fix: adjust ldap-notifier affinity

.gitlab-ci.yml

@@ -61,7 +61,8 @@ variables:
       - "yes"
       - "no"
   DEBUG_ENABLED:
-    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific\
+     configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
     value: "no"
     options:
       - "yes"
@@ -636,7 +637,8 @@ release:
 
 renovate:
   rules:
-    - if: $RUN_RENOVATE == "yes"
+    - if: >
+        $RUN_RENOVATE == "yes"
       when: "on_success"
   # The `-full` image does not install the dependencies on the fly, that is our preferred approach
   image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"

.gitlab/lint/lint-opendesk.yml

@@ -8,7 +8,8 @@ lint-opendesk:
   extends: ".lint-common"
   image: "${OPENDESK_CI_CLI_IMAGE}"
   rules:
-    - if: $RUN_RENOVATE == "yes"
+    - if: >
+        $RUN_RENOVATE == "yes"
       when: "never"
     - when: "always"
   script:

.renovate/config.yaml

@@ -41,17 +41,17 @@ repositories:
           - "helmfile/environments/default/images.yaml"
         datasourceTemplate: "docker"
         matchStrings:
-          # yamllint disable rule:line-length
+          # yamllint disable rule:line-length rule:quoted-strings
           - ' providerResponsible: "(?<depType>.+?)"[\s\S]+? upstreamRegistry: "(?<registryUrl>.+?)"[\s\S]+? upstreamRepository: "(?<depName>.+?)"[\s\S]+? tag: "(?<currentValue>[^@]+)@(?<currentDigest>sha256:[a-f0-9]+)"'
-          # yamllint enable rule:line-length
+          # yamllint enable rule:line-length rule:quoted-strings
       - customType: "regex"
         fileMatch:
           - "helmfile/environments/default/charts.yaml"
         datasourceTemplate: "docker"
         matchStrings:
-          # yamllint disable rule:quoted-strings
+          # yamllint disable rule:line-length rule:quoted-strings
           - ' providerResponsible: "(?<depType>.+?)"[\s\S]+? upstreamRegistry: "(?<registryUrl>.+?)"[\s\S]+? upstreamRepository: "(?<depName>.+?)"[\s\S]+? version: "(?<currentValue>.+?)"'
-          # yamllint enable rule:line-length
+          # yamllint enable rule:line-length rule:quoted-strings
     # Rules for matching packages
     packageRules:
       - matchDatasources: [ "docker" ]

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -142,6 +142,16 @@ ldap-notifier:
   enabled: true
   podAnnotations:
     intents.otterize.com/service-name: "ums-ldap-notifier"
+  affinity:
+    podAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+              - key: statefulset.kubernetes.io/pod-name
+                operator: In
+                values:
+                  - ums-ldap-server-primary-0
+          topologyKey: kubernetes.io/hostname
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
     repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
@@ -161,13 +171,22 @@ ldap-notifier:
       {{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }}
   volumes:
     claims:
-      shared-data: "shared-data-ums-ldap-server-0"
+      shared-data: "shared-data-ums-ldap-server-primary-0"
-      shared-run: "shared-run-ums-ldap-server-0"
+      shared-run: "shared-run-ums-ldap-server-primary-0"
 
 ldap-server:
   enabled: true
+  replicaCountPrimary: 2
+  replicaCountSecondary: 3
+  replicaCountProxy: 3
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-ldap-server"
+  podAnnotationsPrimary:
+    intents.otterize.com/service-name: "ums-ldap-server-primary"
+  podAnnotationsSecondary:
+    intents.otterize.com/service-name: "ums-ldap-server-secondary"
+  podAnnotationsProxy:
+    intents.otterize.com/service-name: "ums-ldap-server"
   replicaCount: {{ .Values.replicas.umsLdapServer }}
   serviceAccount:
     annotations:
@@ -227,8 +246,12 @@ ldap-server:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
 
-  resources:
+  resourcesPrimary:
-    {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
+    {{ .Values.resources.umsLdapServerPrimary | toYaml | nindent 4 }}
+  resourcesSecondary:
+    {{ .Values.resources.umsLdapServerSecondary | toYaml | nindent 4 }}
+  resourcesProxy:
+    {{ .Values.resources.umsLdapServerProxy | toYaml | nindent 4 }}
 
   initResources:
     {{ .Values.resources.umsLdapServerInit | toYaml | nindent 4 }}
@@ -343,7 +366,7 @@ portal-listener:
     ucsInternalPath: "portal-data"
 
     ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHost: {{ .Values.ldap.hostPrimary | quote }}
     ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
     ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
     machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
@@ -577,7 +600,7 @@ udm-listener:
   config:
     debugLevel: "4"
     ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHost: {{ .Values.ldap.hostPrimary | quote }}
     ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
     ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
     ldapPort: "389"
@@ -611,7 +634,8 @@ stack-data-ums:
     domainname: {{ .Values.global.domain | quote }}
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapMasterHost: {{ .Values.ldap.hostPrimary | quote }}
+    ldapHost: {{ .Values.ldap.hostSecondary | quote }}
     ldapBase: {{ .Values.ldap.baseDn | quote }}
     ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
     idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
@@ -734,7 +758,7 @@ selfservice-listener:
 
   selfserviceListener:
     ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHost: {{ .Values.ldap.hostPrimary | quote }}
     ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
     ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
     machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}

helmfile/environments/default/_helper.yaml

@@ -3,6 +3,8 @@
 ---
 ldap:
   host: "ums-ldap-server"
+  hostPrimary: "ums-ldap-server-primary"
+  hostSecondary: "ums-ldap-server-secondary"
   notifierHost: "ums-ldap-notifier"
   baseDn: "dc=swp-ldap,dc=internal"
 ## Define Keycloak realmname for openDesk

helmfile/environments/default/charts.yaml

@@ -120,7 +120,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.7.8"
+    version: "1.7.9"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -294,7 +294,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "2.0.1"
+    version: "2.1.0-feat-ldap-server-scalability"
     verify: true
   oxConnector:
     # providerCategory: "Supplier"
@@ -378,7 +378,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ums"
-    version: "0.13.0"
+    version: "0.16.0"
     verify: true
   umsKeycloakBootstrap:
     # providerCategory: "Supplier"

helmfile/environments/default/functional.yaml

@@ -3,7 +3,8 @@
 ---
 authentication:
   twoFactor:
-    # Define a list of groups to enable 2FA for. Removing a group from the list will not disable 2FA for the removed group.
+    # Define a list of groups to enable 2FA for.
+    # Note: Removing a group from the list will not disable 2FA for the removed group.
     groups:
       - "Domain Admins"
 ...

helmfile/environments/default/resources.yaml

@@ -60,10 +60,12 @@ resources:
     requests:
       cpu: 0.1
       memory: "64Mi"
+  # The Jibri container requires 2Gi /dev/shm so we need a limit based on the expected memory consumption of the
+  # service plus the 2Gi /dev/shm
   jibri:
     limits:
       cpu: 99
-      memory: "768Mi"
+      memory: "3Gi"
     requests:
       cpu: 0.1
       memory: "384Mi"
@@ -389,7 +391,21 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsLdapServer:
+  umsLdapServerPrimary:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsLdapServerSecondary:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsLdapServerProxy:
     limits:
       cpu: 99
       memory: "1Gi"