feat(nubus): Configure migration scripts from ldap 2.4 to 2.5

Adjusts the configuration of the guardian related clientids.

.gitlab-ci.yml

@@ -171,7 +171,16 @@ variables:
       - "no"
   TESTS_BRANCH:
     description: "Branch of E2E-tests on which the test pipeline is triggered"
-    value: "main"
+    value: "develop"
+  TESTS_PROJECT_URL:
+    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
+    value: "gitlab.opencode.de/api/v4/projects/1506"
+  TESTS_TESTSET:
+    description: "Selects testset for E2E-tests"
+    value: "Smoke"
+    options:
+      - "Regression"
+      - "Smoke"
 
 .deploy-common:
   cache: {}
@@ -486,27 +495,27 @@ run-tests:
         \"ref\": \"${TESTS_BRANCH}\", \
         \"token\": \"${CI_JOB_TOKEN}\", \
         \"variables\": { \
-          \"url\": \"https://portal.${DOMAIN}\", \
+          \"operator\": \"${OPERATOR}\", \
+          \"cluster\": \"${CLUSTER}\", \
+          \"namespace\": \"${NAMESPACE}\", \
+          \"url\": \"https://portal.${DOMAIN}/\", \
           \"user_name\": \"${DEFAULT_USER_NAME}\", \
           \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
           \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
           \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
-          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
-          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
-          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
-          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
-          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
-          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
-          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
-          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
-          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
-          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
-          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
-          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
-          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
+          \"screenshot_test\": \"yes\", \
+          \"screenshot_before_step\": \"yes\", \
+          \"screenshot_after_step\": \"yes\", \
+          \"screenshot_redirect_step\": \"yes\", \
+          \"testset\": \"${TESTS_TESTSET}\", \
+          \"testprofile\": \"Namespace\", \
+          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
+          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
+          \"gitlab_default_env_namespace\": \"values\" \
         } \
       }" \
       "https://${TESTS_PROJECT_URL}/trigger/pipeline"
+  retry: 1
 
 avscan-prepare:
   stage: ".pre"

docs/ci.md

@@ -33,10 +33,11 @@ You might want to set credential variables in the GitLab project at `Settings` >
 # Tests
 
 The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
-The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-
+To select the current testset, use the variable `TESTS_TESTSET`. Default: `Smoke`.
 If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.
+
+The variable `testprofile` within the job is set to `Namespace`, which tells the e2e tests to use environment specific settings that will be read from the cluster and namespace specific file in the opendesk-env repository.

docs/development.md

@@ -138,6 +138,9 @@ configured to pull artifacts that do not originate from Open CoDE into projects
 
 The mirror script takes the information on what artifacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
+- `# upstreamRegistryCredentialId`: *optional*: In case the source registry is not public the access credentials have to be specified as ENV variables containing the value of this key in their name, so you want to specific that key all uppercase:
+  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_USERNAME`
+  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_PASSWORT`
 - `# upstreamRepository` *required*: To identify the source repository
 - `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artifacts beginning with a specific version. You must use capturing groups

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -143,6 +143,56 @@ nubusLdapServer:
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
+  extraVolumes:
+    - name: "migration-scripts"
+      secret:
+        secretName: "ums-ldap-server-migration"
+        defaultMode: 0555
+  extraVolumeMounts:
+    - name: "migration-scripts"
+      mountPath: "/entrypoint.d/30-purge.sh"
+      subPath: "30-purge.sh"
+    - name: "migration-scripts"
+      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
+      subPath: "95-slapadd-24-ldif.sh"
+  extraSecrets:
+    - name: "ums-ldap-server-migration"
+      stringData:
+        30-purge.sh: |
+          #!/usr/bin/env bash
+
+          me=$(basename "$0")
+          echo "- Running ${me}"
+
+          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+            echo "- Cleaning up /var/lib/univention-ldap."
+            cd /var/lib/univention-ldap
+            rm -rf internal
+            rm -rf ldap
+            ls -l
+          else
+            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
+          fi
+        95-slapadd-24-ldif.sh: |
+          #!/usr/bin/env bash
+
+          me=$(basename "$0")
+          echo "- Running ${me}"
+
+          ls -l /var/lib/univention-ldap
+
+          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif, but not before deleting the directories /var/lib/univention-ldap/ldap and ./internal"
+            rm -rf /var/lib/univention-ldap/ldap
+            rm -rf /var/lib/univention-ldap/internal
+            mkdir /var/lib/univention-ldap/ldap
+            mkdir /var/lib/univention-ldap/internal
+            /usr/sbin/slapadd -l /var/lib/univention-ldap/ldap-24-export.ldif
+            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
+          else
+            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
+          fi
+
 
 nubusPortalFrontend:
   additionalAnnotations:

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -10,16 +10,6 @@ image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.oxConnector.tag | quote }}
 
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.nubusWaitForDependency.repository }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-    pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
-
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
   - name: {{ . | quote }}
@@ -29,8 +19,16 @@ ingress:
   enabled: false
 
 oxConnector:
+  caCert: "ucctempldapstring"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  ldapHost: "{{ .Values.ldap.host }}-primary"
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  tlsMode: "off"
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
   oxDefaultContext: "1"
   oxImapServer: "imap://127.0.0.1:143"
   oxLocalTimezone: "Europe/Berlin"
@@ -40,13 +38,6 @@ oxConnector:
   oxSmtpServer: "smtp://127.0.0.1:587"
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 
-provisioningApi:
-  connection:
-    baseUrl: "http://ums-provisioning-api"
-  auth:
-    username: "ox-connector"
-    password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}
-
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 

helmfile/environments/default/charts.yaml

@@ -132,7 +132,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.9.3"
+    version: "1.11.3"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -261,11 +261,10 @@ charts:
     # upstreamRepository: "nubus/charts/nubus"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "19", "3"]
-    # TODO: return back mirror registry and repository, set the correct version before merging
-    registry: "artifacts.software-univention.de"
-    repository: "nubus-dev/charts"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "0.59.0-pre-acaceres-register-ox-connector"
+    version: "0.57.3"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
@@ -341,7 +340,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ox-connector"
-    version: "0.14.2"
+    version: "0.4.2"
     verify: true
   postfix:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml

@@ -743,7 +743,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "4", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.14.2@sha256:105a076bda63e6723a631bbe4e312273ea8ad6cae14e4aa8a46df4604aebfe4c"
+    tag: "0.4.2@sha256:308489c0c0e0436bbbedbd757f78875d44468992c46c8d371c584dc778b30770"
   postfix:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/environments/default/secrets.gotmpl

@@ -19,8 +19,6 @@ secrets:
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
     synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
-  oxConnector:
-    provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
   nubus:
     ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
     ldapSearch:

helmfile/environments/default/theme.gotmpl

@@ -46,6 +46,9 @@ theme:
     favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
     logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}
 
+    # Jitsi
+    logoHeaderInvertedSvgB64: {{ readFile "./../../files/theme/logoHeaderInverted.svg" | b64enc | quote }}
+
     # Portal
     logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
     portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}