fix: enable and set up provisioning

2025-12-06 07:21:36 +01:00 · 2024-05-14 11:01:43 +02:00
parent 5766d0fedd
commit f69de3cc33
3 changed files with 101 additions and 14 deletions
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -440,7 +440,7 @@ portal-server:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}

 provisioning:
-  enabled: false
+  enabled: true
  api:
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -451,6 +451,10 @@ provisioning:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
+    config:
+      rootPath: "/univention/provisioning-api"
+    resources:
+      {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
    credentialSecretName: "ums-provisioning-api-credentials"
  dispatcher:
    image:
@@ -462,6 +466,10 @@ provisioning:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
+    resources:
+      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+    config:
+      UDM_HOST: "ums-udm-rest-api"
    credentialSecretName: "ums-provisioning-dispatcher-credentials"
  prefill:
    image:
@@ -473,7 +481,26 @@ provisioning:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
+    resources:
+      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+    config:
+      UDM_HOST: "ums-udm-rest-api"
    credentialSecretName: "ums-provisioning-prefill-credentials"
+  register_consumers:
+    image:
+      registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+      repository: {{ .Values.images.umsWaitForDependency.repository }}
+      pullPolicy: {{ .Values.global.imagePullPolicy }}
+      tag: {{ .Values.images.umsWaitForDependency.tag }}
+      pullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . | quote }}
+        {{- end }}
+    resources:
+      {{ .Values.resources.umsProvisioningRegisterConsumer | toYaml | nindent 4 }}
+    credentialSecretName: "ums-provisioning-register-consumers-credentials"
+    jsonSecretName: "ums-provisioning-register-consumers-json-secrets"
+    provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions"
  nats:
    config:
      authorization:
@@ -499,6 +526,17 @@ provisioning:
            permissions:
              publish: ">"
              subscribe: ">"
+          - user: "$NATS_UDMLISTENER_USER"
+            password: "$NATS_UDMLISTENER_PASSWORD"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+          - user: "$NATS_ADMIN_USER"
+            password: "$NATS_ADMIN_PASSWORD"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+
    extraEnvVars:
      - name: NATS_USER
        value: "admin"
@@ -537,6 +575,17 @@ provisioning:
          secretKeyRef:
            name: ums-provisioning-prefill-credentials
            key: NATS_PASSWORD
+      - name: NATS_UDMLISTENER_USER
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-udm-listener-credentials
+            key: NATS_USER
+      - name: NATS_UDMLISTENER_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-udm-listener-credentials
+            key: NATS_PASSWORD
+
  nats:
    nats:
      image:
@@ -564,7 +613,7 @@ provisioning:
      enabled: false

 udm-listener:
-  enabled: false
+  enabled: true
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
@@ -581,9 +630,17 @@ udm-listener:
    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
    ldapPort: "389"
-    notifierServer: "ums-ldap-notifier"
+    notifierServer: {{ .Values.ldap.notifierHost | quote }}
    tlsMode: "off"
    natsHost: "ums-provisioning-nats"
+    natsUser: "udmlistener"
+    natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+    eventsUsernameUdm: "udmproducer"
+    eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+    internalApiHost: "ums-provisioning-api"
+
+  resources:
+    {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}

 stack-data-ums:
  enabled: true
@@ -1526,20 +1583,47 @@ extraSecrets:
  - name: ums-provisioning-api-credentials
    stringData:
      NATS_USER: "api"
-      NATS_PASSWORD: "password"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+      ADMIN_NATS_USER: "admin"
+      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+      EVENTS_USERNAME_UDM: "udmproducer"
+      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
  - name: ums-provisioning-dispatcher-credentials
    stringData:
-      UDM_USERNAME: "cn=admin"
-      UDM_PASSWORD: "password"
      NATS_USER: "dispatcher"
-      NATS_PASSWORD: "password"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
  - name: ums-provisioning-prefill-credentials
    stringData:
      NATS_USER: "prefill"
-      NATS_PASSWORD: "password"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+      UDM_USERNAME: "cn=admin"
+      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+  - name: ums-provisioning-udm-listener-credentials
+    stringData:
+      NATS_USER: "udmlistener"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
  - name: ums-provisioning-nats-credentials
    stringData:
      admin_password: "nimda"
+  - name: ums-provisioning-register-consumers-credentials
+    stringData:
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+  - name: ums-provisioning-register-consumers-json-secrets
+    stringData:
+      selfservice-listener.json: |
+        {
+          "name": "selfservice-listener",
+          "realms_topics": [["udm", "users/user"]],
+          "request_prefill": true,
+          "password": {{ .Values.secrets.univentionManagementStack.selfserviceListener.provisioningApiPassword | quote }}
+        }
  - name: ums-udm-rest-api-credentials
    stringData:
      ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
@@ -1556,8 +1640,8 @@ extraSecrets:
      GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
  - name: "ums-selfservice-listener-credentials"
    stringData:
-      UMC_ADMIN_USER: "Administrator"
-      UMC_ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.selfserviceListener.umcAdminPassword | quote }}
+      UMC_ADMIN_USER: "default.admin"
+      UMC_ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
      PROVISIONING_API_USERNAME: "selfservice-listener"
      PROVISIONING_API_PASSWORD: {{ .Values.secrets.univentionManagementStack.selfserviceListener.provisioningApiPassword | quote }}
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -466,6 +466,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
+  umsProvisioningRegisterConsumer:
+    limits:
+      cpu: 0.5
+      memory: "256Mi"
+    requests:
+      cpu: 0.25
+      memory: "128Mi"
  umsProvisioningNats:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -34,16 +34,12 @@ secrets:
      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
-      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
-      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
    selfserviceListener:
-      umcAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "umc" | sha1sum | quote }}
      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-listener" "selfservice-listener" | sha1sum | quote }}
  nats:
    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}