40
.kyverno/policies/require-imagepullpolicy-always.yaml Normal file
View File

@@ -0,0 +1,40 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-imagepullpolicy-always"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-imagepullpolicy-always"
validate:
message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
anyPattern:
- spec:
=(ephemeralContainers):
- (image): "*:latest"
imagePullPolicy: "Always"
=(initContainers):
- (image): "*:latest"
imagePullPolicy: "Always"
containers:
- (image): "*:latest"
imagePullPolicy: "Always"
- spec:
=(ephemeralContainers):
- (image): "!*:latest"
imagePullPolicy: "IfNotPresent"
=(initContainers):
- (image): "!*:latest"
imagePullPolicy: "IfNotPresent"
containers:
- (image): "!*:latest"
imagePullPolicy: "IfNotPresent"
validationFailureAction: "audit"
...

23
.kyverno/policies/require-imagepullsecets.yaml Normal file
View File

@@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-imagepullsecrets"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-imagepullsecrets"
validate:
message: "ImagePullSecrets are required."
pattern:
spec:
imagePullSecrets:
- name: "*"
validationFailureAction: "audit"
...

28
.kyverno/policies/require-requests-limits.yaml Normal file
View File

@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-requests-limits"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "validate-resources"
validate:
message: "CPU and memory resource requests and limits are required."
pattern:
spec:
containers:
- resources:
limits:
memory: "?*"
requests:
cpu: "?*"
memory: "?*"
validationFailureAction: "audit"
...

27
.kyverno/policies/require-tag-and-digest.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-tag-and-digest"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-tag-and-digest"
validate:
message: "An image tag and digest required."
pattern:
spec:
=(ephemeralContainers):
- image: "*:*@sha256:*"
=(initContainers):
- image: "*:*@sha256:*"
containers:
- image: "*:*@sha256:*"
validationFailureAction: "audit"
...

27
.kyverno/policies/restrict-image-registries.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "restrict-image-registries"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "validate-registries"
validate:
message: "Unknown image registry."
pattern:
spec:
=(ephemeralContainers):
- image: "external-registry.souvap-univention.de/*"
=(initContainers):
- image: "external-registry.souvap-univention.de/*"
containers:
- image: "external-registry.souvap-univention.de/*"
validationFailureAction: "audit"
...

6
helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
View File

@@ -56,9 +56,8 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# TODO: The health endpoint does not work with the haproxy configuration, yet
livenessProbe:
enabled: false
enabled: true
persistence:
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
@@ -68,9 +67,8 @@ podSecurityContext:
enabled: true
fsGroup: 101
# TODO: The health endpoint does not work with the haproxy configuration, yet
readinessProbe:
enabled: false
enabled: true
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}

14
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
View File

@@ -21,4 +21,18 @@ image:
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
...

17
helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
View File

@@ -62,6 +62,9 @@ jitsi:
TURN_ENABLE: "1"
resources:
{{ .Values.resources.jitsi | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
prosody:
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -98,6 +101,9 @@ jitsi:
persistence:
size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
jicofo:
replicaCount: {{ .Values.replicas.jicofo }}
image:
@@ -108,6 +114,9 @@ jitsi:
componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
jvb:
replicaCount: {{ .Values.replicas.jvb }}
image:
@@ -119,6 +128,9 @@ jitsi:
{{ .Values.resources.jvb | toYaml | nindent 6 }}
service:
type: {{ .Values.cluster.service.type | quote }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
jibri:
replicaCount: {{ .Values.replicas.jibri }}
image:
@@ -130,6 +142,9 @@ jitsi:
password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
@@ -143,6 +158,8 @@ patchJVB:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

6
helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
View File

@@ -92,6 +92,8 @@ appsuite:
masterAdmin: "admin"
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
serviceAccount:
create: true
features:
status:
# enable admin pack
@@ -413,6 +415,8 @@ appsuite:
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
core-documents-collaboration:
enabled: false
@@ -481,6 +485,8 @@ appsuite:
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
guard-ui:
enabled: true

4
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -71,7 +71,7 @@ environment:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
repository: {{ .Values.images.openproject.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.openproject.tag | quote }}
initdb:
@@ -79,7 +79,7 @@ initdb:
registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
repository: {{ .Values.images.openprojectInitDb.repository | quote }}
tag: {{ .Values.images.openprojectInitDb.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
memcached:
bundled: false

21
helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
View File

@@ -59,6 +59,27 @@ probes:
failureThreshold: 30
successThreshold: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
serviceAccount:
create: true

2
helmfile/apps/services/values-minio.yaml.gotmpl
View File

@@ -167,6 +167,8 @@ provisioning:
policies:
- "nextcloud-bucket-policy"
setPolicies: true
resources:
{{ .Values.resources.minio | toYaml | nindent 4 }}
readinessProbe:
enabled: true

1
helmfile/apps/services/values-postgresql.yaml.gotmpl
View File

@@ -7,6 +7,7 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:

9
helmfile/apps/services/values-redis.yaml.gotmpl
View File

@@ -20,6 +20,15 @@ image:
master:
containerSecurityContext:
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: "RuntimeDefault"
capabilities:
drop:
- "ALL"
count: {{ .Values.replicas.redis }}
persistence:
size: {{ .Values.persistence.size.redis | quote }}

22
helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
View File

@@ -1,5 +1,7 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
@@ -11,6 +13,22 @@ image:
- name: {{ . | quote }}
{{- end }}
nats:
global:
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecretNames: {{ .Values.global.imagePullSecrets }}
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
container:
image:
repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
natsBox:
container:
image:
repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
provisioningApi:
rootPath: "/univention/provisioning-api"

27
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
View File

@@ -1,6 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
fullnameOverride: "ums-stack-gateway"
image:
@@ -28,19 +32,27 @@ podSecurityContext:
enabled: true
fsGroup: 1001
securityContext:
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
service:
type: "ClusterIP"
serviceAccount:
create: true
fullnameOverride: "ums-stack-gateway"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
@@ -289,7 +301,4 @@ serverBlock: |
}
service:
type: "ClusterIP"
...

4
helmfile/apps/xwiki/values.yaml.gotmpl
View File

@@ -15,6 +15,8 @@ externalDB:
database: {{ .Values.databases.xwiki.name | quote }}
user: {{ .Values.databases.xwiki.username | quote }}
host: {{ .Values.databases.xwiki.host | quote }}
customKeyRef:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: false
@@ -25,6 +27,8 @@ containerSecurityContext:
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
customConfigs:
xwiki.cfg:

28
helmfile/environments/default/charts.yaml
View File

@@ -85,7 +85,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-element"
version: "2.6.3"
version: "2.6.6"
verify: true
# @supplier: "openDesk"
@@ -97,7 +97,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-well-known"
version: "2.6.3"
version: "2.6.6"
verify: true
# @supplier: "openDesk"
@@ -135,7 +135,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
name: "opendesk-jitsi"
version: "1.7.4"
version: "1.7.8"
verify: true
# @supplier: "openDesk"
@@ -159,7 +159,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
name: "matrix-neoboard-widget"
version: "3.4.0"
version: "3.4.1"
verify: true
# @supplier: "openDesk"
@@ -171,7 +171,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
name: "matrix-neochoice-widget"
version: "3.4.0"
version: "3.4.1"
verify: true
# @supplier: "openDesk"
@@ -183,7 +183,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
name: "matrix-neodatefix-bot"
version: "3.4.0"
version: "3.4.1"
verify: true
# @supplier: "openDesk"
@@ -195,7 +195,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
name: "matrix-neodatefix-widget"
version: "3.4.0"
version: "3.4.1"
verify: true
# @supplier: "openDesk"
@@ -207,7 +207,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-matrix-user-verification-service"
version: "2.6.3"
version: "2.6.6"
verify: true
# @supplier: "openDesk"
@@ -279,7 +279,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
name: "opendesk-keycloak-bootstrap"
version: "1.0.5"
version: "1.0.6"
verify: true
# @supplier: "openDesk"
@@ -305,7 +305,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
name: "opendesk-openproject-bootstrap"
version: "1.2.3"
version: "1.3.0"
verify: true
# @supplier: "openDesk"
@@ -404,7 +404,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-synapse"
version: "2.6.3"
version: "2.6.6"
verify: true
# @supplier: "openDesk"
@@ -416,7 +416,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-synapse-create-account"
version: "2.6.3"
version: "2.6.6"
verify: true
# @supplier: "openDesk"
@@ -428,7 +428,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-synapse-web"
version: "2.6.3"
version: "2.6.6"
verify: true
# @supplier: "openDesk"
@@ -510,7 +510,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "keycloak-extensions"
version: "0.0.5"
version: "0.1.0"
verify: true
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'

16
helmfile/environments/default/images.yaml
View File

@@ -698,6 +698,22 @@ images:
# @supplier: "Univention"
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
# @mirrorFrom: ['0', '4', '0']
umsProvisioningNats:
# renovate:
# upstreamRegistry=docker.io
# upstreamRepository=nats
# dependencyType=external
registry: "docker.io"
repository: "nats"
tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
umsProvisioningNatsBox:
# renovate:
# upstreamRegistry=docker.io
# upstreamRepository=nats
# dependencyType=external
registry: "docker.io"
repository: "natsio/nats-box"
tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
umsSelfserviceInvitation:
# renovate:
# upstreamRegistry=registry.souvap-univention.de

8
helmfile/environments/test/values.yaml.gotmpl Normal file
View File

@@ -0,0 +1,8 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
...