From f69de3cc33cc6d3acd0b5138c1771efdd0e92b22 Mon Sep 17 00:00:00 2001
From: Anton Caceres
Date: Tue, 14 May 2024 11:01:43 +0200
Subject: [PATCH] fix: enable and set up provisioning

---
 .../values-umbrella.yaml.gotmpl | 104 ++++++++++++++++--
 helmfile/environments/default/resources.yaml | 7 ++
 helmfile/environments/default/secrets.gotmpl | 4 -
 3 files changed, 101 insertions(+), 14 deletions(-)

diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
index 4f8cc343..b48e502b 100644
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -440,7 +440,7 @@ portal-server:
 {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 
 provisioning:
- enabled: false
+ enabled: true
 api:
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -451,6 +451,10 @@ provisioning:
 {{- range .Values.global.imagePullSecrets }}
 - name: {{ . | quote }}
 {{- end }}
+ config:
+ rootPath: "/univention/provisioning-api"
+ resources:
+ {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
 credentialSecretName: "ums-provisioning-api-credentials"
 dispatcher:
 image:
@@ -462,6 +466,10 @@ provisioning:
 {{- range .Values.global.imagePullSecrets }}
 - name: {{ . | quote }}
 {{- end }}
+ resources:
+ {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+ config:
+ UDM_HOST: "ums-udm-rest-api"
 credentialSecretName: "ums-provisioning-dispatcher-credentials"
 prefill:
 image:
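Review bot: The `resources:` block added under `provisioning.api` renders its values with `nindent 4`, but if `resources:` itself sits at indent 4 under `api:` (as the nesting `provisioning:` → `api:` → `credentialSecretName:` in this hunk implies), the emitted `limits:`/`requests:` lines land in the same column as `resources:`, so `resources` renders empty and `limits`/`requests` become stray keys of `api` — the limits silently never apply. The `portal-server.resources` line at the top of the previous hunk uses `nindent 4` for a key at indent 2, which is the case that works; the same `nindent 4` is repeated for `dispatcher`, `prefill` and `register_consumers` in the next two hunks. Render the file with `helmfile template` and inspect the `provisioning.api.resources` subtree; if it is empty, the fix is `{{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 6 }}` here and the matching depth in the three sibling blocks. Indentation is not recoverable from this collapsed listing, so confirm against the checked-in file before changing it.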
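Review bot: The dispatcher gains `config: UDM_HOST: "ums-udm-rest-api"` while the same patch deletes `UDM_USERNAME`/`UDM_PASSWORD` from `ums-provisioning-dispatcher-credentials` in the `extraSecrets` hunk and moves them to the prefill secret; as written the dispatcher is told where UDM is but holds no credential for it. Either the dispatcher no longer talks to UDM, in which case the `UDM_HOST` key is dead and should be dropped, or it does, in which case the credential removal breaks it. A one-line comment above `config:` stating which it is, e.g. `# UDM_HOST is needed here for <reason>; the dispatcher holds no UDM credentials`, would settle it for the next reader.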
@@ -473,7 +481,26 @@ provisioning:
 {{- range .Values.global.imagePullSecrets }}
 - name: {{ . | quote }}
 {{- end }}
+ resources:
+ {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+ config:
+ UDM_HOST: "ums-udm-rest-api"
 credentialSecretName: "ums-provisioning-prefill-credentials"
+ register_consumers:
+ image:
+ registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+ repository: {{ .Values.images.umsWaitForDependency.repository }}
+ pullPolicy: {{ .Values.global.imagePullPolicy }}
+ tag: {{ .Values.images.umsWaitForDependency.tag }}
+ pullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+ {{- end }}
+ resources:
+ {{ .Values.resources.umsProvisioningRegisterConsumer | toYaml | nindent 4 }}
+ credentialSecretName: "ums-provisioning-register-consumers-credentials"
+ jsonSecretName: "ums-provisioning-register-consumers-json-secrets"
+ provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions"
 nats:
 config:
 authorization:
@@ -499,6 +526,17 @@ provisioning:
 permissions:
 publish: ">"
 subscribe: ">"
+ - user: "$NATS_UDMLISTENER_USER"
+ password: "$NATS_UDMLISTENER_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+ - user: "$NATS_ADMIN_USER"
+ password: "$NATS_ADMIN_PASSWORD"
+ permissions:
+ publish: ">"
+ subscribe: ">"
+
 extraEnvVars:
 - name: NATS_USER
 value: "admin"
@@ -537,6 +575,17 @@ provisioning:
 secretKeyRef:
 name: ums-provisioning-prefill-credentials
 key: NATS_PASSWORD
+ - name: NATS_UDMLISTENER_USER
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-udm-listener-credentials
+ key: NATS_USER
+ - name: NATS_UDMLISTENER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ums-provisioning-udm-listener-credentials
+ key: NATS_PASSWORD
+
 nats:
 nats:
 image:
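Review bot: The new `register_consumers` block carries no comment, and it is the only provisioning component built on the `umsWaitForDependency` image rather than a provisioning image, which reads like a copy-paste slip unless it is intended. Add a line above it along the lines of `# register_consumers: registers consumer subscriptions (from jsonSecretName) against the provisioning API's internal admin endpoint with the admin credentials in credentialSecretName; deliberately reuses the wait-for-dependency image` once that is confirmed. Since `provisioningApiBaseUrl` targets an `/internal/admin/...` path over plain `http://` with those admin credentials, the comment should also record the assumption that the endpoint is reachable only inside the cluster and that `ums-provisioning-register-consumers-credentials` is meant for this job alone.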
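Review bot: The two new NATS accounts, `$NATS_UDMLISTENER_USER` and `$NATS_ADMIN_USER`, both get `publish: ">"` and `subscribe: ">"`, i.e. every subject; this copies the existing entries above them, but the udm-listener only produces events, and a wildcard grant means a leaked listener credential can read and inject on every stream, including the consumer queues. Restrict at least the listener to the subjects it actually uses — nats-server `permissions` accepts subject lists, so `publish: ["<listener-subject-prefix>.>"]` with no `subscribe`, keeping `">"` for the admin account only. Note also that the `extraEnvVars` hunk further down adds only the `NATS_UDMLISTENER_*` variables; `NATS_ADMIN_USER`/`NATS_ADMIN_PASSWORD` must already be defined elsewhere in that list, otherwise nats-server should reject the config with an unresolved variable reference at startup — worth checking in the rendered values.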
@@ -564,7 +613,7 @@ provisioning:
 enabled: false
 
 udm-listener:
- enabled: false
+ enabled: true
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
 repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
@@ -581,9 +630,17 @@ udm-listener:
 ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
 ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 ldapPort: "389"
- notifierServer: "ums-ldap-notifier"
+ notifierServer: {{ .Values.ldap.notifierHost | quote }}
 tlsMode: "off"
 natsHost: "ums-provisioning-nats"
+ natsUser: "udmlistener"
+ natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+ eventsUsernameUdm: "udmproducer"
+ eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+ internalApiHost: "ums-provisioning-api"
+
+ resources:
+ {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
 
 stack-data-ums:
 enabled: true
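Review bot: `natsPassword` and `eventsPasswordUdm` interpolate the derived secret without `| quote`, while `ldapPassword` and the new `notifierServer` in the same mapping use it; the values from `secrets.gotmpl` are hex digests so this happens to render, but an operator override containing `: `, ` #`, a leading `*`/`&`/`{`, or one that is all digits is rendered as broken YAML or silently retyped. Change them to `natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword | quote }}` and `eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword | quote }}`. The same unquoted pattern is on every `*_PASSWORD` line of the `extraSecrets` hunk below, where `UDM_PASSWORD` is the only one piped through `quote`; apply the same change there.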
@@ -1526,20 +1583,47 @@ extraSecrets:
 - name: ums-provisioning-api-credentials
 stringData:
 NATS_USER: "api"
- NATS_PASSWORD: "password"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+ ADMIN_NATS_USER: "admin"
+ ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+ ADMIN_USERNAME: "admin"
+ ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+ PREFILL_USERNAME: "prefill"
+ PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+ EVENTS_USERNAME_UDM: "udmproducer"
+ EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
 - name: ums-provisioning-dispatcher-credentials
 stringData:
- UDM_USERNAME: "cn=admin"
- UDM_PASSWORD: "password"
 NATS_USER: "dispatcher"
- NATS_PASSWORD: "password"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
 - name: ums-provisioning-prefill-credentials
 stringData:
 NATS_USER: "prefill"
- NATS_PASSWORD: "password"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+ UDM_USERNAME: "cn=admin"
+ UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+ PREFILL_USERNAME: "prefill"
+ PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+ - name: ums-provisioning-udm-listener-credentials
+ stringData:
+ NATS_USER: "udmlistener"
+ NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
 - name: ums-provisioning-nats-credentials
 stringData:
 admin_password: "nimda"
+ - name: ums-provisioning-register-consumers-credentials
+ stringData:
+ ADMIN_USERNAME: "admin"
+ ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+ - name: ums-provisioning-register-consumers-json-secrets
+ stringData:
+ selfservice-listener.json: |
+ {
+ "name": "selfservice-listener",
+ "realms_topics": [["udm", "users/user"]],
+ "request_prefill": true,
+ "password": {{ .Values.secrets.univentionManagementStack.selfserviceListener.provisioningApiPassword | quote }}
+ }
 - name: ums-udm-rest-api-credentials
 stringData:
 ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
@@ -1556,8 +1640,8 @@ extraSecrets:
 GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
 - name: "ums-selfservice-listener-credentials"
 stringData:
- UMC_ADMIN_USER: "Administrator"
- UMC_ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.selfserviceListener.umcAdminPassword | quote }}
+ UMC_ADMIN_USER: "default.admin"
+ UMC_ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
 PROVISIONING_API_USERNAME: "selfservice-listener"
 PROVISIONING_API_PASSWORD: {{ .Values.secrets.univentionManagementStack.selfserviceListener.provisioningApiPassword | quote }}
 ...
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index 635f7f24..5bbae6c3 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -466,6 +466,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "256Mi"
+ umsProvisioningRegisterConsumer:
+ limits:
+ cpu: 0.5
+ memory: "256Mi"
+ requests:
+ cpu: 0.25
+ memory: "128Mi"
 umsProvisioningNats:
 limits:
 cpu: 99
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 8d6f8aac..4dfa3081 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
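Review bot: `admin_password: "nimda"` in `ums-provisioning-nats-credentials` is left as a fixed literal while every other password in this hunk is moved off the `"password"` placeholder, even though `secrets.gotmpl` already defines a derived `nats.natsAdminPassword` (visible as context in its hunk); change it to `admin_password: {{ .Values.secrets.univentionManagementStack.nats.natsAdminPassword | quote }}`, adjusting the path to wherever `nats:` nests in `secrets.gotmpl`, which this listing does not show. Bear in mind that all of these derive from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so with `MASTER_PASSWORD` unset the new values are deterministic and reproducible by anyone with the repository — better than one shared literal, but not a secret until the env var is set. Separately, `"password": {{ ... | quote }}` inside `selfservice-listener.json` relies on Go `%q` escaping, which is not JSON-safe for every string (it can emit `\x..` escapes JSON does not accept); `{{ ... | toJson }}` produces a correctly escaped JSON string literal.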
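Review bot: `ums-selfservice-listener-credentials` now carries `default.admin` and `defaultAccounts.adminPassword`, so the self-service listener appears to authenticate to UMC as the default administrative account rather than with its own credential (the dedicated `umcAdminPassword` derivation is deleted in the `secrets.gotmpl` hunk). Sharing the interactive admin's password with a service means a leak of this Secret is a full admin leak, and rotating the admin password breaks the listener. If UMC allows it, give the listener a dedicated account with only the rights it needs; otherwise put a comment above `UMC_ADMIN_USER` such as `# intentionally reuses the default admin account: <reason>; rotate both together` so the coupling is documented.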
@@ -34,16 +34,12 @@ secrets:
 apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
 apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
 apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
- dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
 prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
 prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
 udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
 dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
- dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
 udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
- udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
 selfserviceListener:
- umcAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "umc" | sha1sum | quote }}
 provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-listener" "selfservice-listener" | sha1sum | quote }}
 nats:
 natsAdminPassword: {{
derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}