diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl deleted file mode 100644 index 423041b0..00000000 --- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl +++ /dev/null @@ -1,889 +0,0 @@ -{{/* -SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -SPDX-License-Identifier: Apache-2.0 -*/}} ---- -global: - domain: "{{ .Values.global.domain }}" - hosts: - {{ .Values.global.hosts | toYaml | nindent 4 }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} - -image: - registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }} - repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }} - tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - -cleanup: - deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }} - keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }} - -config: - custom: - clientScopes: - {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }} - clients: - {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }} - keycloak: - adminUser: "kcadmin" - adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} - realm: {{ .Values.platform.realm | quote }} - intraCluster: - enabled: true - internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" - twoFactorSettings: - additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }} - opendesk: - # We use client specific scopes as we bind them to Keycloak role membership which itself is linked - # to LDAP group membership to ensure a user cannot access an application without the required - # group membership. - # ToDo: - # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated. - clientScopes: - - name: "read_contacts" - protocol: "openid-connect" - - name: "write_contacts" - protocol: "openid-connect" - - name: "opendesk-openproject-scope" - description: "Scope for the claims required by openDesk's OpenProject instance." - protocol: "openid-connect" - protocolMappers: - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - - name: "opendeskProjectmanagementAdmin" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "opendeskProjectmanagementAdmin" - id.token.claim: true - access.token.claim: true - claim.name: "openproject_admin" - jsonType.label: "String" - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "given name" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "firstName" - id.token.claim: true - access.token.claim: true - claim.name: "given_name" - jsonType.label: "String" - - name: "family name" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "lastName" - id.token.claim: true - access.token.claim: true - claim.name: "family_name" - jsonType.label: "String" - - name: "opendesk-jitsi-scope" - description: "Scope for the claims required by openDesk's Jitsi instance." - protocol: "openid-connect" - protocolMappers: - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - - name: "full name" - protocol: "openid-connect" - protocolMapper: "oidc-full-name-mapper" - consentRequired: false - config: - id.token.claim: true - introspection.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "opendesk-nextcloud-scope" - description: "Scope for the claims required by openDesk's Nextcloud instance." - protocol: "openid-connect" - protocolMappers: - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "context" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "oxContextIDNum" - id.token.claim: true - access.token.claim: true - claim.name: "context" - jsonType.label: "String" - - name: "opendesk-matrix-scope" - description: "Scope for the claims required by openDesk's Matrix instance." - protocol: "openid-connect" - protocolMappers: - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - - name: "full name" - protocol: "openid-connect" - protocolMapper: "oidc-full-name-mapper" - consentRequired: false - config: - id.token.claim: true - introspection.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "opendesk-xwiki-scope" - description: "Scope for the claims required by openDesk's XWiki instance." - protocol: "openid-connect" - protocolMappers: - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - - name: "full name" - protocol: "openid-connect" - protocolMapper: "oidc-full-name-mapper" - consentRequired: false - config: - id.token.claim: true - introspection.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - introspection.token.claim: true - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "opendesk-dovecot-scope" - description: "Scope for the claims required by openDesk's Dovecot instance." - protocol: "openid-connect" - protocolMappers: - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - - name: "opendesk-oxappsuite-scope" - description: "Scope for the claims required by openDesk's OX Appuite instance." - protocol: "openid-connect" - protocolMappers: - - name: "context" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "oxContextIDNum" - id.token.claim: true - access.token.claim: true - claim.name: "context" - jsonType.label: "String" - - name: "opendesk_useruuid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_useruuid" - jsonType.label: "String" - - name: "opendesk_username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "opendesk_username" - jsonType.label: "String" - clients: - - name: "opendesk-dovecot" - clientId: "opendesk-dovecot" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }} - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: false - defaultClientScopes: - - "opendesk-dovecot-scope" - - name: "opendesk-intercom" - clientId: "opendesk-intercom" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback" - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: true - backchannel.logout.revoke.offline.tokens: true - backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout" - protocolMappers: - - name: "intercom-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "opendesk-intercom" - id.token.claim: false - access.token.claim: true - # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set - # it to `opendesk_useruuid` standard claim. For reference: - # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89 - - name: "entryuuid_temp" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "entryUUID" - id.token.claim: true - access.token.claim: true - claim.name: "entryuuid" - jsonType.label: "String" - # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot - # set it to `opendesk_username` standard claim. For reference: - # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27 - - name: "phoenixusername_temp" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "phoenixusername" - jsonType.label: "String" - defaultClientScopes: - - "offline_access" - - name: "opendesk-jitsi" - clientId: "opendesk-jitsi" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*" - consentRequired: false - frontchannelLogout: false - publicClient: true - fullScopeAllowed: true - authorizationServicesEnabled: false - defaultClientScopes: - - "opendesk-jitsi-scope" - - name: "opendesk-matrix" - clientId: "opendesk-matrix" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*" - - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - standardFlowEnabled: true - directAccessGrantsEnabled: true - serviceAccountsEnabled: true - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: true - backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout" - post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - defaultClientScopes: - - "opendesk-matrix-scope" - # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. - # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that - - name: "matrix" - clientId: "matrix" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - standardFlowEnabled: true - directAccessGrantsEnabled: true - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - defaultClientScopes: [] - optionalClientScopes: [] - - name: "opendesk-nextcloud" - clientId: "opendesk-nextcloud" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: true - backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk" - post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - defaultClientScopes: - - "opendesk-nextcloud-scope" - - "read_contacts" - - "write_contacts" - - name: "opendesk-openproject" - clientId: "opendesk-openproject" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - consentRequired: false - frontchannelLogout: false - publicClient: false - serviceAccountsEnabled: true - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: true - backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout" - post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - defaultClientScopes: - - "opendesk-openproject-scope" - - name: "opendesk-oxappsuite" - clientId: "opendesk-oxappsuite" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: true - backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout" - post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - defaultClientScopes: - - "opendesk-oxappsuite-scope" - - "read_contacts" - - "write_contacts" - - name: "opendesk-xwiki" - clientId: "opendesk-xwiki" - protocol: "openid-connect" - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - consentRequired: false - frontchannelLogout: false - publicClient: false - authorizationServicesEnabled: false - attributes: - backchannel.logout.session.required: false - backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout" - post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*" - defaultClientScopes: - - "opendesk-xwiki-scope" - - name: "guardian-management-api" - clientId: "guardian-management-api" - rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - protocol: "openid-connect" - publicClient: false - clientAuthenticatorType: "client-secret" - secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - redirectUris: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*" - fullScopeAllowed: true - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: false - serviceAccountsEnabled: true - protocolMappers: - - name: "Client Host" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "clientHost" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "clientHost" - jsonType.label: "String" - - name: "Client ID" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "client_id" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "client_id" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - userinfo.token.claim: false - id.token.claim: false - access.token.claim: true - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-cli" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: false - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "Client IP Address" - protocol: "openid-connect" - protocolMapper: "oidc-usersessionmodel-note-mapper" - consentRequired: false - config: - user.session.note: "clientAddress" - userinfo.token.claim: true - id.token.claim: true - access.token.claim: true - claim.name: "clientAddress" - jsonType.label: "String" - - name: "guardian-scripts" - clientId: "guardian-scripts" - description: "" - rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - surrogateAuthRequired: false - enabled: true - alwaysDisplayInConsole: false - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*" - webOrigins: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - bearerOnly: false - consentRequired: false - standardFlowEnabled: true - implicitFlowEnabled: false - directAccessGrantsEnabled: true - serviceAccountsEnabled: false - publicClient: true - frontchannelLogout: false - protocol: "openid-connect" - fullScopeAllowed: true - protocolMappers: - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: false - access.token.claim: true - userinfo.token.claim: false - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian-scripts" - id.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - aggregate.attrs: false - multivalued: false - userinfo.token.claim: false - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - defaultClientScopes: - - "web-origins" - - "acr" - - "roles" - - "profile" - - "email" - optionalClientScopes: - - "address" - - "phone" - - "offline_access" - - "microprofile-jwt" - - name: "guardian-ui" - clientId: "guardian-ui" - rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - clientAuthenticatorType: "client-secret" - redirectUris: - - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*" - standardFlowEnabled: true - publicClient: true - implicitFlowEnabled: false - directAccessGrantsEnabled: false - serviceAccountsEnabled: false - protocol: "openid-connect" - fullScopeAllowed: true - protocolMappers: - - name: "uid" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "uid" - id.token.claim: true - access.token.claim: true - claim.name: "uid" - jsonType.label: "String" - - name: "username" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "username" - id.token.claim: true - access.token.claim: true - claim.name: "preferred_username" - jsonType.label: "String" - - name: "dn" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-attribute-mapper" - consentRequired: false - config: - userinfo.token.claim: "false" - user.attribute: "LDAP_ENTRY_DN" - id.token.claim: false - access.token.claim: true - claim.name: "dn" - jsonType.label: "String" - - name: "audiencemap" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: true - access.token.claim: true - userinfo.token.claim: true - - name: "email" - protocol: "openid-connect" - protocolMapper: "oidc-usermodel-property-mapper" - consentRequired: false - config: - userinfo.token.claim: true - user.attribute: "email" - id.token.claim: true - access.token.claim: true - claim.name: "email" - jsonType.label: "String" - - name: "guardian-audience" - protocol: "openid-connect" - protocolMapper: "oidc-audience-mapper" - consentRequired: false - config: - included.client.audience: "guardian" - id.token.claim: false - access.token.claim: true - userinfo.token.claim: false - -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - enabled: true - privileged: false - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - runAsNonRoot: true - seLinuxOptions: - {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }} - -podAnnotations: - intents.otterize.com/service-name: "ums-keycloak-bootstrap" - -podSecurityContext: - enabled: true - fsGroup: 1000 - fsGroupChangePolicy: "OnRootMismatch" - -resources: - {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }} - -... diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl deleted file mode 100644 index 89138423..00000000 --- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl +++ /dev/null @@ -1,1617 +0,0 @@ -# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" -# SPDX-License-Identifier: Apache-2.0 ---- -global: - configMapUcrDefaults: "ums-stack-data-ums-ucr" - configMapUcr: "ums-stack-data-swp-ucr" - configMapUcrForced: null - domain: {{ .Values.global.domain | quote }} - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} - -tags: - pre-release: true - -guardian: - enabled: true - authorizationApi: - podAnnotations: - intents.otterize.com/service-name: "ums-guardian-authorization-api" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }} - repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - config: - guardianAuthzLoggingStructured: false - oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration" - opaAdapterUrl: "http://ums-guardian-open-policy-agent/" - udmDataAdapterUrl: "http://ums-udm-rest-api/udm/" - secretRef: "ums-guardian-udm-secret" - ingress: - enabled: false - resources: - {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} - - managementApi: - podAnnotations: - intents.otterize.com/service-name: "ums-guardian-management-api" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }} - repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - config: - guardianManagementLoggingStructured: false - guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization" - oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration" - guardianManagementBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - secretRef: "ums-guardian-keycloak-client-secret" - ingress: - enabled: false - resources: - {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} - - managementUi: - podAnnotations: - intents.otterize.com/service-name: "ums-guardian-management-ui" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }} - repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - config: - viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management" - viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }} - ingress: - enabled: false - resources: - {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }} - - openPolicyAgent: - podAnnotations: - intents.otterize.com/service-name: "ums-ums-open-policy-agent" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }} - repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - config: - opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management" - ingress: - enabled: false - resources: - {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} - - - provisioning: - # Using openDesk keycloak provisioning - enabled: false - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianProvisioning.registry | quote }} - repository: {{ .Values.images.umsGuardianProvisioning.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsGuardianProvisioning.tag | quote }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - config: - nubusBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - keycloak: - url: "http://ums-keycloak:8080" - fqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - realm: {{ .Values.platform.realm | quote }} - admin: "kcadmin" - credentialSecret: - name: "ums-guardian-keycloak-secret" - key: "adminPassword" - managementApi: - credentialSecret: - name: "ums-guardian-keycloak-secret" - key: "managementApiClientSecret" - - postgresql: - bundled: false - connection: - host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} - port: {{ .Values.databases.umsGuardianManagementApi.port | quote }} - auth: - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} - database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} - password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }} - -ldap-notifier: - enabled: true - podAnnotations: - intents.otterize.com/service-name: "ums-ldap-notifier" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }} - repository: {{ .Values.images.umsLdapNotifier.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsLdapNotifier.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - replicaCount: {{ .Values.replicas.umsLdapNotifier }} - resources: - {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }} - securityContext: - seccompProfile: - type: "RuntimeDefault" - seLinuxOptions: - {{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }} - volumes: - claims: - shared-data: "shared-data-ums-ldap-server-0" - shared-run: "shared-run-ums-ldap-server-0" - -ldap-server: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-ldap-server" - replicaCount: {{ .Values.replicas.umsLdapServer }} - serviceAccount: - annotations: - intended.usage: "compliance" - waitForDependency: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} - repository: {{ .Values.images.umsWaitForDependency.repository }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - tag: {{ .Values.images.umsWaitForDependency.tag | quote }} - ldapServer: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }} - repository: {{ .Values.images.umsLdapServer.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - tag: {{ .Values.images.umsLdapServer.tag | quote }} - config: - domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}" - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} - samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} - samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }} - credentialSecret: - name: ums-ldap-credentials - key: adminPassword - extraVolumes: - - name: "opendesk-schemas" - configMap: - name: "ums-stack-data-swp-schemas" - - extraVolumeMounts: - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema" - subPath: "opendeskFileshare.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema" - subPath: "opendeskKnowledgemanagement.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema" - subPath: "opendeskLearnmanagement.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema" - subPath: "opendeskLivecollaboration.schema" - - name: "opendesk-schemas" - mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema" - subPath: "opendeskProjectmanagement.schema" - - persistence: - storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }} - - resources: - {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} - - initResources: - {{ .Values.resources.umsLdapServerInit | toYaml | nindent 4 }} - -notifications-api: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-notifications-api" - serviceAccount: - annotations: - intended.usage: "compliance" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }} - repository: {{ .Values.images.umsNotificationsApi.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsNotificationsApi.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - postgresql: - bundled: false - connection: - host: {{ .Values.databases.umsNotificationsApi.host | quote }} - port: {{ .Values.databases.umsNotificationsApi.port | quote }} - auth: - username: {{ .Values.databases.umsNotificationsApi.username | quote }} - database: {{ .Values.databases.umsNotificationsApi.name | quote }} - existingSecret: "ums-notifications-api-postgresql-credentials" - replicaCount: {{ .Values.replicas.umsNotificationsApi }} - notificationsapi: - apply_database_migrations: "True" - dev_mode: "False" - environment: "staging" - log_level: "DEBUG" - sql_echo: "False" - api_prefix: "/univention/portal/notifications-api" - resources: - {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }} - -portal-frontend: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-portal-frontend" - serviceAccount: - annotations: - intended.usage: "compliance" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }} - repository: {{ .Values.images.umsPortalFrontend.repository }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsPortalFrontend.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - extraVolumes: - - name: "opendesk-branding" - configMap: - name: "ums-stack-data-swp-branding" - extraVolumeMounts: - - name: "opendesk-branding" - mountPath: "/var/www/html/favicon.ico" - subPath: "favicon.ico" - - name: "opendesk-branding" - mountPath: "/var/www/html/css/custom.css" - subPath: "custom.css" - - name: "opendesk-branding" - mountPath: "/var/www/html/icons/logo.svg" - subPath: "logo.svg" - - name: "opendesk-branding" - mountPath: "/var/www/html/icons/logo_small_border.svg" - subPath: "logo_small_border.svg" - - name: "opendesk-branding" - mountPath: "/var/www/html/custom/portal_background_image.png" - subPath: "portal_background_image.png" - - name: "opendesk-branding" - mountPath: "/var/www/html/custom/portal_background_image.svg" - subPath: "portal_background_image.svg" - replicaCount: {{ .Values.replicas.umsPortalFrontend }} - resources: - {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }} - -portal-listener: - enabled: true - podAnnotations: - intents.otterize.com/service-name: "ums-portal-listener" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }} - repository: {{ .Values.images.umsPortalListener.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsPortalListener.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - waitForDependency: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} - repository: {{ .Values.images.umsWaitForDependency.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsWaitForDependency.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - persistence: - storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }} - portalListener: - adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }} - assetsRootPath: "portal-assets" - ucsInternalPath: "portal-data" - - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - notifierServer: {{ .Values.ldap.notifierHost | quote }} - portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }} - udmApiUrl: "http://ums-udm-rest-api/udm/" - udmApiUsername: "cn=admin" - debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }} - tlsMode: "off" - umcGetUrl: "http://ums-umc-server/get" - umcSessionUrl: "http://ums-umc-server/get/session-info" - objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} - objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} - objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }} - objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} - replicaCount: {{ .Values.replicas.umsPortalListener }} - resources: - {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }} - - resourcesWaitForDependency: - {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 4 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }} - -portal-server: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-portal-server" - serviceAccount: - annotations: - intended.usage: "compliance" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }} - repository: {{ .Values.images.umsPortalServer.repository }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsPortalServer.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - portalServer: - authMode: "saml" - editable: "false" - adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }} - ucsInternalPath: "portal-data" - umcGetUrl: "http://ums-umc-server/get" - umcSessionUrl: "http://ums-umc-server/get/session-info" - objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} - objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} - centralNavigation: - enabled: true - objectStorageCredentialSecret: - name: "ums-portal-server-minio-credentials" - accessKeyKey: "nubus-s3-access-key-id" - secretKeyKey: "nubus-s3-secret-key-id" - - extraVolumes: - - name: authenticator-secret - secret: - secretName: ums-portal-server-authenticator-credentials - - extraVolumeMounts: - - name: authenticator-secret - mountPath: "/var/secrets/authenticator.secret" - subPath: "authenticator.secret" - - replicaCount: {{ .Values.replicas.umsPortalServer }} - - resources: - {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }} - -provisioning: - enabled: false - api: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }} - repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - credentialSecretName: "ums-provisioning-api-credentials" - dispatcher: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }} - repository: {{ .Values.images.umsProvisioningDispatcher.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsProvisioningDispatcher.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - credentialSecretName: "ums-provisioning-dispatcher-credentials" - prefill: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }} - repository: {{ .Values.images.umsProvisioningPrefill.repository }} - pullPolicy: {{ .Values.global.imagePullPolicy }} - tag: {{ .Values.images.umsProvisioningPrefill.tag }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - credentialSecretName: "ums-provisioning-prefill-credentials" - nats: - config: - authorization: - enabled: false - users: - - user: "admin" - password: "$NATS_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_API_USER" - password: "$NATS_API_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_DISPATCHER_USER" - password: "$NATS_DISPATCHER_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - - user: "$NATS_PREFILL_USER" - password: "$NATS_PREFILL_PASSWORD" - permissions: - publish: ">" - subscribe: ">" - extraEnvVars: - - name: NATS_USER - value: "admin" - - name: NATS_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-nats-credentials - key: admin_password - - name: NATS_API_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: NATS_USER - - name: NATS_API_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-api-credentials - key: NATS_PASSWORD - - name: NATS_DISPATCHER_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-dispatcher-credentials - key: NATS_USER - - name: NATS_DISPATCHER_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-dispatcher-credentials - key: NATS_PASSWORD - - name: NATS_PREFILL_USER - valueFrom: - secretKeyRef: - name: ums-provisioning-prefill-credentials - key: NATS_USER - - name: NATS_PREFILL_PASSWORD - valueFrom: - secretKeyRef: - name: ums-provisioning-prefill-credentials - key: NATS_PASSWORD - nats: - nats: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsNats.registry | quote }} - repository: {{ .Values.images.umsNats.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsNats.tag | quote }} - natsBox: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsBox.registry | quote }} - repository: {{ .Values.images.umsNatsBox.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsNatsBox.tag | quote }} - reloader: - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsReloader.registry | quote }} - repository: {{ .Values.images.umsNatsReloader.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsNatsReloader.tag | quote }} - - - ingress: - host: "localhost" - tls: - enabled: false - -udm-listener: - enabled: false - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }} - repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - config: - debugLevel: "4" - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - ldapPort: "389" - notifierServer: "ums-ldap-notifier" - tlsMode: "off" - natsHost: "ums-provisioning-nats" - -stack-data-ums: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-stack-data-ums" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }} - repository: {{ .Values.images.umsDataLoader.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsDataLoader.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - stackDataUms: - loadDevData: true - udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - udmApiUrl: "http://ums-udm-rest-api/udm/" - udmApiUser: "cn=admin" - stackDataContext: - idpSamlMetadataUrlInternal: null - umcSamlSchemes: "https" - # The openDesk configuration brings its own UMC policies. - installUmcPolicies: false - domainname: {{ .Values.global.domain | quote }} - externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }} - hostname: {{ .Values.global.hosts.univentionManagementStack | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapBase: {{ .Values.ldap.baseDn | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }} - umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }} - ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }} - initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }} - initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }} - umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }} - umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }} - umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }} - umcMemcachedUsername: "" - -stack-data-swp: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-stack-data-swp" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }} - repository: {{ .Values.images.umsDataLoader.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsDataLoader.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - stackDataContext: - ldapBase: {{ .Values.ldap.baseDn }} - oxDefaultContext: "1" - smtpStartTls: true - ldapSearchUsers: - {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }} - - username: {{ printf "ldapsearch_%s" $username | quote }} - password: {{ $password | quote }} - lastname: "LDAP-Search-User" - {{- end }} - - externalDomainName: {{ .Values.global.domain | quote }} - externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }} - - portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }} - portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }} - portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }} - portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }} - portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }} - portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }} - portalTitleDE: "{{ .Values.theme.texts.productName }} Portal" - portalTitleEN: "{{ .Values.theme.texts.productName }} Portal" - - smtpHost: {{ .Values.smtp.host | quote }} - smtpPort: {{ .Values.smtp.port | quote }} - smtpUser: {{ .Values.smtp.username | quote }} - - userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }} - adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} - - stackDataSwp: - udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - {{- if .Values.functional.admin.portal.deploymentInformation.enabled }} - systemInformation: - deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}" - releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}" - {{- end }} - udmApiUser: "cn=admin" - udmApiUrl: "http://ums-udm-rest-api/udm/" - loadDevData: true - resources: - {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: - {{- .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 6 }} - -selfservice-listener: - enabled: true - podAnnotations: - intents.otterize.com/service-name: "ums-selfservice-listener" - image: - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - - selfserviceListener: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }} - repository: {{ .Values.images.umsSelfserviceListener.repository | quote }} - tag: {{ .Values.images.umsSelfserviceListener.tag | quote }} - - selfserviceInvitation: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }} - repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }} - tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }} - - waitForDependency: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }} - repository: {{ .Values.images.umsWaitForDependency.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsWaitForDependency.tag | quote }} - - persistence: - storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} - size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }} - - resources: - {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }} - - resourcesDependencyWaiter: - {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 4 }} - - replicaCount: {{ .Values.replicas.umsSelfserviceListener }} - - selfserviceListener: - ldapBaseDn: {{ .Values.ldap.baseDn | quote }} - ldapHost: {{ .Values.ldap.host | quote }} - ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }} - ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - notifierServer: {{ .Values.ldap.notifierHost | quote }} - umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} - debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }} - tlsMode: "off" - umcServerUrl: "http://ums-umc-server" - umcAdminUser: "default.admin" - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }} - -udm-rest-api: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-udm-rest-api" - serviceAccount: - annotations: - intended.usage: "compliance" - udmRestApi: - secretRef: ums-udm-rest-api-credentials - ldap: - uri: "ldap://ums-ldap-server:389" - baseDn: {{ .Values.ldap.baseDn | quote }} - tls: - enabled: false - secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }} - repository: {{ .Values.images.umsUdmRestApi.repository | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsUdmRestApi.tag | quote }} - extraVolumes: - - name: "attribute-to-group-mapper-hook" - configMap: - name: "ums-stack-data-swp-attribute-to-group-mapper-hook" - extraVolumeMounts: - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" - subPath: "AttributeToGroupMapper.py" - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" - subPath: "flag_to_group_mapping.json" - resources: - {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }} - initResources: - {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }} - replicaCount: {{ .Values.replicas.umsUdmRestApi }} - -umc-gateway: - enabled: true - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }} - repository: {{ .Values.images.umsUmcGateway.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsUmcGateway.tag | quote }} - replicaCount: {{ .Values.replicas.umsUmcGateway }} - umcGateway: - umcHtmlTitle: "openDesk - Admin" - extraVolumes: - - name: "entrypoint-swp-patches" - configMap: - name: "ums-stack-data-swp-umc-gateway-entrypoint" - defaultMode: 0555 - - name: "announcements-customization" - configMap: - name: "ums-stack-data-swp-umc-server-announcements" - defaultMode: 0444 - extraVolumeMounts: - - name: "entrypoint-swp-patches" - mountPath: "/entrypoint.d/90-swp.sh" - subPath: "90-swp.sh" - - name: "announcements-customization" - mountPath: - "/usr/share/univention-management-console-frontend/js/dijit/themes\ - /umc/icons/16x16/udm-portals-announcement.png" - subPath: "udm-portals-announcement.png" - ingress: - host: localhost - enabled: false - tls: - enabled: false - - resources: - {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }} - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }} - -umc-server: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-umc-server" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }} - repository: {{ .Values.images.umsUmcServer.repository | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - tag: {{ .Values.images.umsUmcServer.tag | quote }} - pullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . | quote }} - {{- end }} - replicaCount: {{ .Values.replicas.umsUmcServer }} - umcServer: - certPemFile: "/var/secrets/ssl/tls.crt" - caCert: "Cg==" - certPem: "Cg==" - privateKey: "Cg==" - ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - smtpSecret: {{ .Values.smtp.password | quote }} - privateKeyFile: "/var/secrets/ssl/tls.key" - extraVolumes: - - name: "certificates" - secret: - secretName: "opendesk-certificates-tls" - - name: "entrypoint-swp-patches" - configMap: - name: "ums-stack-data-swp-umc-server-entrypoint" - defaultMode: 0555 - - name: "self-service-emails" - configMap: - name: "ums-stack-data-swp-self-service-emails" - defaultMode: 0444 - - name: "attribute-to-group-mapper-hook" - configMap: - name: "ums-stack-data-swp-attribute-to-group-mapper-hook" - - name: "announcements-customization" - configMap: - name: "ums-stack-data-swp-umc-server-announcements" - defaultMode: 0444 - extraVolumeMounts: - - name: "certificates" - mountPath: "/var/secrets/ssl" - - name: "entrypoint-swp-patches" - mountPath: "/entrypoint.d/90-customization.sh" - subPath: "90-customization.sh" - - name: "self-service-emails" - mountPath: "/usr/share/univention-self-service/email_bodies" - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py" - subPath: "AttributeToGroupMapper.py" - - name: "attribute-to-group-mapper-hook" - mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json" - subPath: "flag_to_group_mapping.json" - - name: "announcements-customization" - mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml" - subPath: "udm-portals-announcement.xml" - ingress: - host: localhost - enabled: false - tls: - enabled: false - memcached: - bundled: false - server: {{ .Values.cache.umsSelfservice.host | quote }} - - postgresql: - bundled: false - connection: - host: {{ .Values.databases.umsSelfservice.host | quote }} - port: {{ .Values.databases.umsSelfservice.port | quote }} - auth: - username: {{ .Values.databases.umsSelfservice.username | quote }} - database: {{ .Values.databases.umsSelfservice.name | quote }} - password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} - postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }} - - resources: - {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }} - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "DAC_OVERRIDE" - - "FOWNER" - - "FSETID" - - "KILL" - - "SETGID" - - "SETUID" - - "SETPCAP" - - "NET_BIND_SERVICE" - - "NET_RAW" - - "SYS_CHROOT" - privileged: false - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: false - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }} - -keycloak: - enabled: true - podAnnotations: - intents.otterize.com/service-name: "ums-keycloak" - serviceAccount: - annotations: - intended.usage: "compliance" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }} - repository: {{ .Values.images.umsKeycloak.repository | quote }} - tag: {{ .Values.images.umsKeycloak.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - - config: - logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} - enableMetrics: true - # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions - # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly - # through an own ingress. - exposeAdminConsole: false - - postgresql: - connection: - host: {{ .Values.databases.keycloak.host | quote }} - port: {{ .Values.databases.keycloak.port }} - auth: - username: {{ .Values.databases.keycloak.username | quote }} - database: {{ .Values.databases.keycloak.name | quote }} - credentialSecret: - name: "ums-keycloak-postgresql-credentials" - key: "keycloakDatabasePassword" - - keycloak: - auth: - username: "kcadmin" - password: {{ .Values.secrets.keycloak.adminPassword | quote }} - - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - privileged: false - readOnlyRootFilesystem: false - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }} - - podSecurityContext: - fsGroup: 1000 - fsGroupChangePolicy: "OnRootMismatch" - - theme: - univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css" - univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css" - favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico" - - replicaCount: {{ .Values.replicas.keycloak }} - - resources: - {{ .Values.resources.umsKeycloak | toYaml | nindent 2 }} - -keycloak-bootstrap: - enabled: true - serviceAccount: - annotations: - intended.usage: "compliance" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }} - repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }} - tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - - cleanup: - deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }} - keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }} - - keycloak: - connection: - baseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080" - auth: - username: "kcadmin" - password: {{ .Values.secrets.keycloak.adminPassword | quote }} - realm: {{ .Values.platform.realm | quote }} - ldap: - baseDn: {{ .Values.ldap.baseDn | quote }} - connection: - host: {{ .Values.ldap.host | quote }} - port: "389" - protocol: "ldap" - auth: - bindDn: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal" - password: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }} - - bootstrap: - ldapMappers: - - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin" - - ldapAndUserModelAttributeName: "oxContextIDNum" - loginLinks: - - link_number: 1 - language: "de" - description: "Passwort vergessen?" - href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten" - - link_number: 1 - language: "en" - description: "Forgot password?" - href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten" - twoFactorAuthentication: - enabled: true - group: "2fa-users" - - config: - saml: - serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - - containerSecurityContext: - enabled: true - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - readOnlyRootFilesystem: false - privileged: false - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: "RuntimeDefault" - seLinuxOptions: - {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }} - - podAnnotations: - intents.otterize.com/service-name: "ums-keycloak-bootstrap" - - podSecurityContext: - enabled: true - fsGroup: 1000 - fsGroupChangePolicy: "Always" - - resources: - {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }} - -keycloak-extensions: - enabled: true - keycloak: - connection: - host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}" - auth: - username: "kcadmin" - password: {{ .Values.secrets.keycloak.adminPassword | quote }} - masterRealm: "master" - realm: {{ .Values.platform.realm | quote }} - postgresql: - connection: - host: {{ .Values.databases.keycloakExtension.host | quote }} - port: {{ .Values.databases.keycloakExtension.port }} - auth: - database: {{ .Values.databases.keycloakExtension.name | quote }} - username: {{ .Values.databases.keycloakExtension.username | quote }} - password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} - smtp: - connection: - host: {{ .Values.smtp.host | quote }} - port: {{ .Values.smtp.port | quote }} - auth: - username: {{ .Values.smtp.username | quote }} - password: {{ .Values.smtp.password | quote }} - handler: - replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }} - podAnnotations: - intents.otterize.com/service-name: "ums-keycloak-extensions-handler" - # nameOverride: "keycloak-extensions-handler" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }} - repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }} - tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: {{ .Values.global.imagePullSecrets }} - appConfig: - captchaProtectionEnable: false - deviceProtectionEnable: true - ipProtectionEnable: true - logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} - newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account" - mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - readOnlyRootFilesystem: true - privileged: false - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }} - resources: - {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }} - proxy: - replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }} - podAnnotations: - intents.otterize.com/service-name: "ums-keycloak-extensions-proxy" - # nameOverride: "keycloak-extensions-proxy" - appConfig: - logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }} - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }} - repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }} - tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }} - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - imagePullSecrets: {{ .Values.global.imagePullSecrets }} - ingress: - paths: - {{- if .Values.debug.enabled }} - - pathType: "Prefix" - path: "/admin/" - {{- end }} - - pathType: "Prefix" - path: "/realms/" - - pathType: "Prefix" - path: "/js/" - - pathType: "Prefix" - path: "/resources/" - - pathType: "Prefix" - path: "/fingerprintjs" - - pathType: "Exact" - path: "/univention/meta.json" - backend: - service: - name: "ums-stack-gateway" - port: - name: "http" - - enabled: {{ .Values.ingress.enabled }} - ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} - host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" - tls: - enabled: {{ .Values.ingress.tls.enabled }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - privileged: false - readOnlyRootFilesystem: true - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }} - resources: - {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }} - -keycloak-postgresql: - enabled: false - -stack-gateway: - enabled: true - additionalAnnotations: - intents.otterize.com/service-name: "ums-stack-gateway" - fullnameOverride: "ums-stack-gateway" - image: - registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }} - repository: {{ .Values.images.umsStackGateway.repository | quote }} - tag: {{ .Values.images.umsStackGateway.tag | quote }} - pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - ingress: - annotations: - # Ensure that the ingress controller can handle responses with plenty of - # headers. This is a requirement from the UDM Rest API. - nginx.org/proxy-buffer-size: "64k" - nginx.org/proxy-buffers: "4 128k" - enabled: {{ .Values.ingress.enabled }} - extraTls: - - hosts: - - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }} - ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} - tls: false - - podSecurityContext: - enabled: true - fsGroup: 1001 - replicaCount: {{ .Values.replicas.umsStackGateway }} - - resources: - {{ .Values.resources.umsStackGateway | toYaml | nindent 4 }} - - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - seccompProfile: - type: "RuntimeDefault" - seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }} - - service: - type: "ClusterIP" - - serviceAccount: - create: true - - # The content of the "serverBlock" does resemble the Ingress configuration of - # the UMS components. The "location" entries do intentionally reflect precisely - # the respective paths which are configured. - serverBlock: | - server { - listen 8080; - - proxy_http_version 1.1; - - proxy_set_header Host $http_host; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_x_forwarded_host; - proxy_set_header X-Forwarded-Port $http_x_forwarded_port; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - - - {{ if .Values.functional.externalServices.nubus.udmRestApi.enabled }} - ## udm-rest-api - location /univention/udm/ { - # The UDM Rest API does return on some endpoints a lot of headers - proxy_busy_buffers_size 128k; - proxy_buffers 4 128k; - proxy_buffer_size 64k; - - rewrite ^/univention(/udm/.*)$ $1 break; - proxy_pass http://ums-udm-rest-api:80; - } - {{ end }} - - - ## portal-frontend - # The frontend does not own "/univention/portal" nor - # "/univention/selfservice", only these two bits - location = /univention/portal/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - location = /univention/portal/index.html { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - location = /univention/selfservice/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - - # The following prefixes are owned by the frontend - location /univention/portal/css/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/fonts/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/i18n/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/media/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/js/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/portal/oidc/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/selfservice/css/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/selfservice/fonts/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/selfservice/i18n/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/selfservice/media/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/selfservice/js/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - location /univention/selfservice/oidc/ { - rewrite ^/univention/selfservice(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80; - } - - - ## frontend redirects - location = / { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention/ { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention/portal { - absolute_redirect off; - return 302 /univention/portal/; - } - location = /univention/selfservice { - absolute_redirect off; - return 302 /univention/selfservice/; - } - - - ## portal-server - location = /univention/portal/portal.json { - proxy_pass http://ums-portal-server:80; - } - location = /univention/selfservice/portal.json { - proxy_pass http://ums-portal-server:80; - } - location = /univention/portal/navigation.json { - proxy_pass http://ums-portal-server:80; - } - - - ## umc-gateway - location = /univention/languages.json { - proxy_pass http://ums-umc-gateway:80; - } - location = /univention/meta.json { - proxy_pass http://ums-umc-gateway:80; - } - location = /univention/theme.css { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/js/ { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/login/main.js { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/login/LoginDialog.js { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/login/i18n/ { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/management/ { - proxy_pass http://ums-umc-gateway:80; - } - location /univention/themes/ { - proxy_pass http://ums-umc-gateway:80; - } - - - ### umc-server - ## Do not support local authentication - #location = /univention/auth { - # rewrite ^/univention(/.*)$ $1 break; - # proxy_pass http://ums-umc-server:80; - # proxy_set_header X-UMC-HTTPS 'on'; - #} - location /univention/logout { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/saml { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - proxy_set_header X-UMC-HTTPS 'on'; - } - location /univention/get { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/set { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/command { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - location /univention/upload { - rewrite ^/univention(/.*)$ $1 break; - proxy_pass http://ums-umc-server:80; - } - - - ## notifications-api - location /univention/portal/notifications-api/ { - rewrite ^/univention/portal/notifications-api(/.*)$ $1 break; - proxy_pass http://ums-notifications-api:80; - } - - ## openDesk branding - location = /favicon.ico { - proxy_pass http://ums-portal-frontend:80/; - } - location /univention/portal/custom/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - location /univention/portal/icons/ { - rewrite ^/univention/portal(/.*)$ $1 break; - proxy_pass http://ums-portal-frontend:80/; - } - - ## provisioning-api - # location /univention/provisioning-api/ { - # rewrite ^/univention/provisioning-api(/.*)$ $1 break; - # proxy_pass http://ums-provisioning-api:80; - # } - - ## guardian - location /univention/guardian/management-ui { - proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui; - } - location /guardian/management { - proxy_pass http://ums-guardian-management-api:80/guardian/management; - } - location /guardian/authorization { - proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization; - } - - ## object storage (minio) - location /univention/portal/icons/entries/ { - rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break; - # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; - proxy_pass http://minio:9000; - } - location /univention/portal/icons/logos/ { - rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break; - # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; - proxy_pass http://minio:9000; - } - location /univention/selfservice/icons/entries/ { - rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break; - # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; - proxy_pass http://minio:9000; - } - location /univention/selfservice/icons/logos/ { - rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break; - # proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000; - proxy_pass http://minio:9000; - } - - } - -minio: - enabled: false - -extraSecrets: - - name: ums-ldap-credentials - stringData: - adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - - name: ums-notifications-api-postgresql-credentials - stringData: - password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }} - - name: ums-keycloak-extensions-postgresql-credentials - stringData: - password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} - - name: ums-portal-server-minio-credentials - stringData: - nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }} - nubus-s3-secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }} - - name: ums-portal-server-authenticator-credentials - stringData: - authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }} - - name: ums-provisioning-api-credentials - stringData: - NATS_USER: "api" - NATS_PASSWORD: "password" - - name: ums-provisioning-dispatcher-credentials - stringData: - UDM_USERNAME: "cn=admin" - UDM_PASSWORD: "password" - NATS_USER: "dispatcher" - NATS_PASSWORD: "password" - - name: ums-provisioning-prefill-credentials - stringData: - NATS_USER: "prefill" - NATS_PASSWORD: "password" - - name: ums-provisioning-nats-credentials - stringData: - admin_password: "nimda" - - name: ums-udm-rest-api-credentials - stringData: - ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - - name: "ums-guardian-udm-secret" - stringData: - udmDataAdapterUsername: "cn=admin" - udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} - - name: "ums-guardian-keycloak-client-secret" - stringData: - oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - - name: "ums-keycloak-postgresql-credentials" - stringData: - keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} - - name: "ums-guardian-keycloak-secret" - stringData: - adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} - managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} -...