From e778a59cddecc7c73b827e03af5e47ddd5c3dcee Mon Sep 17 00:00:00 2001 
From: Dominik Kaminski Date: Wed, 17 Jan 2024 18:17:44 +0100 Subject: [PATCH] fix(ci): Add Kyverno CI Lint --- .gitignore | 5 +- .gitlab-ci.yml | 38 +-- .gitlab/lint/lint-common.yml | 17 ++ .gitlab/lint/lint-kyverno.yml | 35 +++ .gitlab/lint/lint-opendesk.yml | 13 + .kyverno/_apps.yaml | 276 ++++++++++++++++++ .kyverno/policies/_policies.yaml | 55 ++++ .../disallow-default-serviceaccount.yaml | 22 ++ .kyverno/policies/disallow-latest-tag.yaml | 27 ++ .../require-containersecuritycontext.yaml | 173 +++++++++++ .../require-health-and-liveness-check.yaml | 27 ++ .../require-imagepullpolicy-always.yaml | 40 +++ .../policies/require-imagepullsecets.yaml | 23 ++ .../policies/require-requests-limits.yaml | 28 ++ .kyverno/policies/require-tag-and-digest.yaml | 27 ++ .../policies/restrict-image-registries.yaml | 27 ++ .../values-matrix-neodatefix-bot.yaml.gotmpl | 6 +- ...verification-service-bootstrap.yaml.gotmpl | 14 + helmfile/apps/jitsi/values-jitsi.yaml.gotmpl | 17 ++ .../values-openxchange.yaml.gotmpl | 6 + helmfile/apps/openproject/values.yaml.gotmpl | 4 +- .../values-oxconnector.yaml.gotmpl | 21 ++ .../apps/services/values-minio.yaml.gotmpl | 2 + .../services/values-postgresql.yaml.gotmpl | 1 + .../apps/services/values-redis.yaml.gotmpl | 9 + .../values-provisioning.yaml.gotmpl | 22 +- .../values-ums-stack-gateway.yaml.gotmpl | 27 +- helmfile/apps/xwiki/values.yaml.gotmpl | 4 + helmfile/environments/default/charts.yaml | 28 +- helmfile/environments/default/images.yaml | 16 + helmfile/environments/test/values.yaml.gotmpl | 8 + 31 files changed, 967 insertions(+), 51 deletions(-) create mode 100644 .gitlab/lint/lint-common.yml create mode 100644 .gitlab/lint/lint-kyverno.yml create mode 100644 .gitlab/lint/lint-opendesk.yml create mode 100644 .kyverno/_apps.yaml create mode 100644 .kyverno/policies/_policies.yaml create mode 100644 .kyverno/policies/disallow-default-serviceaccount.yaml create mode 100644 .kyverno/policies/disallow-latest-tag.yaml create mode 100644 
.kyverno/policies/require-containersecuritycontext.yaml create mode 100644 .kyverno/policies/require-health-and-liveness-check.yaml create mode 100644 .kyverno/policies/require-imagepullpolicy-always.yaml create mode 100644 .kyverno/policies/require-imagepullsecets.yaml create mode 100644 .kyverno/policies/require-requests-limits.yaml create mode 100644 .kyverno/policies/require-tag-and-digest.yaml create mode 100644 .kyverno/policies/restrict-image-registries.yaml create mode 100644 helmfile/environments/test/values.yaml.gotmpl diff --git a/.gitignore b/.gitignore index 32ce09ac..074dc27a 100755 --- a/.gitignore +++ b/.gitignore @@ -6,5 +6,8 @@ # Ignore changes to sample environments helmfile/environments/dev/values.yaml.gotmpl -helmfile/environments/test/values.yaml.gotmpl helmfile/environments/prod/values.yaml.gotmpl + +# Ignore in CI generated files +.kyverno/opendesk.yaml +.kyverno/kyverno-test.yaml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 65f50f1b..761ec13b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -12,6 +12,16 @@ include: file: "gitlab/environments.yaml" rules: - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'" + - local: "/.gitlab/lint/lint-opendesk.yml" + rules: + - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'" + when: "never" + - when: "always" + - local: "/.gitlab/lint/lint-kyverno.yml" + rules: + - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'" + when: "never" + - when: "always" stages: - ".pre" 
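Review bot: `.kyverno/kyverno-test.yaml` is added to `.gitignore` here and, in the `release` hunk of `.gitlab-ci.yml` later in this patch, also appended to the `@semantic-release/git` `assets` list as a file to commit on release; one of the two is wrong. If the release plugin force-adds its assets, a CI-generated file gets committed despite the ignore entry; if it does not, the asset entry is dead. Either drop the asset entry or remove the ignore line and commit the generated test file deliberately, with a comment in whichever file keeps it saying why.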
@@ -137,8 +147,8 @@ variables: cache: {} dependencies: [] extends: ".environments" - image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\ - @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5" + image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\ + @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a" script: - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}" # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD @@ -517,22 +527,6 @@ generate-release-assets: variables: ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator" -opendesk-linter: - cache: {} - image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1" - needs: [] - rules: - - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'" - when: "never" - - when: "always" - script: - - "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml" - - "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml" - - "git diff --exit-code" - stage: "lint" - tags: - - "docker" - # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false. # 'cache' is used because job must contain at least one key, so cache is just a dummy key. .environments: @@ -613,7 +607,13 @@ release: "@semantic-release/release-notes-generator", "@semantic-release/changelog", ["@semantic-release/git", { - "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"], + "assets": [ + "charts/**/Chart.yaml", + "CHANGELOG.md", + "charts/**/README.md", + "helmfile/environments/default/global.generated.yaml", + ".kyverno/kyverno-test.yaml" + ], "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" }] ] 
diff --git a/.gitlab/lint/lint-common.yml b/.gitlab/lint/lint-common.yml new file mode 100644 index 00000000..ec548b3c --- /dev/null +++ b/.gitlab/lint/lint-common.yml @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +variables: + OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\ + @sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7" + OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\ + @sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a" + +.lint-common: + cache: {} + needs: [] + stage: "lint" + tags: + - "docker" + +... diff --git a/.gitlab/lint/lint-kyverno.yml b/.gitlab/lint/lint-kyverno.yml new file mode 100644 index 00000000..6e536f36 --- /dev/null +++ b/.gitlab/lint/lint-kyverno.yml 
@@ -0,0 +1,35 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +include: + - local: "/.gitlab/lint/lint-common.yml" + +lint-kyverno: + allow_failure: true + extends: ".lint-common" + image: "${OPENDESK_LINT_IMAGE}" + parallel: + matrix: + - APP: + - "collabora" + - "cryptpad" + - "element" + - "intercom-service" + - "jitsi" + - "nextcloud" + - "open-xchange" + - "openproject" + - "openproject-bootstrap" + - "provisioning" + - "services" + - "univention-management-stack" + - "xwiki" + script: + - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}" + - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml" + - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}" + - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml" + - "cd ${CI_PROJECT_DIR}/.kyverno" + - "kyverno test ." + +... diff --git a/.gitlab/lint/lint-opendesk.yml b/.gitlab/lint/lint-opendesk.yml new file mode 100644 index 00000000..85f422c0 --- /dev/null +++ b/.gitlab/lint/lint-opendesk.yml @@ -0,0 +1,13 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +include: + - local: "/.gitlab/lint/lint-common.yml" + +lint-opendesk: + extends: ".lint-common" + image: "${OPENDESK_CI_CLI_IMAGE}" + script: + - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile" + - "git diff --exit-code" +... diff --git a/.kyverno/_apps.yaml b/.kyverno/_apps.yaml new file mode 100644 index 00000000..ec390763 --- /dev/null +++ b/.kyverno/_apps.yaml 
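Review bot: `allow_failure: true` on `lint-kyverno` means a policy violation can never fail the pipeline, so the new gate is advisory only, and the include rules added in `.gitlab-ci.yml` skip the job for `merge_request_event`, so a regression is only ever visible as a yellow job on a branch pipeline. If this is a deliberate soft launch, mark it next to the key (`allow_failure: true  # TODO: remove once every APP in the matrix passes`) so the removal is tracked; otherwise drop the line so violations block. Note also that `-t required` presumably restricts test generation to rules typed `required` in `.kyverno/policies/_policies.yaml`, which narrows what this job actually checks.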
@@ -0,0 +1,276 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +pod: + - resource: "mariadb" + kind: "StatefulSet" + app: "services" + - resource: "postgresql" + kind: "StatefulSet" + app: "services" + - resource: "clamav-simple" + kind: "StatefulSet" + app: "services" + - resource: "redis-master" + kind: "StatefulSet" + app: "services" + - resource: "ums-store-dav" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-ldap-server" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-ldap-notifier" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-portal-listener" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-selfservice-listener" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-provisioning-nats" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-guardian-management-api" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-guardian-management-ui" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-guardian-authorization-api" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "ums-open-policy-agent" + kind: "StatefulSet" + app: "univention-management-stack" + - resource: "open-xchange-core-mw-default" + kind: "StatefulSet" + app: "open-xchange" + - resource: "jitsi-prosody" + kind: "StatefulSet" + app: "jitsi" + - resource: "opendesk-synapse" + kind: "StatefulSet" + app: "element" + - resource: "xwiki" + kind: "StatefulSet" + app: "xwiki" + - resource: "ox-connector" + kind: "StatefulSet" + app: "provisioning" + - resource: "minio" + kind: "Deployment" + app: "services" + - resource: "memcached" + kind: "Deployment" + app: "services" + - resource: "postfix" + kind: "Deployment" + app: "services" + - resource: 
"ums-keycloak" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-stack-gateway" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-udm-rest-api" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-portal-server" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-notifications-api" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-portal-frontend" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-umc-gateway" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-umc-server" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-provisioning-nats-box" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-keycloak-extensions-handler" + kind: "Deployment" + app: "univention-management-stack" + - resource: "ums-keycloak-extensions-proxy" + kind: "Deployment" + app: "univention-management-stack" + - resource: "intercom-service" + kind: "Deployment" + app: "intercom-service" + - resource: "dovecot" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-documentconverter" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-guidedtours" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-imageconverter" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-gotenberg" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-ui-middleware" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-ui-middleware-updater" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-ui" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-core-user-guide" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-guard-ui" + kind: "Deployment" + app: "open-xchange" + - resource: 
"open-xchange-nextcloud-integration-ui" + kind: "Deployment" + app: "open-xchange" + - resource: "open-xchange-public-sector-ui" + kind: "Deployment" + app: "open-xchange" + - resource: "opendesk-nextcloud-apache2" + kind: "Deployment" + app: "nextcloud" + - resource: "opendesk-nextcloud-exporter" + kind: "Deployment" + app: "nextcloud" + - resource: "opendesk-nextcloud-php" + kind: "Deployment" + app: "nextcloud" + - resource: "collabora" + kind: "Deployment" + app: "collabora" + - resource: "jitsi-jibri" + kind: "Deployment" + app: "jitsi" + - resource: "jitsi-jicofo" + kind: "Deployment" + app: "jitsi" + - resource: "jitsi-jvb" + kind: "Deployment" + app: "jitsi" + - resource: "jitsi-web" + kind: "Deployment" + app: "jitsi" + - resource: "jitsi-opendesk-jitsi-keycloak-adapter" + kind: "Deployment" + app: "jitsi" + - resource: "opendesk-element" + kind: "Deployment" + app: "element" + - resource: "opendesk-well-known" + kind: "Deployment" + app: "element" + - resource: "opendesk-synapse-web" + kind: "Deployment" + app: "element" + - resource: "opendesk-matrix-user-verification-service" + kind: "Deployment" + app: "element" + - resource: "matrix-neoboard-widget" + kind: "Deployment" + app: "element" + - resource: "matrix-neochoice-widget" + kind: "Deployment" + app: "element" + - resource: "matrix-neodatefix-widget" + kind: "Deployment" + app: "element" + - resource: "matrix-neodatefix-bot" + kind: "Deployment" + app: "element" + - resource: "openproject-web" + kind: "Deployment" + app: "openproject" + - resource: "openproject-worker" + kind: "Deployment" + app: "openproject" + - resource: "mariadb-bootstrap" + kind: "Job" + app: "services" + - resource: "postgresql-bootstrap" + kind: "Job" + app: "services" + - resource: "minio-provisioning" + kind: "Job" + app: "services" + - resource: "ums-stack-data-ums-1" + kind: "Job" + app: "univention-management-stack" + - resource: "ums-stack-data-swp-1" + kind: "Job" + app: "univention-management-stack" + - resource: 
"ums-keycloak-bootstrap-bootstrap-1" + kind: "Job" + app: "univention-management-stack" + - resource: "opendesk-keycloak-bootstrap-bootstrap-1" + kind: "Job" + app: "univention-management-stack" + - resource: "opendesk-open-xchange-bootstrap" + kind: "Job" + app: "open-xchange" + - resource: "opendesk-nextcloud-management-1" + kind: "Job" + app: "nextcloud" + - resource: "jitsi-opendesk-jitsi" + kind: "Job" + app: "jitsi" + - resource: "opendesk-matrix-user-verification-service-bootstrap" + kind: "Job" + app: "element" + - resource: "matrix-neodatefix-bot-bootstrap" + kind: "Job" + app: "element" + - resource: "opendesk-openproject-bootstrap-bootstrap-1" + kind: "Job" + app: "openproject-bootstrap" +# # Has timestamp in resource name - not supported yet. +# - resource: "openproject-seeder-*" +# kind: "Job" +# - resource: "ums-store-dav-test-connection" +# kind: "Pod" +# - resource: "ums-udm-rest-api-test-connection" +# kind: "Pod" +# - resource: "ums-portal-server-test-connection" +# kind: "Pod" +# - resource: "ums-notifications-api-test-connection" +# kind: "Pod" +# - resource: "ums-portal-frontend-test-connection" +# kind: "Pod" +# - resource: "ums-provisioning-nats-test-request-reply" +# kind: "Pod" +# - resource: "ums-provisioning-provisioning-api-test-connection" +# kind: "Pod" +# - resource: "open-xchange-core-guidedtours-test-connection" +# kind: "Pod" +# - resource: "open-xchange-gotenberg-test-connection" +# kind: "Pod" +# - resource: "open-xchange-core-ui-test-connection" +# kind: "Pod" +# - resource: "open-xchange-core-user-guide-test-connection" +# kind: "Pod" +# - resource: "open-xchange-guard-ui-test-connection" +# kind: "Pod" +# - resource: "open-xchange-nextcloud-integration-ui-test-connection" +# kind: "Pod" +# - resource: "open-xchange-public-sector-ui-test-connection" +# kind: "Pod" +# - resource: "jitsi-prosody-test-connection" +# kind: "Pod" +# - resource: "jitsi-web-test-connection" +# kind: "Pod" +# - resource: "openproject-test-connection" 
+# kind: "Pod" +... diff --git a/.kyverno/policies/_policies.yaml b/.kyverno/policies/_policies.yaml new file mode 100644 index 00000000..32bd10c4 --- /dev/null +++ b/.kyverno/policies/_policies.yaml @@ -0,0 +1,55 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +pod: + - name: "require-tag-and-digest" + rule: "require-tag-and-digest" + type: "required" + - name: "disallow-default-serviceaccount" + rule: "require-sa" + type: "required" + - name: "require-imagepullsecrets" + rule: "require-imagepullsecrets" + type: "required" + - name: "disallow-latest-tag" + rule: "validate-image-tag" + type: "required" + - name: "require-imagepullpolicy-always" + rule: "require-imagepullpolicy-always" + type: "required" + - name: "require-health-and-liveness-check" + rule: "require-health-and-liveness-check" + type: "required" + excludeKinds: + - "Job" + - name: "require-requests-limits" + rule: "validate-resources" + type: "required" + - name: "restrict-image-registries" + rule: "validate-registries" + type: "required" + - name: "require-containersecuritycontext" + rule: "require-ro-rootfs" + type: "optional" + - name: "require-containersecuritycontext" + rule: "require-no-privilege-escalation" + type: "optional" + - name: "require-containersecuritycontext" + rule: "require-all-capabilities-dropped" + type: "optional" + - name: "require-containersecuritycontext" + rule: "require-no-privileged" + type: "optional" + - name: "require-containersecuritycontext" + rule: "require-run-as-user" + type: "optional" + - name: "require-containersecuritycontext" + rule: "require-run-as-group" + type: "optional" + - name: "require-containersecuritycontext" + rule: "require-seccomp-profile" + type: "required" + - name: "require-containersecuritycontext" + rule: "require-run-as-non-root" + type: "optional" +... 
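Review bot: `.kyverno/_apps.yaml` has no header explaining what the `pod:` list is or how `resource`, `kind` and `app` are consumed, although every entry must match a rendered resource name and the helmfile app directory (the `fullnameOverride` added to the user-verification bootstrap job in this same patch exists, as far as I can tell, to satisfy one of these entries). A comment such as `# Workloads checked by lint-kyverno: 'resource' is the rendered metadata.name, 'app' the helmfile/apps directory that renders it.` at the top would prevent drift. The commented-out block at the end is unchecked by CI; the comment covers the timestamped seeder Job but not why the `*-test-connection` Pods are excluded, which deserves a line of its own.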
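Review bot: Seven of the eight `require-containersecuritycontext` rules are typed `optional`, and `lint-kyverno` calls `generate-kyverno-tests ... -t required`; if `-t` filters on this `type` field as the name suggests, read-only rootfs, privilege escalation, capabilities, `privileged` and run-as-user/group/non-root are not exercised in CI at all — only `require-seccomp-profile` is. This patch already sets `privileged: false` and `allowPrivilegeEscalation: false` in the postgresql, redis, oxconnector and bootstrap values, so `require-no-privileged` and `require-no-privilege-escalation` look ready to become `type: "required"`. A one-line comment above the list stating what `optional` means here (no test generated) would help the next reader judge the gate's real coverage.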
diff --git a/.kyverno/policies/disallow-default-serviceaccount.yaml b/.kyverno/policies/disallow-default-serviceaccount.yaml new file mode 100644 index 00000000..c0d03064 --- /dev/null +++ b/.kyverno/policies/disallow-default-serviceaccount.yaml @@ -0,0 +1,22 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-default-serviceaccount" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "require-sa" + validate: + message: "serviceAccountName must be set to anything other than 'default'." + pattern: + spec: + serviceAccountName: "!default" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/disallow-latest-tag.yaml b/.kyverno/policies/disallow-latest-tag.yaml new file mode 100644 index 00000000..0f7480f5 --- /dev/null +++ b/.kyverno/policies/disallow-latest-tag.yaml @@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "disallow-latest-tag" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "validate-image-tag" + validate: + message: "Using a mutable image tag e.g. 'latest' is not allowed." + pattern: + spec: + =(ephemeralContainers): + - image: "!*:latest" + =(initContainers): + - image: "!*:latest" + containers: + - image: "!*:latest" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/require-containersecuritycontext.yaml b/.kyverno/policies/require-containersecuritycontext.yaml new file mode 100644 index 00000000..ec1e9b44 --- /dev/null +++ b/.kyverno/policies/require-containersecuritycontext.yaml 
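Review bot: `serviceAccountName: "!default"` addresses the name only; a dedicated service account that still automounts its token hands a compromised container an API credential just as the default one does, so a companion rule on `automountServiceAccountToken: false`, or a comment stating that RBAC rather than this policy bounds the account, would make the intent explicit. As far as I recall Kyverno fails a pattern whose key is absent from the resource, so an omitted `serviceAccountName` is also reported; the `message` could say so: `message: "serviceAccountName must be set and must not be 'default'."`.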
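Review bot: `image: "!*:latest"` does not catch an image reference with no tag at all, which the runtime resolves to `latest`; that case is only rejected because `require-tag-and-digest` is also in the required set. A comment on the rule recording that dependency, e.g. `# Untagged images are rejected by require-tag-and-digest`, keeps the gap from reopening if that policy is ever relaxed.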
@@ -0,0 +1,173 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-containersecuritycontext" +spec: + background: true + rules: + - name: "require-ro-rootfs" + match: + resources: + kinds: + - "Pod" + validate: + message: "Root filesystem must be read-only." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + readOnlyRootFilesystem: true + =(initContainers): + - securityContext: + readOnlyRootFilesystem: true + containers: + - securityContext: + readOnlyRootFilesystem: true + + - name: "require-no-privilege-escalation" + match: + resources: + kinds: + - "Pod" + validate: + message: "Disallow privilege escalation." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + allowPrivilegeEscalation: false + =(initContainers): + - securityContext: + allowPrivilegeEscalation: false + containers: + - securityContext: + allowPrivilegeEscalation: false + + - name: "require-all-capabilities-dropped" + match: + resources: + kinds: + - "Pod" + validate: + message: "Required to drop ALL linux capabilities." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + capabilities: + drop: + - "ALL" + =(initContainers): + - securityContext: + capabilities: + drop: + - "ALL" + containers: + - securityContext: + capabilities: + drop: + - "ALL" + + - name: "require-no-privileged" + match: + resources: + kinds: + - "Pod" + validate: + message: "Disallow privileged container." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + privileged: false + =(initContainers): + - securityContext: + privileged: false + containers: + - securityContext: + privileged: false + + - name: "require-run-as-user" + match: + resources: + kinds: + - "Pod" + validate: + message: "Container must run as non-root user." 
+ pattern: + spec: + =(ephemeralContainers): + - securityContext: + runAsUser: ">0" + =(initContainers): + - securityContext: + runAsUser: ">0" + containers: + - securityContext: + runAsUser: ">0" + + - name: "require-run-as-group" + match: + resources: + kinds: + - "Pod" + validate: + message: "Container must run as non-root group." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + runAsGroup: ">0" + =(initContainers): + - securityContext: + runAsGroup: ">0" + containers: + - securityContext: + runAsGroup: ">0" + + - name: "require-seccomp-profile" + match: + resources: + kinds: + - "Pod" + validate: + message: "Container must have seccompProfile" + pattern: + spec: + =(ephemeralContainers): + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + =(initContainers): + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + containers: + - securityContext: + seccompProfile: + type: "RuntimeDefault | Localhost" + + - name: "require-run-as-non-root" + match: + resources: + kinds: + - "Pod" + validate: + message: "Container must run in non-root mode." + pattern: + spec: + =(ephemeralContainers): + - securityContext: + runAsNonRoot: true + =(initContainers): + - securityContext: + runAsNonRoot: true + containers: + - securityContext: + runAsNonRoot: true + + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/require-health-and-liveness-check.yaml b/.kyverno/policies/require-health-and-liveness-check.yaml new file mode 100644 index 00000000..87021d21 --- /dev/null +++ b/.kyverno/policies/require-health-and-liveness-check.yaml 
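Review bot: The `require-run-as-user`, `require-run-as-group`, `require-run-as-non-root` and `require-seccomp-profile` rules only inspect `containers[].securityContext`, but Kubernetes also accepts these fields at `spec.securityContext`, where they apply to every container that does not override them; a chart that sets them at pod level (the neodatefix-bot values in this patch use a `podSecurityContext` block) is reported as a violation although it is compliant. The usual shape is an `anyPattern` whose first alternative accepts the pod-level value while forbidding a weaker container-level override, and whose second alternative is the present container-level pattern; below is `require-run-as-user` rewritten that way, and the other three follow the same shape. This hunk starts on the previous source line.
```yaml
  - name: "require-run-as-user"
    match:
      resources:
        kinds:
          - "Pod"
    validate:
      message: "Container must run as non-root user."
      anyPattern:
        # Pod-level value applies to every container that does not override it.
        - spec:
            securityContext:
              runAsUser: ">0"
            =(ephemeralContainers):
              - =(securityContext):
                  =(runAsUser): ">0"
            =(initContainers):
              - =(securityContext):
                  =(runAsUser): ">0"
            containers:
              - =(securityContext):
                  =(runAsUser): ">0"
        # Otherwise every container must set it itself.
        - spec:
            =(ephemeralContainers):
              - securityContext:
                  runAsUser: ">0"
            =(initContainers):
              - securityContext:
                  runAsUser: ">0"
            containers:
              - securityContext:
                  runAsUser: ">0"

  # … unchanged: require-run-as-group, require-seccomp-profile, require-run-as-non-root (same reshaping), validationFailureAction …
```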
@@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-health-and-liveness-check" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "require-health-and-liveness-check" + validate: + message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds + must be set to a value greater than 0." + pattern: + spec: + containers: + - livenessProbe: + periodSeconds: ">0" + readinessProbe: + periodSeconds: ">0" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/require-imagepullpolicy-always.yaml b/.kyverno/policies/require-imagepullpolicy-always.yaml new file mode 100644 index 00000000..b4da3842 --- /dev/null +++ b/.kyverno/policies/require-imagepullpolicy-always.yaml @@ -0,0 +1,40 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-imagepullpolicy-always" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "require-imagepullpolicy-always" + validate: + message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used." + anyPattern: + - spec: + =(ephemeralContainers): + - (image): "*:latest" + imagePullPolicy: "Always" + =(initContainers): + - (image): "*:latest" + imagePullPolicy: "Always" + containers: + - (image): "*:latest" + imagePullPolicy: "Always" + - spec: + =(ephemeralContainers): + - (image): "!*:latest" + imagePullPolicy: "IfNotPresent" + =(initContainers): + - (image): "!*:latest" + imagePullPolicy: "IfNotPresent" + containers: + - (image): "!*:latest" + imagePullPolicy: "IfNotPresent" + validationFailureAction: "audit" +... 
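Review bot: The `anyPattern` in `require-imagepullpolicy-always` passes for exactly the case the rule is meant to catch: a pod whose only image is `*:latest` with `imagePullPolicy: "IfNotPresent"` fails the first alternative, but in the second the conditional anchor `(image): "!*:latest"` does not match, so that element is skipped and the pod passes — at least as I read Kyverno's conditional-anchor semantics. If the intent is only what `message` states, replace `anyPattern:` with `pattern:` and keep just the first block (`spec:` at the indent of the former `- spec:`); if non-latest images genuinely must use `IfNotPresent`, that is a second rule with its own message. Today the gap is masked only because `disallow-latest-tag` is also required.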
diff --git a/.kyverno/policies/require-imagepullsecets.yaml b/.kyverno/policies/require-imagepullsecets.yaml new file mode 100644 index 00000000..16211cea --- /dev/null +++ b/.kyverno/policies/require-imagepullsecets.yaml @@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-imagepullsecrets" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "require-imagepullsecrets" + validate: + message: "ImagePullSecrets are required." + pattern: + spec: + imagePullSecrets: + - name: "*" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/require-requests-limits.yaml b/.kyverno/policies/require-requests-limits.yaml new file mode 100644 index 00000000..692ef52e --- /dev/null +++ b/.kyverno/policies/require-requests-limits.yaml @@ -0,0 +1,28 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-requests-limits" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "validate-resources" + validate: + message: "CPU and memory resource requests and limits are required." + pattern: + spec: + containers: + - resources: + limits: + memory: "?*" + requests: + cpu: "?*" + memory: "?*" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/require-tag-and-digest.yaml b/.kyverno/policies/require-tag-and-digest.yaml new file mode 100644 index 00000000..8ba1cd27 --- /dev/null +++ b/.kyverno/policies/require-tag-and-digest.yaml 
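Review bot: The file is named `require-imagepullsecets.yaml` while `metadata.name` and the `_policies.yaml` entry say `require-imagepullsecrets`; rename the file so grep and the policy name agree. The pattern `name: "*"` also accepts an empty name, whereas `require-requests-limits` uses `"?*"` for at least one character; `name: "?*"` keeps the two policies consistent.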
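Review bot: `message` says CPU and memory requests and limits are required, but the pattern only requires `limits.memory`; either add `cpu: "?*"` under `limits` or make the message honest, `message: "Memory limits and CPU/memory requests are required."`. The rule also inspects `containers` only; init containers carry `resources` too, and an `=(initContainers)` block as in the sibling policies would cover them.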
@@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "require-tag-and-digest" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "require-tag-and-digest" + validate: + message: "An image tag and digest required." + pattern: + spec: + =(ephemeralContainers): + - image: "*:*@sha256:*" + =(initContainers): + - image: "*:*@sha256:*" + containers: + - image: "*:*@sha256:*" + validationFailureAction: "audit" +... diff --git a/.kyverno/policies/restrict-image-registries.yaml b/.kyverno/policies/restrict-image-registries.yaml new file mode 100644 index 00000000..7cb6c4b2 --- /dev/null +++ b/.kyverno/policies/restrict-image-registries.yaml @@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +# SPDX-License-Identifier: Apache-2.0 +--- +apiVersion: "kyverno.io/v1" +kind: "ClusterPolicy" +metadata: + name: "restrict-image-registries" +spec: + background: true + rules: + - match: + resources: + kinds: + - "Pod" + name: "validate-registries" + validate: + message: "Unknown image registry." + pattern: + spec: + =(ephemeralContainers): + - image: "external-registry.souvap-univention.de/*" + =(initContainers): + - image: "external-registry.souvap-univention.de/*" + containers: + - image: "external-registry.souvap-univention.de/*" + validationFailureAction: "audit" +... diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl index 615bd5ad..9aab0973 100644 --- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl 
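Review bot: `"*:*@sha256:*"` is satisfied by a registry with a port and no tag (`host:5000/image@sha256:…`), because the first `*:*` can match the host:port part, so a digest-only reference passes although the policy's name promises a tag. Since pinning is by digest anyway, either say so in the message (`message: "Images must be pinned by sha256 digest."`) or tighten the pattern if a tag is genuinely wanted. The message is also missing its verb: `message: "An image tag and digest are required."`.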
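Review bot: The allow-list in `validate-registries` is a single registry, `external-registry.souvap-univention.de/*`, while this same patch moves the CI helm image to `registry.opencode.de/...`; if workload images are being migrated the same way, every app will fail this rule and the lint stays red. Worth confirming against `helmfile/environments/default/images.yaml` (changed by this commit but outside this excerpt) and, if so, listing the second registry with the same `|` alternation the seccomp rule uses, e.g. `image: "external-registry.souvap-univention.de/* | registry.opencode.de/*"`.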
@@ -56,9 +56,8 @@ ingress: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} -# TODO: The health endpoint does not work with the haproxy configuration, yet livenessProbe: - enabled: false + enabled: true persistence: size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }} @@ -68,9 +67,8 @@ podSecurityContext: enabled: true fsGroup: 101 -# TODO: The health endpoint does not work with the haproxy configuration, yet readinessProbe: - enabled: false + enabled: true replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }} diff --git a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl index 57367e04..a81943ec 100644 --- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl @@ -21,4 +21,18 @@ image: tag: {{ .Values.images.synapseCreateUser.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap" + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: "RuntimeDefault" ... diff --git a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl index cbb7a8fb..cd24b31f 100644 --- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl +++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl @@ -62,6 +62,9 @@ jitsi: TURN_ENABLE: "1" resources: {{ .Values.resources.jitsi | toYaml | nindent 6 }} + securityContext: + seccompProfile: + type: "RuntimeDefault" prosody: image: repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}" 
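Review bot: Nothing in this diff shows the haproxy health-endpoint problem named by the deleted TODO being fixed, yet both hunks of this file flip the probes to `enabled: true`; if the endpoint still does not answer through the current routing, the liveness probe will restart the pod in a loop. Confirm the endpoint responds before merging, or enable only the readiness probe until it does; the second hunk (`readinessProbe`) has the same dependency.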
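Review bot: `fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"` appears to exist so the rendered Job matches its entry in `.kyverno/_apps.yaml`, but nothing says so; a comment above it, `# Must match the resource name listed in .kyverno/_apps.yaml`, keeps the two from drifting when the chart is renamed. The added `securityContext` block covers all eight container-securitycontext rules, which is the right baseline for a one-shot bootstrap job.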
@@ -98,6 +101,9 @@ jitsi: persistence: size: {{ .Values.persistence.size.prosody | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} + securityContext: + seccompProfile: + type: "RuntimeDefault" jicofo: replicaCount: {{ .Values.replicas.jicofo }} image: @@ -108,6 +114,9 @@ jitsi: componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }} resources: {{ .Values.resources.jicofo | toYaml | nindent 6 }} + securityContext: + seccompProfile: + type: "RuntimeDefault" jvb: replicaCount: {{ .Values.replicas.jvb }} image: @@ -119,6 +128,9 @@ jitsi: {{ .Values.resources.jvb | toYaml | nindent 6 }} service: type: {{ .Values.cluster.service.type | quote }} + securityContext: + seccompProfile: + type: "RuntimeDefault" jibri: replicaCount: {{ .Values.replicas.jibri }} image: @@ -130,6 +142,9 @@ jitsi: password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }} resources: {{ .Values.resources.jibri | toYaml | nindent 6 }} + securityContext: + seccompProfile: + type: "RuntimeDefault" imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . | quote }} @@ -143,6 +158,8 @@ patchJVB: allowPrivilegeEscalation: false enabled: true readOnlyRootFilesystem: true + seccompProfile: + type: "RuntimeDefault" image: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }} diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl index 2aa6895d..3c125b25 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl 
@@ -92,6 +92,8 @@ appsuite: masterAdmin: "admin" masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" + serviceAccount: + create: true features: status: # enable admin pack @@ -413,6 +415,8 @@ appsuite: capabilities: drop: - "ALL" + seccompProfile: + type: "RuntimeDefault" core-documents-collaboration: enabled: false @@ -481,6 +485,8 @@ appsuite: capabilities: drop: - "ALL" + seccompProfile: + type: "RuntimeDefault" guard-ui: enabled: true diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl index 2bb24ec1..fe3f7686 100644 --- a/helmfile/apps/openproject/values.yaml.gotmpl +++ b/helmfile/apps/openproject/values.yaml.gotmpl @@ -71,7 +71,7 @@ environment: image: registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }} repository: {{ .Values.images.openproject.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.openproject.tag | quote }} initdb: @@ -79,7 +79,7 @@ initdb: registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }} repository: {{ .Values.images.openprojectInitDb.repository | quote }} tag: {{ .Values.images.openprojectInitDb.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} memcached: bundled: false diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl index a4ae476e..fa3d8d3e 100644 --- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl +++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl 
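Review bot: `serviceAccount.create: true` gives the appsuite pods their own ServiceAccount, but the hunk does not disable token automounting; unless the App Suite containers talk to the Kubernetes API, the projected token is an unnecessary credential in every pod. If the chart exposes it, add `automountServiceAccountToken: false` next to `create: true` (the values key depends on the chart, so confirm it against the chart's values.yaml).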
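Review bot: Renaming `pullPolicy` to `imagePullPolicy` under `image:` here and under `initdb.image:` in `@@ -79,7 +79,7 @@` is only correct if the chart reads the new key; Helm ignores values keys it does not know, so a mismatch would silently drop the setting and the pull policy would fall back to the chart default. As far as the visible charts.yaml hunks show, the openproject chart itself is not bumped in this commit (only `opendesk-openproject-bootstrap` moves to 1.3.0), so confirm the key against the chart's values.yaml or a rendered manifest.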
@@ -59,6 +59,27 @@ probes: failureThreshold: 30 successThreshold: 1 +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "DAC_OVERRIDE" + - "FOWNER" + - "FSETID" + - "KILL" + - "SETGID" + - "SETUID" + - "SETPCAP" + - "NET_BIND_SERVICE" + - "NET_RAW" + - "SYS_CHROOT" + privileged: false + seccompProfile: + type: "RuntimeDefault" + serviceAccount: create: true diff --git a/helmfile/apps/services/values-minio.yaml.gotmpl b/helmfile/apps/services/values-minio.yaml.gotmpl index ae4e80d0..82dfa48b 100644 --- a/helmfile/apps/services/values-minio.yaml.gotmpl +++ b/helmfile/apps/services/values-minio.yaml.gotmpl @@ -167,6 +167,8 @@ provisioning: policies: - "nextcloud-bucket-policy" setPolicies: true + resources: + {{ .Values.resources.minio | toYaml | nindent 4 }} readinessProbe: enabled: true diff --git a/helmfile/apps/services/values-postgresql.yaml.gotmpl b/helmfile/apps/services/values-postgresql.yaml.gotmpl index 3bd17048..16210868 100644 --- a/helmfile/apps/services/values-postgresql.yaml.gotmpl +++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl @@ -7,6 +7,7 @@ containerSecurityContext: drop: - "ALL" enabled: true + privileged: false runAsUser: 1001 runAsGroup: 1001 seccompProfile: diff --git a/helmfile/apps/services/values-redis.yaml.gotmpl b/helmfile/apps/services/values-redis.yaml.gotmpl index 7063efae..36d5a498 100644 --- a/helmfile/apps/services/values-redis.yaml.gotmpl +++ b/helmfile/apps/services/values-redis.yaml.gotmpl @@ -20,6 +20,15 @@ image: master: containerSecurityContext: readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" count: {{ .Values.replicas.redis }} persistence: size: {{ .Values.persistence.size.redis | quote }} 
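Review bot: The `capabilities` block drops ALL and then adds back eleven capabilities — most of the default container set, including `NET_RAW`, `SYS_CHROOT`, `DAC_OVERRIDE`, `SETUID` and `SETGID` — which leaves little of the benefit of the drop, and the block sets neither `runAsNonRoot`/`runAsUser` nor `readOnlyRootFilesystem`. The Pod Security Standards restricted profile allows only `NET_BIND_SERVICE` to be added back, so any policy modelled on it will fail this container. Add a comment per entry naming the process that needs it, e.g. `# SETUID/SETGID: entrypoint drops privileges after start` if that is the reason, and remove the ones nobody can justify; `NET_RAW` and `SYS_CHROOT` are the usual first candidates.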
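Review bot: Only `master.containerSecurityContext` receives the hardened settings; the hunk does not show whether the chart's replica or sentinel stanzas are in use, and if they are, they need the same `runAsUser`/`runAsNonRoot`/`allowPrivilegeEscalation`/`seccompProfile`/`capabilities` block or the pods of one release will differ in posture. A comment above the block, `# keep in sync with the replica/sentinel containerSecurityContext if those are enabled`, would make the expectation explicit.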
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl index 2fceebfa..7bf58146 100644 --- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl @@ -1,5 +1,7 @@ -# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} --- image: registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }} @@ -11,6 +13,22 @@ image: - name: {{ . | quote }} {{- end }} +nats: + global: + image: + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + pullSecretNames: {{ .Values.global.imagePullSecrets }} + registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }} + container: + image: + repository: {{ .Values.images.umsProvisioningNats.repository | quote }} + tag: {{ .Values.images.umsProvisioningNats.tag | quote }} + natsBox: + container: + image: + repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }} + tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }} + provisioningApi: rootPath: "/univention/provisioning-api" diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl index 6637611f..e6038f7a 100644 --- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl 
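Review bot: `pullSecretNames: {{ .Values.global.imagePullSecrets }}` prints the Go slice with its default formatting, `[name1 name2]`, which YAML reads as a flow sequence with the single element `name1 name2`; it works only by accident when the list has exactly one entry or is empty. Render it the way `values-ums-stack-gateway.yaml.gotmpl` does in this same commit: `pullSecretNames: {{ .Values.global.imagePullSecrets | toYaml | nindent 8 }}` (adjust the indent to the key's position under `nats.global.image`). The jitsi values in this commit use a `range` loop for the same value, so a rendered `helmfile template` of this release is the quickest check.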
@@ -1,6 +1,10 @@ # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0 --- +global: + imagePullSecrets: + {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} + fullnameOverride: "ums-stack-gateway" image: @@ -28,19 +32,27 @@ podSecurityContext: enabled: true fsGroup: 1001 -securityContext: +containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false allowPrivilegeEscalation: false capabilities: drop: - "ALL" - enabled: true - privileged: false - readOnlyRootFilesystem: false - runAsUser: 1001 - runAsNonRoot: true seccompProfile: type: "RuntimeDefault" +service: + type: "ClusterIP" + +serviceAccount: + create: true + +fullnameOverride: "ums-stack-gateway" + # The content of the "serverBlock" does resemble the Ingress configuration of # the UMS components. The "location" entries do intentionally reflect precisely # the respective paths which are configured. @@ -289,7 +301,4 @@ serverBlock: | } -service: - type: "ClusterIP" - ... diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl index d43877f3..80ff0061 100644 --- a/helmfile/apps/xwiki/values.yaml.gotmpl +++ b/helmfile/apps/xwiki/values.yaml.gotmpl @@ -15,6 +15,8 @@ externalDB: database: {{ .Values.databases.xwiki.name | quote }} user: {{ .Values.databases.xwiki.username | quote }} host: {{ .Values.databases.xwiki.host | quote }} + customKeyRef: + enabled: false containerSecurityContext: allowPrivilegeEscalation: false @@ -25,6 +27,8 @@ containerSecurityContext: capabilities: drop: - "ALL" + seccompProfile: + type: "RuntimeDefault" customConfigs: xwiki.cfg: diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml index 2e34357e..127bbd72 100644 --- a/helmfile/environments/default/charts.yaml +++ b/helmfile/environments/default/charts.yaml 
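Review bot: `fullnameOverride: "ums-stack-gateway"` is added again below `serviceAccount:` while the same key already exists near the top of the file (visible as context in `@@ -1,6 +1,10 @@`); duplicate top-level keys are invalid in YAML 1.2, most parsers silently keep the last one, and yamllint's `key-duplicates` rejects the file, so this passes today only because both values agree. Drop the second occurrence. The rename to `containerSecurityContext` carries over `readOnlyRootFilesystem: false` unchanged; a comment naming the path the server (presumably nginx, given `serverBlock`) needs to write would document why it has to stay false.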
@@ -85,7 +85,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" name: "opendesk-element" - version: "2.6.3" + version: "2.6.6" verify: true # @supplier: "openDesk" @@ -97,7 +97,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" name: "opendesk-well-known" - version: "2.6.3" + version: "2.6.6" verify: true # @supplier: "openDesk" @@ -135,7 +135,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi" name: "opendesk-jitsi" - version: "1.7.4" + version: "1.7.8" verify: true # @supplier: "openDesk" @@ -159,7 +159,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" name: "matrix-neoboard-widget" - version: "3.4.0" + version: "3.4.1" verify: true # @supplier: "openDesk" @@ -171,7 +171,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" name: "matrix-neochoice-widget" - version: "3.4.0" + version: "3.4.1" verify: true # @supplier: "openDesk" @@ -183,7 +183,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" name: "matrix-neodatefix-bot" - version: "3.4.0" + version: "3.4.1" verify: true # @supplier: "openDesk" @@ -195,7 +195,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets" name: "matrix-neodatefix-widget" - version: "3.4.0" + version: "3.4.1" verify: true # @supplier: "openDesk" 
@@ -207,7 +207,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" name: "opendesk-matrix-user-verification-service" - version: "2.6.3" + version: "2.6.6" verify: true # @supplier: "openDesk" @@ -279,7 +279,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap" name: "opendesk-keycloak-bootstrap" - version: "1.0.5" + version: "1.0.6" verify: true # @supplier: "openDesk" @@ -305,7 +305,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap" name: "opendesk-openproject-bootstrap" - version: "1.2.3" + version: "1.3.0" verify: true # @supplier: "openDesk" @@ -404,7 +404,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" name: "opendesk-synapse" - version: "2.6.3" + version: "2.6.6" verify: true # @supplier: "openDesk" @@ -416,7 +416,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" name: "opendesk-synapse-create-account" - version: "2.6.3" + version: "2.6.6" verify: true # @supplier: "openDesk" @@ -428,7 +428,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-element" name: "opendesk-synapse-web" - version: "2.6.3" + version: "2.6.6" verify: true # @supplier: "openDesk" @@ -510,7 +510,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/charts-mirror" name: "keycloak-extensions" - version: "0.0.5" + version: "0.1.0" verify: true # @supplier: "Univention" # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$' diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml index af295d52..422b53e1 100644 
--- a/helmfile/environments/default/images.yaml +++ b/helmfile/environments/default/images.yaml @@ -698,6 +698,22 @@ images: # @supplier: "Univention" # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$' # @mirrorFrom: ['0', '4', '0'] + umsProvisioningNats: + # renovate: + # upstreamRegistry=docker.io + # upstreamRepository=nats + # dependencyType=external + registry: "docker.io" + repository: "nats" + tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79" + umsProvisioningNatsBox: + # renovate: + # upstreamRegistry=docker.io + # upstreamRepository=nats + # dependencyType=external + registry: "docker.io" + repository: "natsio/nats-box" + tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4" umsSelfserviceInvitation: # renovate: # upstreamRegistry=registry.souvap-univention.de diff --git a/helmfile/environments/test/values.yaml.gotmpl b/helmfile/environments/test/values.yaml.gotmpl new file mode 100644 index 00000000..8275fec8 --- /dev/null +++ b/helmfile/environments/test/values.yaml.gotmpl @@ -0,0 +1,8 @@ +{{/* +SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" +SPDX-License-Identifier: Apache-2.0 +*/}} +--- +global: + imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace" +...
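Review bot: The renovate annotation on `umsProvisioningNatsBox` says `upstreamRepository=nats` while the entry's `repository` is `natsio/nats-box`; if the renovate setup reads these comments, updates for nats-box would be looked up against the wrong upstream repository or never proposed. Change it to `# upstreamRepository=natsio/nats-box`. Pinning both tags with `@sha256:` digests is the right call; keep the digests when the tags are next bumped.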