mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
Compare commits
46 Commits
jtorres/ic
...
fischer/re
| Author | SHA1 | Date | |
|---|---|---|---|
|
5474764a13 | ||
|
|
469ba40ed2 | ||
|
|
11eea81f4d | ||
|
|
b2eefbab83 | ||
|
|
381b4e7988 | ||
|
|
6d300304ee | ||
|
|
da79f3b286 | ||
|
|
ed5bf231cc | ||
|
|
f4faebaf68 | ||
|
|
574acb5976 | ||
|
|
44d5e5a2b5 | ||
|
|
984b23c73b | ||
|
|
abca53d02f | ||
|
|
a159724abd | ||
|
|
8c1b0802a0 | ||
|
|
000af5a604 | ||
|
|
ba9560d14b | ||
|
|
0c91117575 | ||
|
|
6c67eca7aa | ||
|
|
0e21d2cea5 | ||
|
|
a13cf63024 | ||
|
|
28a6528528 | ||
|
|
2926e2c93a | ||
|
|
6796f320f7 | ||
|
|
63562c1aae | ||
|
|
1c643ac8ff | ||
|
|
4811b570e7 | ||
|
|
0e69f38fef | ||
|
|
3983c608be | ||
|
|
174951cd51 | ||
|
|
16dfd255c6 | ||
|
|
669995bb95 | ||
|
|
6d329e18cf | ||
|
|
6438284090 | ||
|
|
a63d7cb861 | ||
|
|
4602396583 | ||
|
|
b9656772a9 | ||
|
|
4403dfe720 | ||
|
|
31ec1003c0 | ||
|
|
4cda827f55 | ||
|
|
96f18196c5 | ||
|
|
eac214e364 | ||
|
|
3ad285a869 | ||
|
|
e4d9106c45 | ||
|
|
7f60ab3b7a | ||
|
|
4c7422a411 |
@@ -1,12 +1,11 @@
|
||||
# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
include:
|
||||
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
|
||||
ref: "v2.4.3"
|
||||
ref: "v2.4.8"
|
||||
file:
|
||||
- "ci/common/automr.yml"
|
||||
- "ci/common/lint.yml"
|
||||
- "ci/release-automation/semantic-release.yml"
|
||||
- local: "/.gitlab/generate/generate-docs.yml"
|
||||
@@ -32,7 +31,6 @@ stages:
|
||||
- ".pre"
|
||||
- "renovate"
|
||||
- "scan"
|
||||
- "automr"
|
||||
- "env-cleanup"
|
||||
- "env"
|
||||
- "pre-services-deploy"
|
||||
@@ -70,7 +68,7 @@ variables:
|
||||
- "no"
|
||||
DEBUG_ENABLED:
|
||||
description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific\
|
||||
configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
|
||||
configuration containing: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
|
||||
value: "no"
|
||||
options:
|
||||
- "yes"
|
||||
@@ -154,6 +152,12 @@ variables:
|
||||
options:
|
||||
- "yes"
|
||||
- "no"
|
||||
DEPLOY_NOTES:
|
||||
description: "Enable Notes deployment."
|
||||
value: "no"
|
||||
options:
|
||||
- "yes"
|
||||
- "no"
|
||||
RUN_TESTS:
|
||||
description: "Triggers execution of E2E-tests."
|
||||
value: "no"
|
||||
@@ -183,10 +187,17 @@ variables:
|
||||
GRACE_PERIOD is the period in seconds that should be waited before running the tests."
|
||||
value: "0"
|
||||
|
||||
# Declare .environments which is in `opendesk-env` repository. In case it is not available
|
||||
# 'cache' is used because job as a dummy key, as the job is not allowed to be empty.
|
||||
.environments:
|
||||
cache: {}
|
||||
|
||||
.deploy-common:
|
||||
cache: {}
|
||||
dependencies: []
|
||||
extends: ".environments"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.1.0\
|
||||
@sha256:74f349066ac5d20e3afaa6abd28781b4c8dc086f67e3d3c1b8345e4a9c3371b1"
|
||||
script:
|
||||
@@ -208,9 +219,6 @@ variables:
|
||||
|
||||
env-cleanup:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
action: "stop"
|
||||
needs: []
|
||||
rules:
|
||||
- if: >
|
||||
@@ -302,6 +310,8 @@ migrations-pre:
|
||||
migrations-post:
|
||||
stage: "090-migrations-post"
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
url: "https://${DOMAIN}"
|
||||
rules:
|
||||
- if: >
|
||||
$CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
|
||||
@@ -310,6 +320,8 @@ migrations-post:
|
||||
when: "on_success"
|
||||
variables:
|
||||
COMPONENT: "opendesk-migrations-post"
|
||||
after_script:
|
||||
- echo ${DOMAIN}
|
||||
|
||||
services-external-deploy:
|
||||
stage: "030-services"
|
||||
@@ -444,6 +456,18 @@ jitsi-deploy:
|
||||
variables:
|
||||
COMPONENT: "jitsi"
|
||||
|
||||
notes-deploy:
|
||||
stage: "050-components"
|
||||
extends: ".deploy-common"
|
||||
rules:
|
||||
- if: >
|
||||
$CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
|
||||
$NAMESPACE =~ /.+/ &&
|
||||
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NOTES != "no")
|
||||
when: "on_success"
|
||||
variables:
|
||||
COMPONENT: "notes"
|
||||
|
||||
element-deploy:
|
||||
stage: "050-components"
|
||||
extends: ".deploy-common"
|
||||
@@ -458,8 +482,6 @@ element-deploy:
|
||||
|
||||
fetch-administrator-credentials:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
stage: "post-prepare"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -592,7 +614,7 @@ avscan-prepare:
|
||||
| del(.[].repository)
|
||||
| del(.[].tag)
|
||||
| del(.[].registry)'
|
||||
helmfile/environments/default/images.yaml
|
||||
helmfile/environments/default/images.yaml.gotmpl
|
||||
>> dynamic-scans.yml
|
||||
artifacts:
|
||||
paths:
|
||||
@@ -613,11 +635,6 @@ avscan-start:
|
||||
job: "avscan-prepare"
|
||||
strategy: "depend"
|
||||
|
||||
# Declare .environments which is in `opendesk-env` repository. In case it is not available
|
||||
# 'cache' is used because job as a dummy key, as the job is not allowed to be empty.
|
||||
.environments:
|
||||
cache: {}
|
||||
|
||||
# Overwrite shared settings
|
||||
.common-semantic-release:
|
||||
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
|
||||
@@ -685,7 +702,7 @@ release:
|
||||
- |
|
||||
cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
|
||||
{
|
||||
"branches": ["${RELEASE_BRANCH}"],
|
||||
"branches": ["main"],
|
||||
"plugins": [
|
||||
"@semantic-release/gitlab",
|
||||
"@semantic-release/release-notes-generator",
|
||||
|
||||
@@ -2,10 +2,10 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
variables:
|
||||
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.3\
|
||||
@sha256:1296e8590b59f02311881307bb14c58b72bafc92a58e7e7e7212508abf902b00"
|
||||
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.8\
|
||||
@sha256:59e714cad38e873cf8a9a132af76ad868b46a51ed12d0bd45477f328c0136991"
|
||||
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
|
||||
@sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
|
||||
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
|
||||
@sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
|
||||
|
||||
.common:
|
||||
cache: {}
|
||||
|
||||
@@ -16,6 +16,7 @@ lint-kyverno:
|
||||
- "element"
|
||||
- "jitsi"
|
||||
- "nextcloud"
|
||||
- "notes"
|
||||
- "nubus"
|
||||
- "open-xchange"
|
||||
- "opendesk-migrations-post"
|
||||
@@ -30,7 +31,11 @@ lint-kyverno:
|
||||
- >
|
||||
node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
|
||||
-d ${CI_PROJECT_DIR}/helmfile/environments
|
||||
-x ${CI_PROJECT_DIR}/.kyverno/_overwrite.yaml
|
||||
- "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
|
||||
- >
|
||||
node /app/opendesk-ci-cli/src/index.js remove-empty-keys
|
||||
-f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml
|
||||
- "cd ${CI_PROJECT_DIR}/.kyverno"
|
||||
# Test optional
|
||||
- >
|
||||
|
||||
6
.kyverno/_overwrite.yaml
Normal file
6
.kyverno/_overwrite.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
replicas:
|
||||
umsLdapServerPrimary: 2
|
||||
...
|
||||
84
CHANGELOG.md
84
CHANGELOG.md
@@ -1,3 +1,87 @@
|
||||
# [1.1.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.0.0...v1.1.0) (2024-12-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cassandra:** Prepare cassandra for openDesk Enterprise. ([508e286](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/508e28623258542a4082e79ed75ce1e5758ae2e0))
|
||||
* **cassandra:** Remove values in charts.yaml for enterprise components. ([c0cbb76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0cbb76921b5108d084640baf3e607e9fc6557c7))
|
||||
* **ci:** Explicitly set RELEASE_BRANCH (to `main`) for scan and release steps ([e5ad0bb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e5ad0bb2e028dafab0ba29fb2e9b0d207b8795fd))
|
||||
* **ci:** Reduce Kyverno linting issues ([e4d9106](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e4d9106c457e018922dcc730df0570d41f3ec2aa))
|
||||
* **collabora:** Add/update Helmfile for Collabora Controller to be used in EE deployments ([a63d7cb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a63d7cb8614bfa7d26d997ffdf3ea807ae187664))
|
||||
* **collabora:** Update to 24.04.9.2. ([407f2be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/407f2be2ad2d40813bb37e0ba302ef14e3a06bd9))
|
||||
* **docs:** Add `architecture.md` and `apis.md` ([7710858](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/77108587c71dee16ecf539608838c8c9064a66f8))
|
||||
* **docs:** Add GitOps / Argo CD documentation ([bbe7550](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bbe7550c4617b4799190192b5316ac04295e9e88))
|
||||
* **docs:** Update and streamline README.md and migrations.md. ([a86c0af](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a86c0afdbb7fa1230aa90cf210323969fd580431))
|
||||
* **element:** Add extensive database options ([9e102e2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9e102e2d1b9d6621b9c5d6ed0643432e8879f663))
|
||||
* **element:** Prepare element for openDesk Enterprise. ([00a1a93](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/00a1a9394ee3544b1a0d7b3e975c36830ba8b13c))
|
||||
* **element:** Rename release opendesk-element to opendesk-element-web ([1213ecc](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1213ecc425041ac4adba99a0ae2d8188932a7d9f))
|
||||
* **element:** Switch `element-web` base image to Alpine ([47ce294](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/47ce29440388370f7d63e373eeda90d067830ebd))
|
||||
* **element:** Toggle IPv4-only mode depending on cluster.networking.ipFamilies ([627b9c1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/627b9c1e8464fd9529ddf50f171031053710323c))
|
||||
* **element:** Update Matrix Meetings Bot to 2.8.2 ([4403dfe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4403dfe720982a8339043951a4dfc88bfb0af57c))
|
||||
* **element:** Update Synapse to 1.120.2 and Element to 1.11.87 update also related containers ([9d7644d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9d7644dc04c9ef97449680e5197f2129d62d56f8))
|
||||
* **helmfile:** Add `opendesk-static-files` to `opendesk-services` to serve favicons ([6438284](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6438284090f3e552843679c1ea62b5538be5dff9))
|
||||
* **helmfile:** Add Redis username and tls option ([564fb2d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/564fb2d7c7190a91446293ce21950701503ecbb7))
|
||||
* **helmfile:** Allow usage of pre-defined CA certificates. ([0738fa0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0738fa080d61f0e6c084dd8fd5e09635469b1dca))
|
||||
* **helmfile:** Auto-redirect user to login dialogue, please read migrations.md for more details ([a9c8dfe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a9c8dfeab125510a7d9a137e16b14685155aa441))
|
||||
* **helmfile:** Remove `default.user` and `default.admin` for new deployments. ([54f9e4c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/54f9e4c3f8fd425bde1272e3eec490efa30461f7))
|
||||
* **helmfile:** Remove `theme` subtree from the migration's `.Values` secret to avoid a bloated secret hitting limits in certain clusters setups and GitOps tools. ([b6725dd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b6725dddc19f22e142a214c02aef5139b2921d5a))
|
||||
* **helmfile:** Splitting the directory `./helmfile/apps/services` into `-external` and `opendesk-` services, please read migrations.md for more details ([277a1f5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/277a1f5a65e340180feeb84cce2097be5a2157e1))
|
||||
* **helmfile:** Streamline `commonLabels.deployStage`. ([f969425](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f96942536f931e8f8eb714ce0503716b873b593b))
|
||||
* **helmfile:** Streamline `requests.cpu` in `resources.yaml` ([43f427e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/43f427e06a83aea8979e1b54f7ea7f2d24ab28cf))
|
||||
* **helmfile:** Streamline file extensions in `/helmfile/environments/default` to ([0e3b661](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0e3b6615653d7bbe30b09e57428b1f5c19f171f8))
|
||||
* **helmfile:** Unify templating name for Open-Xchange to `openxchange` and for OX App Suite to `oxAppSuite`. ([6ff1fcd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6ff1fcd438103534e78a5898f25fcea1080dfb86))
|
||||
* **helmfile:** Use dictionaries for defining `customization.yaml`, please read migrations.md for more details ([86ef0be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/86ef0be542b0e34d76a85cb226e223a3e7dbc76e))
|
||||
* **jitsi:** Update Jitsi Helm chart and images. ([5c691e4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5c691e450821c81b363040b68ffba96e38d1712b))
|
||||
* **jitsi:** Update to 2.0.9823 and chart to 2.1.1 ([56ce335](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56ce3355fcedf60595f33609848f6c8bd8644914))
|
||||
* **jitsi:** Update to switch the colors of `Hang up` and `End meeting for all` buttons. ([9dbb2b7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9dbb2b755caa8e6bda80bed691c54e66b1a63eb9))
|
||||
* **migrations:** Cleanup of jobs ([539a302](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/539a30263c9ce25ab7c6aa6607fd41cd1099315b))
|
||||
* **migrations:** Update to support Nubus 1.5.1 ([7f60ab3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7f60ab3b7a155c8f95bfcf139fa896cbc41ca767))
|
||||
* **nextcloud:** Add Redis TLS option ([1402593](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1402593556af9cf039878a1261b656424fc45c88))
|
||||
* **nextcloud:** Fix templating for nextcloud database name ([7f1f6cd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7f1f6cdcd4385d24cf13cdf9425b615337a131de))
|
||||
* **nextcloud:** Fix templating for nextcloud database user ([c8c12a2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c8c12a278e8d00f04c1c7b6dd7fbdf3826c89a19))
|
||||
* **nextcloud:** Support IPv4 only clusters ([b25ada1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b25ada1f603659cd551be23d62992e8fa6a0603d))
|
||||
* **nextcloud:** Trusted Proxy setting. ([bc0ca8b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc0ca8b4c1dfdcd046c9b4ddd1f63a28e6a5531a))
|
||||
* **nextcloud:** Update Chart to 3.6.1 and Image to 2.3.3 (including rollback to 29.0.8). Introducing setting for `functional.filestore.sharing.external.sendPasswordMail` ([18fcaa0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/18fcaa0331c9c94bb2f260f97fbadad44b019bb6))
|
||||
* **nextcloud:** Update to 29.0.9 incl. latest apps. ([c63cca7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c63cca72a35cdeb35b8ea48d98a5c5d55982d145))
|
||||
* **notes:** Add `favicon.ico` via `opendesk-static-files` ([669995b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/669995bb95235a56f7b2387c4c582d6e7250e4a9))
|
||||
* **notes:** Add https to all endpoints ([174951c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/174951cd5145e83d776a9b4bda4f091d5b827402))
|
||||
* **nubus:** Add nginx s3 proxy when minio disabled ([b3b6ab5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b3b6ab5a61dc5bca13c8b1f4e6b716bbcad64e8c))
|
||||
* **nubus:** Enable Keycloak debug mode logging; add Keycloak specific section to debugging.md ([3b3679b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3b3679bab150ece327ce1e132933820b1e3afa88))
|
||||
* **nubus:** Fix selfsigned certificate mounts ([b90bff3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b90bff30b35b91fff792f2d5d617de4cdba30f23))
|
||||
* **nubus:** Leader election on re-deployments ([b965677](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9656772a9c743c9119a850e0b48cb39d68f48fa))
|
||||
* **nubus:** Start ums keycloak bootstrap already during Sync phase ([16dfd25](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/16dfd255c621b1da311fd6fee775f7397e5f6792))
|
||||
* **nubus:** Update external portal links and login screen background. ([901b1f5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/901b1f529e7d16a8164511bebac1e7f9a475d111))
|
||||
* **nubus:** Update to 1.4.0 ([2a94f2d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2a94f2dd4bdfa039b4459b3711e171ee46172583))
|
||||
* **nubus:** Update to v1.5.1 ([4c7422a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4c7422a411a4fa1ddc36430d363ae06226efb31d))
|
||||
* **nubus:** Use favicon with transparent background for portal ([1b13c3e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1b13c3ea658786420d960c8e67aed81f40067c0a))
|
||||
* **open-xchange:** Extend Dovecot LDAP filter to also match OX-Resources ([31ea6e0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31ea6e0e08226afb8d9cba4370033fd6f742459b))
|
||||
* **open-xchange:** Fix truststore decrypt error on self-signed deployments ([8611d95](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8611d95e5a4ab7b158ed8322676589c3d196b548))
|
||||
* **open-xchange:** Update AppSuite to 8.30, update Helm chart to 2.12.85 ([0c88699](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0c886999174f87030af268c7fdd0beee11f01346))
|
||||
* **opendesk-services:** Update minio to 2024.12.13 ([4cda827](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4cda827f5554ed7ff92a85fc62f6908183181f9b))
|
||||
* **opendesk-services:** Update otterize Network Policies ([4602396](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4602396583c454a23b3458c54cb40e259f245163))
|
||||
* **openproject:** Bump Helm chart to 9.2 ([718eb45](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/718eb45e9c9961f1f792b59e232fd7da66916c7d))
|
||||
* **openproject:** Bump version to 15.0.2 ([c06e0bb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c06e0bb8d4d04c8794dafddecc189d5f376d661e))
|
||||
* **openproject:** Update 15.1.0 image ([6d329e1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6d329e18cff8c6ebbbf1b0965801827079904f88))
|
||||
* **openproject:** Update branding and Helm chart to 9.0.1 ([d3b1916](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d3b191644b0bf20cac1cd9f85ed4b4dc7c6b549d))
|
||||
* **openproject:** Update to 14.6.3 incl. latest Helm chart (8.3.2). ([4c82adf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4c82adf668c7f90489bc4ae46426cf607e3425d8))
|
||||
* **postfix:** Added service type definition analogous to dovecot ([31ec100](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31ec1003c0874a2920132c61d48a1a88e5569cb8))
|
||||
* **services:** Add template for certificate issuerRef.kind ([df144fe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/df144fe3d3ffd70ca0b7e5aa4c2894b96d0138f1))
|
||||
* **services:** Update MariaDB chart to v3.0.3 in preparation for the use of external secrets. ([08feab1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/08feab1cfcc099d9b8caed2c4db9a97d4542a5ac))
|
||||
* **services:** Update Redis to 7.4.1 as required by OX Appsuite, please read migrations.md for more details ([5e0b2e2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5e0b2e26fc33d7befcb3f94d748e8e9d6f93f383))
|
||||
* **xwiki:** Fix templating for xwiki database port ([de15071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/de15071ae9d6194d93f9a5fbb0033650b266eaf9))
|
||||
* **xwiki:** Set superadmin password account only when debug is enabled ([e2b3bd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e2b3bd543fab7be512cef58382c4d62c48cd79b4))
|
||||
|
||||
|
||||
### Features
|
||||
|
||||
* **helmfile:** Add grafana dashboards ([1441c57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1441c5734f42b995505e6aa97f59bdb1eae32b1b))
|
||||
* **helmfile:** Add openDesk specific alerts ([f630a36](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f630a369da12ef7f19d5553c6dbd5955e414868f))
|
||||
* **helmfile:** Add template support for antivirus icap/milter ([83da87e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83da87e9623be294753302686a8d8270c28bcc58))
|
||||
* **helmfile:** Allow custom/self-signed ca-certificates ([c71faf5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c71faf5e8011c42b02fd5025a9b1629300a4f1e3))
|
||||
* **jitsi:** Enable Jitsi room history by default. ([45add79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/45add7981c3a50045caeadb7f2b0bc11254ae562))
|
||||
* Newsfeed in Portal based on XWiki blog feature ([3ad285a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3ad285a8695a32607c4bf0faea0747c7e685dcd6))
|
||||
* **notes:** Integrate Preview of Notes app ([96f1819](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/96f18196c53267dbd72cd28e6fbadf06448db93a))
|
||||
|
||||
# [1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.9.0...v1.0.0) (2024-10-14)
|
||||
|
||||
|
||||
|
||||
15
README.md
15
README.md
@@ -13,7 +13,9 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [Getting started](#getting-started)
|
||||
* [Advanced customization](#advanced-customization)
|
||||
* [Architecture](#architecture)
|
||||
* [Permissions](#permissions)
|
||||
* [Releases](#releases)
|
||||
* [Data Storage](#data-storage)
|
||||
* [Feedback](#feedback)
|
||||
* [Development](#development)
|
||||
* [License](#license)
|
||||
@@ -29,13 +31,13 @@ openDesk currently features the following functional main components:
|
||||
|
||||
| Function | Functional Component | Component<br/>Version | Upstream Documentation |
|
||||
| -------------------- | --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.87](https://github.com/element-hq/element-desktop/releases/tag/v1.11.87) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Diagram editor | CryptPad ft. diagrams.net | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
|
||||
| File management | Nextcloud | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8) | [Nextcloud 29](https://docs.nextcloud.com/) |
|
||||
| Groupware | OX App Suite | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/) | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
|
||||
| Knowledge management | XWiki | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
|
||||
| Portal & IAM | Nubus | [1.4.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) |
|
||||
| Project management | OpenProject | [15.1.0](https://www.openproject.org/docs/release-notes/15-1-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
|
||||
| Project management | OpenProject | [15.1.1](https://www.openproject.org/docs/release-notes/15-1-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
|
||||
| Videoconferencing | Jitsi | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
|
||||
| Weboffice | Collabora | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
|
||||
|
||||
@@ -77,6 +79,10 @@ You would like to install openDesk in your own infrastructure?
|
||||
|
||||
More information on openDesk's architecture can be found in our [Architecture docs](./docs/architecture.md).
|
||||
|
||||
# Permissions
|
||||
|
||||
Find out more about the permission system in the[roles & permissions concept](./docs/permissions.md)
|
||||
|
||||
# Releases
|
||||
|
||||
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
|
||||
@@ -92,6 +98,11 @@ in the files from the release's git-tag:
|
||||
|
||||
Find more information in our [Workflow documentation](./docs/workflow.md).
|
||||
|
||||
# Data Storage
|
||||
|
||||
More information about different data storages used within openDesk are described in the
|
||||
[Data Storage documentation](./docs/data-storage.md).
|
||||
|
||||
# Feedback
|
||||
|
||||
We love to get feedback from you!
|
||||
|
||||
@@ -14,7 +14,7 @@ SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG
|
||||
SPDX-License-Identifier = "CC0-1.0"
|
||||
|
||||
[[annotations]]
|
||||
path = "helmfile/files/theme/*"
|
||||
path = "helmfile/files/theme/**"
|
||||
SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
|
||||
SPDX-License-Identifier = "Apache-2.0"
|
||||
|
||||
|
||||
133
cspell.json
133
cspell.json
@@ -4,79 +4,82 @@
|
||||
"dictionaryDefinitions": [],
|
||||
"dictionaries": [],
|
||||
"words": [
|
||||
"openDesk",
|
||||
"Addressbooks",
|
||||
"AppSuite",
|
||||
"Collabora",
|
||||
"Digitale",
|
||||
"Jitsi",
|
||||
"Nextcloud",
|
||||
"Öffentlichen",
|
||||
"OpenProject",
|
||||
"Souveränität",
|
||||
"Verwaltung",
|
||||
"Zentrum",
|
||||
"Keycloak",
|
||||
"NATS",
|
||||
"slapadd",
|
||||
"slapcat",
|
||||
"RDBMS",
|
||||
"Velero",
|
||||
"Univention",
|
||||
"OIDC",
|
||||
"kcadmin",
|
||||
"DMARC",
|
||||
"homeserver",
|
||||
"Bundesministerium",
|
||||
"Innern",
|
||||
"Heimat",
|
||||
"Projektgruppe",
|
||||
"Arbeitsplatz",
|
||||
"Aufbau",
|
||||
"Filepicker",
|
||||
"Weboffice",
|
||||
"Xchange",
|
||||
"opencode",
|
||||
"seccomp",
|
||||
"psql",
|
||||
"databasename",
|
||||
"helmfile",
|
||||
"gotmpl",
|
||||
"containerd",
|
||||
"letsencrypt",
|
||||
"CNCF",
|
||||
"kubespray",
|
||||
"ICAP",
|
||||
"bootstrap",
|
||||
"Bundesministerium",
|
||||
"Ceph",
|
||||
"clamav",
|
||||
"CNCF",
|
||||
"Collabora",
|
||||
"commandline",
|
||||
"configurability",
|
||||
"containerd",
|
||||
"Coturn",
|
||||
"Minio",
|
||||
"Kyverno",
|
||||
"Otterize",
|
||||
"IBAC",
|
||||
"pubkeys",
|
||||
"Grundschutz",
|
||||
"Kubescape",
|
||||
"Gitflow",
|
||||
"hadolint",
|
||||
"cryptpad",
|
||||
"databasename",
|
||||
"Digitale",
|
||||
"DMARC",
|
||||
"explorative",
|
||||
"Filepicker",
|
||||
"filestore",
|
||||
"Gitflow",
|
||||
"gotmpl",
|
||||
"Grundschutz",
|
||||
"hadolint",
|
||||
"Heimat",
|
||||
"helmfile",
|
||||
"helmfiles",
|
||||
"homeserver",
|
||||
"IBAC",
|
||||
"ICAP",
|
||||
"IMAPS",
|
||||
"Innern",
|
||||
"Jitsi",
|
||||
"kcadmin",
|
||||
"Keycloak",
|
||||
"Kubescape",
|
||||
"kubespray",
|
||||
"Kyverno",
|
||||
"letsencrypt",
|
||||
"localpart",
|
||||
"Minio",
|
||||
"NATS",
|
||||
"Nextcloud",
|
||||
"nindent",
|
||||
"Nordeck",
|
||||
"Nubus",
|
||||
"Souveräne",
|
||||
"Arbeitsplatz",
|
||||
"commandline",
|
||||
"helmfiles",
|
||||
"SMTPS",
|
||||
"IMAPS",
|
||||
"xwiki",
|
||||
"cryptpad",
|
||||
"clamav",
|
||||
"templating",
|
||||
"localpart",
|
||||
"Addressbooks",
|
||||
"filestore",
|
||||
"trashbin",
|
||||
"bootstrap",
|
||||
"configurability",
|
||||
"Öffentlichen",
|
||||
"OIDC",
|
||||
"opencode",
|
||||
"openDesk",
|
||||
"OpenProject",
|
||||
"Otterize",
|
||||
"Projektgruppe",
|
||||
"psql",
|
||||
"pubkeys",
|
||||
"RDBMS",
|
||||
"seccomp",
|
||||
"selfsigned",
|
||||
"truststore"
|
||||
"slapadd",
|
||||
"slapcat",
|
||||
"SMTPS",
|
||||
"Souveräne",
|
||||
"Souveränität",
|
||||
"templating",
|
||||
"trashbin",
|
||||
"truststore",
|
||||
"Univention",
|
||||
"Velero",
|
||||
"Verwaltung",
|
||||
"Videokonferenz",
|
||||
"Weboffice",
|
||||
"Xchange",
|
||||
"xwiki",
|
||||
"Zentrum",
|
||||
"analysed"
|
||||
],
|
||||
"ignoreWords": [],
|
||||
"import": []
|
||||
|
||||
@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
<h1>Architecture</h1>
|
||||
|
||||
<!-- TOC -->
|
||||
* [Overview](#overview)
|
||||
* [Nubus (IAM)](#nubus-iam)
|
||||
* [Authentication](#authentication)
|
||||
@@ -23,6 +24,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [Central Contacts](#central-contacts)
|
||||
* [Central Navigation](#central-navigation)
|
||||
* [Filepicker](#filepicker)
|
||||
* [Newsfeed](#newsfeed)
|
||||
* [(OpenProject) File Store](#openproject-file-store)
|
||||
* [Applications vs. Services](#applications-vs-services)
|
||||
* [Collabora (Office)](#collabora-office)
|
||||
@@ -36,6 +38,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [XWiki (Knowledge management)](#xwiki-knowledge-management)
|
||||
* [Application specific user accounts](#application-specific-user-accounts)
|
||||
* [Footnotes](#footnotes)
|
||||
<!-- TOC -->
|
||||
|
||||
openDesk is designed as a [Kubernetes](https://kubernetes.io) deployment.
|
||||
|
||||
@@ -234,7 +237,7 @@ The [OX SOAP API](https://oxpedia.org/wiki/index.php?title=Open-Xchange_Provisio
|
||||
- (Managed) Resources
|
||||
- Users
|
||||
|
||||
To find out more, see [Roles & Permissions](roles-and-permissions.md).
|
||||
To find out more, see [Roles & Permissions](permissions.md).
|
||||
|
||||
## SCIM
|
||||
|
||||
@@ -256,6 +259,7 @@ flowchart TD
|
||||
Intercom_Service-->|Silent Login, Token Exchange|IdP
|
||||
Intercom_Service-->|Filepicker|Nextcloud
|
||||
Intercom_Service-->|Central Navigations|Portal
|
||||
Intercom_Service-->|Newsfeed|XWiki
|
||||
OX-AppSuite_Backend-->|Filepicker|Nextcloud
|
||||
OX-AppSuite_Backend-->|Videoconferences|Element
|
||||
Nextcloud-->|Central Navigation|Portal
|
||||
@@ -264,6 +268,7 @@ flowchart TD
|
||||
XWiki-->|Central Navigation|Portal
|
||||
Nextcloud-->|Central Contacts|OX-AppSuite_Backend
|
||||
OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend
|
||||
Portal-->|Newsfeed|Intercom_Service
|
||||
```
|
||||
|
||||
Details can be found in the upstream documentation that is linked in the respective sections.
|
||||
@@ -325,6 +330,14 @@ when adding a file to an email or storing a file into Nextcloud to avoid passing
|
||||
**Links**
|
||||
- [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation).
|
||||
|
||||
## Newsfeed
|
||||
|
||||
The portal renders a newsfeed based on entries of a predefined openDesk blog in XWiki. It accesses the required XWiki
|
||||
service through the Intercom Service's `/wiki` endpoint, in combination with the previously described silent login.
|
||||
|
||||
**Links:**
|
||||
- [XWiki Blog feature](https://extensions.xwiki.org/xwiki/bin/view/Extension/Blog%20Application)
|
||||
|
||||
## (OpenProject) File Store
|
||||
|
||||
While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are
|
||||
|
||||
@@ -51,6 +51,10 @@ This chapter presents APIs available in openDesk grouped by applications.
|
||||
* [Matrix Server-Server API](#matrix-server-server-api)
|
||||
* [Matrix Push Gateway API](#matrix-push-gateway-api)
|
||||
* [Matrix Identity Service API](#matrix-identity-service-api)
|
||||
* [Matrix React SDK Module API](#matrix-react-sdk-module-api)
|
||||
* [Matrix Widget API](#matrix-widget-api)
|
||||
* [NeoBoard Data Model API](#neoboard-data-model-api)
|
||||
* [NeoDateFix REST API](#neodatefix-rest-api)
|
||||
* [Knowledge management - XWiki](#knowledge-management---xwiki)
|
||||
* [REST API](#rest-api-1)
|
||||
* [Scripting API](#scripting-api)
|
||||
@@ -647,7 +651,56 @@ Following are APIs used by the Project management application:
|
||||
|
||||
While Jitsi is available as standalone videoconferencing in openDesk, it is also used in [Element as videoconferencing backend](https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md).
|
||||
|
||||
|
||||
```mermaid
|
||||
---
|
||||
config:
|
||||
class:
|
||||
hideEmptyMembersBox: true
|
||||
---
|
||||
classDiagram
|
||||
class CommunicationService["Communication Service"] {
|
||||
<<interface>>
|
||||
}
|
||||
|
||||
class MxChat["Element Matrix Chat"] {
|
||||
<<interface>>
|
||||
}
|
||||
class JitsiVideoConference["Jitsi Video Conference"] {
|
||||
<<interface>>
|
||||
}
|
||||
|
||||
CommunicationService <|.. MxChat
|
||||
CommunicationService <|.. JitsiVideoConference
|
||||
MxChat <-- JitsiVideoConference
|
||||
|
||||
class MxAppServiceApi["Matrix Application Service API"]
|
||||
class MxClientServerApi["Matrix Client Server API"]
|
||||
class MxServerServerApi["Matrix Server Server API"]
|
||||
class MxPushGatewayApi["Matrix Push Gateway API"]
|
||||
class MxIdentityServiceApi["Matrix Identity Service API"]
|
||||
class MxRtc["Matrix RTC"]
|
||||
class MxElementWebModuleApi["Matrix React SDK Module API"]
|
||||
class MxWidgetApi["Matrix Widget API"]
|
||||
class NeoBoardDataModelApi["NeoBoard Data Model API"]
|
||||
class NeoDateFixRestApi["NeoDateFix REST API"]
|
||||
|
||||
MxChat *-- MxAppServiceApi
|
||||
MxChat *-- MxClientServerApi
|
||||
MxChat *-- MxServerServerApi
|
||||
MxChat *-- MxPushGatewayApi
|
||||
MxChat *-- MxIdentityServiceApi
|
||||
MxChat *-- MxRtc
|
||||
MxChat *-- MxElementWebModuleApi
|
||||
MxChat *-- MxWidgetApi
|
||||
|
||||
class JitsiIframeApi["Jitsi iFrame API"]
|
||||
class JitsiMeetApi["Jitsi Meet API"]
|
||||
class JitsiMeetReactSdk["Jitsi Meet React SDK"]
|
||||
|
||||
JitsiVideoConference *-- JitsiIframeApi
|
||||
JitsiVideoConference *-- JitsiMeetApi
|
||||
JitsiVideoConference *-- JitsiMeetReactSdk
|
||||
```
|
||||
|
||||
Following are APIs used by the Chat application:
|
||||
|
||||
@@ -741,6 +794,74 @@ Following are APIs used by the Chat application:
|
||||
| Supported standards | [Matrix](https://spec.matrix.org/latest/identity-service-api/) |
|
||||
| Documentation | [Synapse](https://element-hq.github.io/synapse/latest/) is the reference implementation of the Matrix protocol, see standard for API details |
|
||||
|
||||
## Matrix React SDK Module API
|
||||
|
||||
| Name | Matrix React SDK Module API |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | The module system in Element Web is a way to add or modify functionality of Element Web itself, bundled at compile time for the app. |
|
||||
| Versioning | [Releases in the Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api/releases); [Dependency in `package.json` in Element (Chat Web-UI)](https://github.com/element-hq/element-web/blob/develop/package.json) |
|
||||
| Authentication | n/a - used as a library |
|
||||
| In openDesk provided by | Element (Chat Web-UI) |
|
||||
| Transport protocol | n/a - used as a library |
|
||||
| Usage within component | [Element (Chat-Web-UI) Modules](https://github.com/nordeck/element-web-modules/) |
|
||||
| Usage within openDesk | none |
|
||||
| Usage for external integration | n/a - uses as a library |
|
||||
| Parallel access | Allowed |
|
||||
| Message protocol | n/a - used as a library |
|
||||
| Supported standards | n/a - Element (Chat Web-UI) specific |
|
||||
| Documentation | [Element (Chat Web-UI) Documentation](https://github.com/element-hq/element-web/blob/develop/docs/modules.md); [matrix-react-sdk-module-api Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api) |
|
||||
|
||||
## Matrix Widget API
|
||||
|
||||
| Name | Matrix Widget API |
|
||||
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | Matrix Widgets are HTML and Javascript content / applications that can be embedded within, and communicate with Matrix clients. |
|
||||
| Versioning | n/a |
|
||||
| Authentication | Widgets request capabilities. They must be confirmed by a user or by the [Widget Lifecycle Module](https://github.com/nordeck/element-web-modules/blob/main/packages/element-web-widget-lifecycle-module/README.md). |
|
||||
| In openDesk provided by | Element (Chat Web-UI) |
|
||||
| Transport protocol | [HTML window.postMessage API](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) |
|
||||
| Usage within component | [NeoDateFix](https://github.com/nordeck/matrix-meetings/), [NeoBoard](https://github.com/nordeck/matrix-neoboard), [NeoChoice](https://github.com/nordeck/matrix-poll) |
|
||||
| Usage within openDesk | none |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | Allowed |
|
||||
| Message protocol | JSON |
|
||||
| Supported standards | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764) |
|
||||
| Documentation | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764) |
|
||||
|
||||
## NeoBoard Data Model API
|
||||
|
||||
| Name | NeoBoard Data Model API |
|
||||
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | The NeoBoard data model can be used to generate whiteboard documents. |
|
||||
| Versioning | `version` field in the [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/blob/main/docs/model/export-format.md#fields) |
|
||||
| Authentication | n/a |
|
||||
| In openDesk provided by | [NeoBoard](https://github.com/nordeck/matrix-neoboard) |
|
||||
| Transport protocol | n/a |
|
||||
| Usage within component | [NeoBoard](https://github.com/nordeck/matrix-neoboard) |
|
||||
| Usage within openDesk | none |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | n/a |
|
||||
| Message protocol | JSON |
|
||||
| Supported standards | n/a |
|
||||
| Documentation | [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/tree/main/docs/model) |
|
||||
|
||||
## NeoDateFix REST API
|
||||
|
||||
| Name | NeoDateFix REST API |
|
||||
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | Can be used to query and set up NeoDateFix Matrix meetings. |
|
||||
| Versioning | Path segment in the [Meetings Bot API](https://github.com/nordeck/matrix-meetings/blob/main/docs/data-model.md#http-api) |
|
||||
| Authentication | n/a |
|
||||
| In openDesk provided by | [NeoDateFix](https://github.com/nordeck/matrix-meetings) |
|
||||
| Transport protocol | HTTP(S) |
|
||||
| Usage within component | [NeoDateFix](https://github.com/nordeck/matrix-meetings) |
|
||||
| Usage within openDesk | Used by OX to sync calendar entries to NeoDateFix |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | n/a |
|
||||
| Message protocol | JSON |
|
||||
| Supported standards | n/a |
|
||||
| Documentation | [NeoDateFix ADR001](https://github.com/nordeck/matrix-meetings/blob/main/docs/adrs/adr001-use-the-widget-api-to-interact-with-the-meetings-bot.md) |
|
||||
|
||||
# Knowledge management - XWiki
|
||||
|
||||
Following are APIs used by the Knowledge management application:
|
||||
@@ -804,7 +925,7 @@ Following are APIs used by the Knowledge management application:
|
||||
|
||||
## JavaScript API
|
||||
|
||||
| Name | Javascript API |
|
||||
| Name | JavaScript API |
|
||||
| ------------------------------ | -------------------------------------------------------------------------------------------- |
|
||||
| Purpose | Include dynamic components in XWiki/web pages |
|
||||
| Versioning | |
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 28 KiB |
117
docs/data-storage.md
Normal file
117
docs/data-storage.md
Normal file
@@ -0,0 +1,117 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Application Data Storages</h1>
|
||||
|
||||
To provide a feasible backup and restore concept, a thorough overview of all openDesk
|
||||
applications and their related data storages (ephemeral & persistent) is provided in the
|
||||
following subsection.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Overview](#overview)
|
||||
* [Details](#details)
|
||||
<!-- TOC -->
|
||||
|
||||
# Overview
|
||||
|
||||
The provided diagram shows all relevant openDesk applications on the left and
|
||||
their utilized data storages on the right. For more detailed information about each
|
||||
application refer to the table show in Section [Details](#details)
|
||||
|
||||
```mermaid
|
||||
---
|
||||
config:
|
||||
sankey:
|
||||
showValues: false
|
||||
linkColor: target
|
||||
---
|
||||
sankey-beta
|
||||
|
||||
ClamAV,PersistentVolume,1
|
||||
|
||||
Dovecot,PersistentVolume,1
|
||||
|
||||
Element/Synapse,PostgreSQL,1
|
||||
Element/Synapse,PersistentVolume,1
|
||||
|
||||
Intercom-Service,Redis,1
|
||||
|
||||
Jitsi,PersistentVolume,1
|
||||
|
||||
Nextcloud,MariaDB,1
|
||||
Nextcloud,S3,1
|
||||
Nextcloud,Redis,1
|
||||
|
||||
Nubus,PostgreSQL,1
|
||||
Nubus,S3,1
|
||||
Nubus,PersistentVolume,1
|
||||
Nubus,Memcached,1
|
||||
|
||||
OpenProject,PostgreSQL,1
|
||||
OpenProject,S3,1
|
||||
OpenProject,PersistentVolume,1
|
||||
OpenProject,Memcached,1
|
||||
|
||||
Open-Xchange,MariaDB,1
|
||||
Open-Xchange,PersistentVolume,1
|
||||
Open-Xchange,Redis,1
|
||||
|
||||
Postfix,PersistentVolume,1
|
||||
|
||||
XWiki,MariaDB,1
|
||||
XWiki,PersistentVolume,1
|
||||
```
|
||||
|
||||
# Details
|
||||
|
||||
| Application | Data Storage | Backup | Content | Identifier | Details |
|
||||
| -------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------ | ---------------------------------------------- | ----------------------------------------------------- |
|
||||
| **ClamAV** | PVC | No | ClamAV Database | `clamav-database-clamav-simple-0` | `/var/lib/clamav` |
|
||||
| **Dovecot** | PVC | Yes | User mail directories (openDesk CE only, openDesk EE uses Dovecot Pro with Object Storage) | `dovecot` | `/srv/mail` |
|
||||
| **Element/Synapse** | PostgreSQL | Yes | Application's main database | `matrix` | |
|
||||
| | PVC | Yes | Attachments | `media-opendesk-synapse-0` | `/media` |
|
||||
| | | Yes | Sync and state data | `matrix-neodatefix-bot` | `/app/storage` |
|
||||
| **Intercom-Service** | Redis | No | Shared session data | | |
|
||||
| **Jitsi** | PVC | Optional | Meeting recordings (feature not enabled in openDesk) | `prosody-data-jitsi-prosody-0` | `/config/data` |
|
||||
| **Nextcloud** | MariaDB | Yes | Application's main database Meta-Data | `nextcloud` | |
|
||||
| | S3 | Yes | The Nextcloud managed user files | `nextcloud` | |
|
||||
| | Redis | No | Distributed caching, as well as transactional file locking | | |
|
||||
| **Nubus** | PostgreSQL | Yes | Main database for Nubus' IdP Keycloak | `keycloak` | |
|
||||
| | | Yes | Login actions and device-fingerprints | `keycloak_extensions` | |
|
||||
| | | Optional | Store of the temporary password reset token | `selfservice` | |
|
||||
| | | No | Notification features are not used in openDesk 1.1 | `notificationsapi` | |
|
||||
| | | No | Guardian features are currently not used in openDesk 1.1 | `guardianmanagementapi` | |
|
||||
| | S3 | No | Static files for Portal | `ums` | |
|
||||
| | PVC | Yes | openLDAP database (primary R/W Pods), when restore select the one from the leader | `shared-data-ums-ldap-server-primary-0` | `/var/lib/univention-ldap` |
|
||||
| | | Yes | openLDAP process data | `shared-run-ums-ldap-server-primary-0` | `/var/run/slapd` |
|
||||
| | | No | openLDAP database (secondary R/O Pods), secondaries can sync from the primary | `shared-data-ums-ldap-server-secondary-0` | `/var/lib/univention-ldap` |
|
||||
| | | No | openLDAP process data | `shared-run-ums-ldap-server-secondary-0` | `/var/run/slapd` |
|
||||
| | | Yes | The state of the listener | `data-ums-provisioning-listener-0` | `/var/log/univention` and two others |
|
||||
| | | No | Cache | `group-membership-cache-ums-portal-consumer-0` | `/usr/share/univention-group-membership-cache/caches` |
|
||||
| | | Yes | Queued provisioning objects | `nats-data-ums-provisioning-nats-0` | `/data` |
|
||||
| | Memcached | No | Cache for UMC Server | | |
|
||||
| **OpenProject** | PostgreSQL | Yes | Application's main database | `openproject` | |
|
||||
| | S3 | Yes | Attachments, custom styles | `openproject` | |
|
||||
| | Memcached | No | Cache | | |
|
||||
| | PVC | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject-<web/worker>-*-tmp` | `/tmp` |
|
||||
| | | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject-<web/worker>-app-*-tmp` | `/app/tmp` |
|
||||
| **Open-Xchange** | MariaDB | Yes | Application's control database to coordiate dynamically created ones | `configdb` | |
|
||||
| | | Yes | Dynamically creates databases of schema `PRIMARYDB_n`containing multiple contexts | `PRIMARYDB_*` | |
|
||||
| | | Yes | OX Guard related settings | `oxguard*` | |
|
||||
| | Redis | Optional | Cache, session related data, distributed maps | | |
|
||||
| | PVC | Yes | OX-Connector: OXAPI access details | `ox-connector-appcenter-ox-connector-0` | `/var/lib/univention-appcenter/apps/ox-connector` |
|
||||
| | | Yes | OX-Connector: Application's meta data | `ox-connector-ox-contexts-ox-connector-0` | `/etc/ox-secrets` |
|
||||
| **Postfix** | PVC | Yes | Mail spool | `postfix` | `/var/spool/postfix` |
|
||||
| **XWiki** | Database | Yes | Application's main database | `xwiki` | |
|
||||
| | PVC | Yes | Attachments | `xwiki-data-xwiki-0` | `/usr/local/xwiki/data` |
|
||||
|
||||
Additionally, the following persistent volumes are mounted by pods that serve as a data storage for the applications mentioned above.
|
||||
|
||||
| Service | Pod | Volume Name | PVC | MountPath |
|
||||
| ---------- | ---------------- | ------------ | --------------------------- | --------------------- |
|
||||
| MariaDB | `mariadb-*` | `data` | `data-mariadb-0` | `/var/lib/mysql` |
|
||||
| MinIO | `minio-*-*` | `data` | `minio` | `/bitnami/minio/data` |
|
||||
| PostgreSQL | `postgresql-*` | `data` | `data-postgresql-0` | `/mnt/postgresql` |
|
||||
| Redis | `redis-master-*` | `redis-data` | `redis-data-redis-master-0` | `/data` |
|
||||
@@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
|
||||
* [Temporary/ephemeral containers](#temporaryephemeral-containers)
|
||||
* [Components](#components)
|
||||
* [Helmfile](#helmfile)
|
||||
* [MariaDB](#mariadb)
|
||||
* [Nextcloud](#nextcloud)
|
||||
* [OpenProject](#openproject)
|
||||
@@ -29,7 +30,7 @@ We for sure do not want to reinvent the wheel, so we might link to external sour
|
||||
information where available.
|
||||
|
||||
> **Warning**<br>
|
||||
> You should never enable the debug option in production environments! By looking up `debug.enable` in the deployment, you
|
||||
> You should never enable the debug option in production environments! By looking up `debug.enabled` in the deployment, you
|
||||
will find the various places changes are applied when enabling debugging. So, outside of development and test
|
||||
environments, you should use them thoughtfully and carefully if needed.
|
||||
|
||||
@@ -38,7 +39,7 @@ environments, you should use them thoughtfully and carefully if needed.
|
||||
Check the openDesk [`debug.yaml.gotmpl`](../helmfile/environments/default/debug.yaml.gotmpl) and set for your deployment
|
||||
```
|
||||
debug:
|
||||
enable: true
|
||||
enabled: true
|
||||
```
|
||||
|
||||
This will result in:
|
||||
@@ -142,6 +143,15 @@ kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
|
||||
|
||||
# Components
|
||||
|
||||
## Helmfile
|
||||
|
||||
When refactoring the Helmfile structure you want to ensure that there are not unintended mistakes by e.g. `diff`
|
||||
comparing the output of Helmfile from before and after the change by calling:
|
||||
|
||||
```shell
|
||||
helmfile template -e dev >output_to_compare.yaml
|
||||
```
|
||||
|
||||
## MariaDB
|
||||
|
||||
When using the openDesk bundled MariaDB, you can explore the database(s) using the MariaDB interactive terminal from the Pod's command line: `mariadb -u root -p`. On the password prompt, provide the value for `MARIADB_ROOT_PASSWORD` found in the Pod's environment.
|
||||
|
||||
@@ -44,6 +44,10 @@ References:
|
||||
|
||||
Afterwards, you can use the resulting manifests within an standard Argo CD workflow.
|
||||
|
||||
> **Note**<br>
|
||||
> When creating the Argo CD application based on the resulting manifests you must not use the `Automated Sync Policy`
|
||||
> offered by Argo CD, as you have to manually ensure the applications are updated in the required sequence.
|
||||
|
||||
## Option 2: Helmfile plugin
|
||||
|
||||
It is possible to deploy openDesk via Argo CD with community developed
|
||||
@@ -52,4 +56,5 @@ It is possible to deploy openDesk via Argo CD with community developed
|
||||
You can find an example for this approach in the
|
||||
[Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository.
|
||||
It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`)
|
||||
according to `app of apps pattern` and is using sync waves to follow dependencies.
|
||||
according to `app of apps pattern` and is using sync waves to ensure to required deployment and update sequence
|
||||
for openDesk is met.
|
||||
|
||||
@@ -41,7 +41,7 @@ deploy openDesk onto your Kubernetes infrastructure.
|
||||
|
||||
# Requirements
|
||||
|
||||
Detailed system requirements are covered on the [requirements](requirements.md) page.
|
||||
Detailed system requirements are covered on the [requirements](./docs/requirements.md) page.
|
||||
|
||||
# Customize environment
|
||||
|
||||
@@ -49,7 +49,7 @@ Before deploying openDesk, you must configure the deployment to fit your environ
|
||||
To keep your deployment up to date, we recommend customizing in `dev`, `test`, or `prod` and not in `default` environment
|
||||
files.
|
||||
|
||||
> All configuration options and their default values can be found in files at `helmfile/environments/default/`
|
||||
> All configuration options and their default values can be found in files at [`helmfile/environments/default/`](../helmfile/environments/default/)
|
||||
|
||||
For the following guide, we will use `dev` as environment where variables can be set in
|
||||
`helmfile/environments/dev/values.yaml.gotmpl`.
|
||||
@@ -141,7 +141,7 @@ like Docker Hub.
|
||||
Doing a test deployment will be fine with this setup. In case you want to deploy multiple times a day
|
||||
and fetch from the same IP address, you might run into rate limits at Docker Hub. In that case and in cases you
|
||||
prefer the use of a private image registry, you can configure such for
|
||||
[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
|
||||
[your target environment](../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
|
||||
- `global.imageRegistry` for a private image registry and
|
||||
- `global.helmRegistry` for a private Helm chart registry.
|
||||
|
||||
@@ -221,7 +221,7 @@ cluster:
|
||||
|
||||
By default, the `ingressClassName` is empty to select your default ingress controller. You may want to customize it by
|
||||
setting the following attribute to the name of the currently only supported ingress controller `ingress-nginx` (see
|
||||
[requirements.md](./requirements.md)) for reference) within your deployment if that is not the cluster's default ingress.
|
||||
[requirements.md](requirements.md)) for reference) within your deployment if that is not the cluster's default ingress.
|
||||
|
||||
```yaml
|
||||
ingress:
|
||||
|
||||
@@ -7,10 +7,14 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
<!-- TOC -->
|
||||
* [Disclaimer](#disclaimer)
|
||||
* [openDesk supported upgrade path](#opendesk-supported-upgrade-path)
|
||||
* [Releases upgrade details](#releases-upgrade-details)
|
||||
* [From v1.0.0](#from-v100)
|
||||
* [Pre-upgrade: Manual checks/steps](#pre-upgrade-manual-checkssteps)
|
||||
* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
|
||||
* [Manual update steps](#manual-update-steps)
|
||||
* [From v1.1.0: Manual checks/steps](#from-v110-manual-checkssteps)
|
||||
* [Pre-upgrade](#pre-upgrade)
|
||||
* [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
|
||||
* [From v1.0.0: Manual checks/steps](#from-v100-manual-checkssteps)
|
||||
* [Pre-upgrade](#pre-upgrade-1)
|
||||
* [Helmfile Cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
|
||||
* [Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
|
||||
* [Helmfile Cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
|
||||
* [Helmfile Cleanup: Helmfile Cleanup: Splitting external vs. openDesk services](#helmfile-cleanup-helmfile-cleanup-splitting-external-vs-opendesk-services)
|
||||
@@ -19,59 +23,81 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
|
||||
* [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
|
||||
* [External requirements: Redis 7.4](#external-requirements-redis-74)
|
||||
* [From v0.9.0](#from-v090)
|
||||
* [From v0.9.0: Manual checks/steps](#from-v090-manual-checkssteps)
|
||||
* [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
|
||||
* [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
|
||||
* [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
|
||||
* [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
|
||||
* [Changed openDesk defaults: Matrix ID](#changed-opendesk-defaults-matrix-id)
|
||||
* [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
|
||||
* [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
|
||||
* [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
|
||||
* [Automated migrations](#automated-migrations)
|
||||
* [Post-upgrade: Manual steps](#post-upgrade-manual-steps)
|
||||
* [Post-upgrade](#post-upgrade)
|
||||
* [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
|
||||
* [Optional Cleanup](#optional-cleanup)
|
||||
* [From v0.8.1](#from-v081)
|
||||
* [From v1.1.0: Manual checks/steps](#from-v110-manual-checkssteps-1)
|
||||
* [Pre-upgrade](#pre-upgrade-2)
|
||||
* [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
|
||||
* [Updated customizable template attributes](#updated-customizable-template-attributes)
|
||||
* [`migrations` S3 bucket](#migrations-s3-bucket)
|
||||
* [Automated migrations - Details](#automated-migrations---details)
|
||||
* [From v1.1.0: Automated migrations](#from-v110-automated-migrations)
|
||||
* [From v0.9.0: Automated migrations](#from-v090-automated-migrations)
|
||||
* [Related components and artifacts](#related-components-and-artifacts)
|
||||
* [Development](#development)
|
||||
<!-- TOC -->
|
||||
|
||||
# Disclaimer
|
||||
|
||||
With openDesk 1.0, we aim to offer hassle-free updates/upgrades.
|
||||
Starting with openDesk 1.0, we aim to offer hassle-free updates/upgrades.
|
||||
|
||||
But openDesk requires a defined upgrade path that is described in the section [openDesk supported upgrade path](#opendesk-supported-upgrade-path).
|
||||
Therefore openDesk contains automated migrations between versions to lower the requirements for manual interaction. These automated migrations can have limitations in the way that they need a certain openDesk version to be installed causing a mandatory upgrade path that is described in the section [Automated migrations](#automated-migrations).
|
||||
|
||||
Some upgrades even require manual interaction, which are referenced in the aforementioned section and described further down this document.
|
||||
Manual checks and possible activities are also required by openDesk updates, they are described in the section [Manual update steps](#manual-update-steps).
|
||||
|
||||
> **Known limitations:**<br>
|
||||
> **Note**<br>
|
||||
> Please be sure you read / follow the requirements before you update / upgrade thoroughly.
|
||||
|
||||
> **Known limitations**<br>
|
||||
> We assume that the PV reclaim policy is set to `delete`, resulting in PVs getting deleted as soon as the related PVC was deleted; we will not address explicit deletion for PVs.
|
||||
|
||||
# openDesk supported upgrade path
|
||||
# Automated migrations - Overview and mandatory upgrade path
|
||||
|
||||
When updating your openDesk installation you have to install the releases listed below in the sequential order from
|
||||
the lowest version number you are already on to the more current version you are looking to install.
|
||||
The following table gives an overview of the mandatory upgrade path of openDesk for the automated migrations to work as expected.
|
||||
|
||||
Explanation of the table's columns:
|
||||
- *Coming from*: Check the column for the release you are currently on.
|
||||
- *Mandatory release*: Defines which release(s) support the upgrade from your currently installed version.
|
||||
- *Automatic migration*: Summary of, or link to openDesk's automatic migration details.
|
||||
- *Manual activities*: Reference to required manual steps to upgrade your openDesk installation to the *Mandatory release*.
|
||||
To upgrade existing deployments, you cannot skip any version mentioned in the column *Mandatory version*. When a version number is not fully defined (e.g. `v1.1.x`), you can install any version matching the given schema.
|
||||
|
||||
| Coming from | Mandatory (minimum) release | Automatic migration | Manual activities |
|
||||
| ------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
|
||||
| v0.9.0 | v1.x.x | [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py) | See [From v0.9.0](#from-v090) |
|
||||
| v0.8.1 | v0.9.0 | Initializes migration system | See [From v0.8.1](#from-v081) |
|
||||
| not supported | v0.8.1 | First release that supporting updates | |
|
||||
| Mandatory version |
|
||||
| ----------------- |
|
||||
| v1.1.x |
|
||||
| v1.0.0 |
|
||||
| v0.9.0 |
|
||||
| v0.8.1 |
|
||||
|
||||
# Releases upgrade details
|
||||
> **Note**<br>
|
||||
> Be sure you check out the table in the release version you are going to install, an not the one that is currently installed.
|
||||
|
||||
## From v1.0.0
|
||||
When interested in more details about the automated migrations, please read section [Automated migrations - Details](#automated-migrations---details).
|
||||
|
||||
### Pre-upgrade: Manual checks/steps
|
||||
# Manual update steps
|
||||
|
||||
Be sure you check all the sections for the releases your are going to update your current deployment from.
|
||||
|
||||
## From v1.1.0: Manual checks/steps
|
||||
|
||||
### Pre-upgrade
|
||||
|
||||
#### Helmfile new secret: `secrets.nubus.masterpassword`
|
||||
|
||||
A not yet templated secret was discovered in the Nubus deployment that is now defined in [`secrets.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl) with the key `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the value of the `MASTER_PASSWORD` environment variable used in your deployment.
|
||||
|
||||
## From v1.0.0: Manual checks/steps
|
||||
|
||||
### Pre-upgrade
|
||||
|
||||
#### Helmfile Cleanup: Restructured `/helmfile/files/theme` folder
|
||||
|
||||
If you make use of the [theme folder](../helmfile/files/theme/) or the [`theme.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl), e.g. to applying your own imagery, please ensure you adhere to the new structure of the folder and the yaml-file.
|
||||
|
||||
#### Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`
|
||||
|
||||
@@ -228,7 +254,7 @@ The update from openDesk 1.0.0 contains Redis 7.4.1, like the other openDesk bun
|
||||
|
||||
Please ensure for the Redis you are using that it is updated to at least 7.4 to support the requirement of OX App Suite.
|
||||
|
||||
## From v0.9.0
|
||||
## From v0.9.0: Manual checks/steps
|
||||
|
||||
### Pre-upgrade: Manual steps
|
||||
|
||||
@@ -272,6 +298,19 @@ global:
|
||||
- "external-registry"
|
||||
```
|
||||
|
||||
#### Changed openDesk defaults: Matrix presence status disabled
|
||||
|
||||
Show other user's Matrix presence status is now disabled by default to comply with data protection requirements.
|
||||
|
||||
To enable it or keep the v0.9.0 default please set:
|
||||
|
||||
```yaml
|
||||
functional:
|
||||
dataProtection:
|
||||
matrixPresence:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
#### Changed openDesk defaults: Matrix ID
|
||||
|
||||
Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's Matrix ID. Due to restrictions on the
|
||||
@@ -401,15 +440,7 @@ The IAMs admin account `Administrator` is a member of this group by default, but
|
||||
|
||||
If you need other accounts to use the API, please assign them to the aforementioned group.
|
||||
|
||||
### Automated migrations
|
||||
|
||||
The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
|
||||
|
||||
The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
|
||||
|
||||
The actual actions are described as code comments in the related run module [`run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py).
|
||||
|
||||
### Post-upgrade: Manual steps
|
||||
### Post-upgrade
|
||||
|
||||
#### Configuration Improvement: Separate user permission for using Video Conference component
|
||||
|
||||
@@ -439,14 +470,16 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
|
||||
kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
|
||||
```
|
||||
|
||||
## From v0.8.1
|
||||
## From v1.1.0: Manual checks/steps
|
||||
|
||||
### Updated `cluster.networking.cidr`
|
||||
### Pre-upgrade
|
||||
|
||||
#### Updated `cluster.networking.cidr`
|
||||
|
||||
- Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1); please update your setup accordingly if you explicitly set this value.
|
||||
- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
|
||||
|
||||
### Updated customizable template attributes
|
||||
#### Updated customizable template attributes
|
||||
|
||||
- Action: Please update your custom deployment values according to the updated default value structure.
|
||||
- References:
|
||||
@@ -455,12 +488,34 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
|
||||
- `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
|
||||
- `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
|
||||
|
||||
### `migrations` S3 bucket
|
||||
#### `migrations` S3 bucket
|
||||
|
||||
- Action: For self-managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
|
||||
- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
|
||||
|
||||
# Related components and artifacts
|
||||
# Automated migrations - Details
|
||||
|
||||
## From v1.1.0: Automated migrations
|
||||
|
||||
With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
|
||||
|
||||
openDesk's automated migrations takes care of this upgrade requirement described here for
|
||||
[Nubus 1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.5.1/en/changelog.html#migrate-existing-ldap-server-to-mirror-mode-readiness),
|
||||
creating the config map with the mentioned label.
|
||||
|
||||
> **Note**<br>
|
||||
> Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
|
||||
|
||||
## From v0.9.0: Automated migrations
|
||||
|
||||
The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
|
||||
|
||||
The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
|
||||
|
||||
> **Note**<br>
|
||||
> Details can be found in [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
|
||||
|
||||
## Related components and artifacts
|
||||
|
||||
openDesk comes with two upgrade steps as part of the deployment; they can be found in the folder [/helmfile/apps](../helmfile/apps/) as all other components:
|
||||
|
||||
|
||||
202
docs/permissions.md
Normal file
202
docs/permissions.md
Normal file
@@ -0,0 +1,202 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Roles & Permissions</h1>
|
||||
|
||||
openDesk uses role-based access control (RBAC) to manage permissions. This system ensures that users have access only to the resources necessary for their role.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Identity and Access Management (IAM)](#identity-and-access-management-iam)
|
||||
* [Permissions](#permissions)
|
||||
* [Roles](#roles)
|
||||
* [Application usage](#application-usage)
|
||||
* [Application administration](#application-administration)
|
||||
* [Groups](#groups)
|
||||
* [Global groups](#global-groups)
|
||||
* [Application groups](#application-groups)
|
||||
* [Standard access to applications](#standard-access-to-applications)
|
||||
* [Administrative access to applications](#administrative-access-to-applications)
|
||||
* [Custom groups](#custom-groups)
|
||||
* [Assigning roles/groups and permissions](#assigning-rolesgroups-and-permissions)
|
||||
* [Predefined roles / user templates](#predefined-roles--user-templates)
|
||||
* [*openDesk User*](#opendesk-user)
|
||||
* [*openDesk Administrator*](#opendesk-administrator)
|
||||
* [Managing permissions](#managing-permissions)
|
||||
* [Hierarchies and delegation](#hierarchies-and-delegation)
|
||||
* [Audit/Logging](#auditlogging)
|
||||
* [Reporting](#reporting)
|
||||
* [Delegation](#delegation)
|
||||
* [Regular review](#regular-review)
|
||||
* [Applications](#applications)
|
||||
* [Roles/groups](#rolesgroups)
|
||||
<!-- TOC -->
|
||||
|
||||
# Identity and Access Management (IAM)
|
||||
|
||||
Within openDesk's Identity and Access Management component Nubus the openDesk user accounts are managed, as well as some core roles and permissions.
|
||||
|
||||
## Permissions
|
||||
|
||||
A permission represents a specific authorization that defines an action a user is allowed to perform on a resource.
|
||||
|
||||
As openDesk consists of multiple applications, each application may have different needs regarding its fine-grained internal permissions, usually these permissions are manged within each component.
|
||||
|
||||
The overall permissions to access the application as well as group membership of users is managed in the IAM.
|
||||
|
||||
## Roles
|
||||
|
||||
Roles are defined sets of permissions that can be assigned to users. Each role corresponds to a specific set of tasks and responsibilities within the system. In openDesk's IAM, two roles are defined by default:
|
||||
|
||||
- **openDesk Administrator**: Manages openDesk-global settings, such as users and groups.
|
||||
- **openDesk User**: Can login to openDesk to make use of defined openDesk applications.
|
||||
|
||||
> **Note**<br>
|
||||
> It is strongly recommended that a user account is not granted both roles at the same time to address the segregation of duties, though it is not enforced by openDesk.
|
||||
|
||||
### Application usage
|
||||
|
||||
To access and use applications in openDesk and to address [the principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), a user needs to have the necessary permissions set. openDesk defines the following permissions to access applications:
|
||||
|
||||
- **Groupware**: Use email, calendar and address book applications.
|
||||
- **Chat**: Use the chat application.
|
||||
- **Knowledge Management**: Use the wiki application.
|
||||
- **Project Management**: Use the project management application.
|
||||
- **File Sharing**: Use the file sharing application.
|
||||
- **Video Conference**: Use the video conferencing application.
|
||||
|
||||
### Application administration
|
||||
|
||||
For applications that provide application-specific administrative settings, openDesk defines the following permissions:
|
||||
|
||||
- **Knowledge Management Admin**: Manage the wiki application.
|
||||
- **Project Management Admin**: Manage the project management application settings.
|
||||
- **File Sharing Admin**: Manage the file sharing administrative settings.
|
||||
|
||||
## Groups
|
||||
|
||||
Groups help in clustering users with similar responsibilities and enable easier assignment of roles or permissions. It is often the case that a group maps directly to a role.
|
||||
|
||||
openDesk predefines the following groups.
|
||||
|
||||
### Global groups
|
||||
|
||||
- **Domain Users**: Members of this group are *openDesk Users*.
|
||||
- **Domain Admins**: Members of this group are *openDesk IAM Administrators*. By default this group is also enable for two-factor authentication (2FA).
|
||||
- **2fa-users**: Members of this group that are forced to use two-factor authentication (2FA).
|
||||
- **IAM API - Full Access**: Members of this group have full (read and write) access to the IAM's REST API.
|
||||
|
||||
### Application groups
|
||||
|
||||
When editing a user in the IAM you can select if a user can access or get elevated admin permission for a specific application within the "openDesk" tab. The selection is stored as an attribute on the user object, but for other applications it is helpful to also expose the information as a group membership. Therefore openDesk comes with the following [groups](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/blob/main/udm/udm-data-loader/63-groups.yaml).
|
||||
|
||||
To easily identify these groups all of them are prefixed with `managed-by-Attribute-`.
|
||||
|
||||
> **Note**<br>
|
||||
> The membership of these groups is automatically managed, based on the user's attributes from the "openDesk" tab. So any changes directly to the groups will be overwritten, please always use the "openDesk" of the respective user. The IAM supports to edit user attributes in multiple accounts at once.
|
||||
|
||||
#### Standard access to applications
|
||||
|
||||
Unless a user is member of a group the respective application is not shown in the portal.
|
||||
|
||||
> **Note**<br>
|
||||
> In openDesk's identity provider the required OIDC claims to access an application are only granted when the respective group membership is available. So even if a user who is not a member of an application group, knows the link to the application and calls it directly, the single sign-on will not be successful.
|
||||
|
||||
- **managed-by-Attribute-Groupware**: Members of this group have access to the groupware applications.
|
||||
- **managed-by-Attribute-Fileshare**: Members of this group have access to the file sharing application.
|
||||
- **managed-by-Attribute-Projectmanagement**: Members of this group have access to the project management application.
|
||||
- **managed-by-Attribute-Knowledgemanagement**: Members of this group have access to the wiki application.
|
||||
- **managed-by-Attribute-Livecollaboration**: Members of this group have access to the chat application.
|
||||
- **managed-by-Attribute-Videoconference**: Members of this group have access to the video conferencing application.
|
||||
|
||||
#### Administrative access to applications
|
||||
|
||||
Within some applications it is possible to grant users elevated permissions, these are also primarily managed by attributes from the "openDesk" tab when editing a user, but are also automatically mapped to the following groups:
|
||||
|
||||
- **managed-by-Attribute-FileshareAdmin**: Members of this group can administrate the file sharing application.
|
||||
- **managed-by-Attribute-ProjectmanagementAdmin**: Members of this group can administrate the project management application.
|
||||
- **managed-by-Attribute-KnowledgemanagementAdmin**: Members of this group can administrate the wiki application.
|
||||
|
||||
### Custom groups
|
||||
|
||||
While openDesk ships with predefined groups, additional groups can be [created](https://docs.opendesk.eu/administration/gruppen/) by an *IAM Administrator*.
|
||||
|
||||
## Assigning roles/groups and permissions
|
||||
|
||||
Users get roles assigned based on their responsibilities and the tasks they need to perform. This assignment can be done by an admin through the [administration portal](https://docs.opendesk.eu/administration/).
|
||||
|
||||
## Predefined roles / user templates
|
||||
|
||||
openDesk defines [templates](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/blob/main/udm/udm-data-loader/65-usertemplate.yaml) for the *User* and *Administrator* roles. The templates can be used to create users with these roles by an *openDesk Administrator* using the [administration portal](https://docs.opendesk.eu/administration/).
|
||||
|
||||
> **Notes**<br>
|
||||
> Additional/custom templates can be created using the UDM REST API.
|
||||
|
||||
### *openDesk User*
|
||||
|
||||
The *openDesk User* template sets the primary group to *Domain Users* and initially sets the following permissions:
|
||||
|
||||
- **Groupware**: Enabled
|
||||
- **Chat**: Enabled
|
||||
- **Knowledge Management**: Enabled
|
||||
- **Project Management**: Enabled
|
||||
- **File Sharing**: Enabled
|
||||
- **Video Conference**: Enabled
|
||||
- **Knowledge Management Admin**: Disabled
|
||||
- **Project Management Admin**: Disabled
|
||||
- **File Sharing Admin**: Disabled
|
||||
|
||||
### *openDesk Administrator*
|
||||
|
||||
The *openDesk Administrator* template sets the primary group to *Domain Admins* and initially sets the following permissions:
|
||||
|
||||
- **Groupware**: Disabled
|
||||
- **Chat**: Disabled
|
||||
- **Knowledge Management**: Disabled
|
||||
- **Project Management**: Disabled
|
||||
- **File Sharing**: Disabled
|
||||
- **Video Conference**: Disabled
|
||||
- **Knowledge Management Admin**: Disabled
|
||||
- **Project Management Admin**: Disabled
|
||||
- **File Sharing Admin**: Disabled
|
||||
|
||||
## Managing permissions
|
||||
|
||||
*Administrators* can manage permissions of *Users* using the [administration portal](https://docs.opendesk.eu/administration/).
|
||||
|
||||
By using roles and permissions, openDesk ensures that users have the appropriate level of access, enhancing both security and efficiency.
|
||||
|
||||
## Hierarchies and delegation
|
||||
|
||||
The IAM allows the nesting of groups, in that case a group has no or not only users as members but other groups.
|
||||
|
||||
## Audit/Logging
|
||||
|
||||
Univention is about to provide an audit logging which brings the idea of the [UCS based directory logger](https://docs.software-univention.de/manual/5.0/en/domain-ldap/ldap-directory.html#audit-proof-logging-of-ldap-changes) to Nubus. openDesk will offer this feature as soon as it is made available in Nubus.
|
||||
|
||||
## Reporting
|
||||
|
||||
The IAM webinterface supports the export of reports for users and groups, which are the essential objects when it comes to permissions. These data exports can be subject to custom data analysis.
|
||||
|
||||
## Delegation
|
||||
|
||||
Currently the temporary assignment of roles is not supported. Role membership must be managed at the time of granting / revoking the membership.
|
||||
|
||||
## Regular review
|
||||
|
||||
While the overall role and permission setup must be checked by the customer including the respective custom roles, the openDesk team is challenging and improving the role and permission management on a regular basis, e.g. to address the need for a distinct "support" role.
|
||||
|
||||
# Applications
|
||||
|
||||
As managing all the application permissions within the IAM would require a superset of permissions to be available in the IAM causing a high level of administrative complexity, the permissions are usually managed within an application itself and mapped to roles/groups that are managed in the IAM.
|
||||
|
||||
## Roles/groups
|
||||
|
||||
For each IAM group it can be configured for which openDesk application the group should be visible. Like with users this is done in the "openDesk" tab of the [group administration](https://docs.opendesk.eu/administration/gruppen/).
|
||||
|
||||
> **Note**<br>
|
||||
> Currently the openDesk applications do not support nested groups. As a result only direct group memberships of users are processed in the application.<br>
|
||||
> The plan is to enable the openDesk applications to either support nested groups or to actively provision users into an application while resolving the nested group memberships for the application.
|
||||
|
||||
Within an application each available group can get a set of application specific permissions assigned.
|
||||
@@ -48,7 +48,8 @@ Any self-hosted or managed K8s cluster >= 1.24 listed in
|
||||
|
||||
The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/kubespray) based clusters.
|
||||
|
||||
> **Note:** The deployment is not tested against OpenShift.
|
||||
> **Note**<br>
|
||||
> The deployment is not tested against OpenShift.
|
||||
|
||||
# Ingress controller
|
||||
|
||||
|
||||
@@ -12,6 +12,16 @@ repositories:
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
|
||||
|
||||
# Collabora Controller - Enterprise Only
|
||||
# Source: https://github.com/CollaboraOnline/online
|
||||
- name: "collabora-controller-repo"
|
||||
keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
|
||||
verify: {{ .Values.charts.collaboraController.verify }}
|
||||
username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "collabora-online"
|
||||
chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
|
||||
@@ -22,6 +32,14 @@ releases:
|
||||
- {{ . }}
|
||||
{{ end }}
|
||||
installed: {{ .Values.collabora.enabled }}
|
||||
- name: "collabora-controller"
|
||||
chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
|
||||
version: "{{ .Values.charts.collaboraController.version }}"
|
||||
values:
|
||||
{{ range .Values.customization.release.collaboraController }}
|
||||
- {{ . }}
|
||||
{{ end }}
|
||||
installed: {{ .Values.collaboraController.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deployStage: "050-components"
|
||||
|
||||
@@ -8,17 +8,32 @@ autoscaling:
|
||||
enabled: false
|
||||
|
||||
collabora:
|
||||
aliasgroups:
|
||||
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
||||
env:
|
||||
- name: "POD_NAME"
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: "metadata.name"
|
||||
extra_params: >
|
||||
--o:ssl.enable=false
|
||||
--o:ssl.termination=true
|
||||
--o:fetch_update_check=0
|
||||
--o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }}
|
||||
--o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
|
||||
--o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
|
||||
|
||||
{{- if .Values.debug.enabled }}
|
||||
--o:logging.level=debug
|
||||
{{- else }}
|
||||
--o:logging.anonymize.anonymize_user_data=true
|
||||
{{- end }}
|
||||
{{- if .Values.collaboraController.enabled }}
|
||||
--o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
|
||||
--o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
|
||||
--o:monitors.monitor[0][@retryInterval]=5
|
||||
{{- end }}
|
||||
username: "collabora-internal-admin"
|
||||
password: {{ .Values.secrets.collabora.adminPassword | quote }}
|
||||
aliasgroups:
|
||||
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
||||
|
||||
fullnameOverride: "collabora"
|
||||
|
||||
@@ -34,8 +49,11 @@ imagePullSecrets:
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
# Ingress NGINX
|
||||
{{- if .Values.collaboraController.enabled }}
|
||||
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
|
||||
{{- else }}
|
||||
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
|
||||
{{- end }}
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
|
||||
@@ -44,32 +62,6 @@ ingress:
|
||||
location /cool/getMetrics { deny all; return 403; }
|
||||
location /cool/adminws/ { deny all; return 403; }
|
||||
location /browser/dist/admin/admin.html { deny all; return 403; }
|
||||
# NGINX
|
||||
nginx.org/websocket-services: "collabora"
|
||||
nginx.org/lb-method: "hash $arg_WOPISrc consistent"
|
||||
nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
|
||||
nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
|
||||
nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
|
||||
nginx.org/server-snippets: |
|
||||
# block admin and metrics endpoint from outside by default
|
||||
location /cool/getMetrics { deny all; return 403; }
|
||||
location /cool/adminws/ { deny all; return 403; }
|
||||
location /browser/dist/admin/admin.html { deny all; return 403; }
|
||||
# HAProxy
|
||||
haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
|
||||
haproxy.org/backend-config-snippet: |
|
||||
balance url_param WOPISrc check_post
|
||||
hash-type consistent
|
||||
# HAProxy - Community: https://haproxy-ingress.github.io/
|
||||
haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
|
||||
haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
|
||||
haproxy-ingress.github.io/config-backend: |
|
||||
hash-type consistent
|
||||
# block admin urls from outside
|
||||
acl admin_url path_beg /cool/getMetrics
|
||||
acl admin_url path_beg /cool/adminws/
|
||||
acl admin_url path_beg /browser/dist/admin/admin.html
|
||||
http-request deny if admin_url
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName | quote }}
|
||||
hosts:
|
||||
|
||||
@@ -112,15 +112,9 @@ repositories:
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
|
||||
|
||||
releases:
|
||||
# During upgrade 1.0.0 -> 1.1.0 the chart 'opendesk-element' has been moved to 'opendesk-element-web'
|
||||
- name: "opendesk-element"
|
||||
chart: "element-repo/{{ .Values.charts.element.name }}"
|
||||
version: "{{ .Values.charts.element.version }}"
|
||||
installed: false
|
||||
|
||||
- name: "opendesk-element-web"
|
||||
chart: "element-repo/{{ .Values.charts.elementWeb.name }}"
|
||||
version: "{{ .Values.charts.elementWeb.version }}"
|
||||
values:
|
||||
- "values-element.yaml.gotmpl"
|
||||
{{ range .Values.customization.release.opendeskElement }}
|
||||
|
||||
@@ -149,6 +149,7 @@ resources:
|
||||
{{ .Values.resources.element | toYaml | nindent 2 }}
|
||||
|
||||
theme:
|
||||
title: "Chat - {{ .Values.theme.texts.productName }}"
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -63,6 +63,7 @@ settings:
|
||||
keycloakClientId: "opendesk-jitsi"
|
||||
|
||||
theme:
|
||||
title: "Videokonferenz - {{ .Values.theme.texts.productName }}"
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
|
||||
jitsi:
|
||||
|
||||
@@ -12,7 +12,7 @@ global:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "opendesk-nextcloud-php"
|
||||
intents.otterize.com/service-name: "opendesk-nextcloud-management"
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
|
||||
|
||||
@@ -50,7 +50,7 @@ exporter:
|
||||
|
||||
aio:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "opendesk-nextcloud"
|
||||
intents.otterize.com/service-name: "opendesk-nextcloud-aio"
|
||||
configuration:
|
||||
cache:
|
||||
auth:
|
||||
|
||||
31
helmfile/apps/notes/helmfile-child.yaml.gotmpl
Normal file
31
helmfile/apps/notes/helmfile-child.yaml.gotmpl
Normal file
@@ -0,0 +1,31 @@
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
repositories:
|
||||
# Notes
|
||||
# Source: https://github.com/numerique-gouv/impress
|
||||
- name: "notes-repo"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.notes.verify }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "impress"
|
||||
chart: "notes-repo/{{ .Values.charts.notes.name }}"
|
||||
version: "{{ .Values.charts.notes.version }}"
|
||||
wait: true
|
||||
values:
|
||||
- "values.yaml.gotmpl"
|
||||
{{ range .Values.customization.release.notes }}
|
||||
- {{ . }}
|
||||
{{ end }}
|
||||
installed: {{ .Values.notes.enabled }}
|
||||
timeout: 1800
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "notes"
|
||||
...
|
||||
11
helmfile/apps/notes/helmfile.yaml.gotmpl
Normal file
11
helmfile/apps/notes/helmfile.yaml.gotmpl
Normal file
@@ -0,0 +1,11 @@
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
helmfiles:
|
||||
- path: "./helmfile-child.yaml.gotmpl"
|
||||
values:
|
||||
- {{ toYaml .Values | nindent 8 }}
|
||||
...
|
||||
230
helmfile/apps/notes/values.yaml.gotmpl
Normal file
230
helmfile/apps/notes/values.yaml.gotmpl
Normal file
@@ -0,0 +1,230 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
image:
|
||||
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.notesBackend.tag }}
|
||||
credentials:
|
||||
name: {{ .Values.global.imagePullSecrets | first | quote }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
ingressCollaborationWS:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
||||
path: "/collaboration/ws/"
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Can-Edit, X-User-Id"
|
||||
nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/collaboration-auth/
|
||||
nginx.ingress.kubernetes.io/enable-websocket: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
|
||||
nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
|
||||
|
||||
ingressAdmin:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
ingressMedia:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
|
||||
nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/retrieve-auth/"
|
||||
nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
nginx.ingress.kubernetes.io/use-regex: "true"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
|
||||
nginx.ingress.kubernetes.io/session-cookie-path: /media
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
ingressCollaborationApi:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
||||
path: /collaboration/api/
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
|
||||
serviceMedia:
|
||||
host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
||||
port: {{ .Values.objectstores.notes.port | default 443 }}
|
||||
|
||||
frontend:
|
||||
image:
|
||||
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry) (.Values.images.notesFrontend.repository) | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.notesFrontend.tag }}
|
||||
envVars:
|
||||
PORT: 8080
|
||||
NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
NEXT_PUBLIC_Y_PROVIDER_URL: {{ printf "wss://%s.%s/ws" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
|
||||
runtimeEnvs:
|
||||
ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
|
||||
PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
||||
replicas: {{ .Values.replicas.notesFrontend }}
|
||||
resources:
|
||||
{{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
|
||||
|
||||
yProvider:
|
||||
image:
|
||||
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.notesYProvider.tag }}
|
||||
resources:
|
||||
{{ .Values.resources.notesYProvider | toYaml | nindent 4 }}
|
||||
replicas: {{ .Values.replicas.notesYProvider }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
|
||||
envVars:
|
||||
COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
|
||||
COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
||||
Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
||||
|
||||
oidc:
|
||||
clientId: "opendesk-notes"
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
|
||||
|
||||
aiApiKey: {{ .Values.ai.apiKey }}
|
||||
aiBaseUrl: {{ .Values.ai.endpoint }}
|
||||
|
||||
djangoSuperUserEmail: "default.admin@{{ .Values.global.domain }}"
|
||||
djangoSuperUserPass: {{ .Values.secrets.notes.superuser }}
|
||||
djangoSecretKey: {{ .Values.secrets.notes.djangoSecretKey }}
|
||||
|
||||
backend:
|
||||
replicas: {{ .Values.replicas.notesBackend }}
|
||||
envVars:
|
||||
DB_HOST: {{ .Values.databases.notes.host | quote }}
|
||||
DB_NAME: {{ .Values.databases.notes.name | quote }}
|
||||
DB_USER: {{ .Values.databases.notes.username | quote }}
|
||||
DB_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
|
||||
DB_PORT: {{ .Values.databases.notes.port | quote }}
|
||||
POSTGRES_DB: {{ .Values.databases.notes.name | quote }}
|
||||
POSTGRES_USER: {{ .Values.databases.notes.username | quote }}
|
||||
POSTGRES_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
|
||||
FRONTEND_THEME: "openDesk"
|
||||
REDIS_URL: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
|
||||
AWS_S3_ENDPOINT_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
|
||||
AWS_S3_ACCESS_KEY_ID: {{ .Values.objectstores.notes.username }}
|
||||
AWS_S3_SECRET_ACCESS_KEY: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
|
||||
AWS_STORAGE_BUCKET_NAME: {{ .Values.objectstores.notes.bucket }}
|
||||
DJANGO_CSRF_TRUSTED_ORIGINS: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
DJANGO_CONFIGURATION: Production
|
||||
DJANGO_ALLOWED_HOSTS: "*"
|
||||
DJANGO_SECRET_KEY: {{ .Values.secrets.notes.djangoSecretKey }}
|
||||
DJANGO_SETTINGS_MODULE: impress.settings
|
||||
DJANGO_SUPERUSER_PASSWORD: {{ .Values.secrets.notes.superuser }}
|
||||
DJANGO_EMAIL_HOST: "postfix"
|
||||
DJANGO_EMAIL_PORT: 25
|
||||
DJANGO_EMAIL_USE_SSL: False
|
||||
OIDC_RP_CLIENT_ID: "opendesk-notes"
|
||||
OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
|
||||
OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
|
||||
OIDC_OP_AUTHORIZATION_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
|
||||
OIDC_OP_TOKEN_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
|
||||
OIDC_OP_USER_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
|
||||
OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
|
||||
OIDC_RP_SIGN_ALGO: RS256
|
||||
OIDC_RP_SCOPES: "openid opendesk-notes-scope"
|
||||
USER_OIDC_FIELD_TO_SHORTNAME: "given_name"
|
||||
USER_OIDC_FIELDS_TO_FULLNAME: "given_name family_name"
|
||||
OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
|
||||
OIDC_RENEW_ID_TOKEN: "False"
|
||||
LOGIN_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
LOGIN_REDIRECT_URL_FAILURE: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
||||
LOGOUT_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
||||
AI_BASE_URL: {{ .Values.ai.endpoint | quote }}
|
||||
AI_API_KEY: {{ .Values.ai.apiKey | quote }}
|
||||
AI_MODEL: {{ .Values.ai.model | quote }}
|
||||
Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
||||
Y_PROVIDER_API_BASE_URL: {{ printf "https://%s.%s/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
COLLABORATION_API_URL: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
||||
COLLABORATION_WS_URL: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
|
||||
migrate:
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
- |
|
||||
python manage.py migrate --no-input &&
|
||||
python manage.py create_demo --force
|
||||
restartPolicy: Never
|
||||
|
||||
createsuperuser:
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
- |
|
||||
python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
|
||||
restartPolicy: Never
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.notesBackend | toYaml | nindent 4 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
|
||||
...
|
||||
@@ -44,8 +44,6 @@ releases:
|
||||
version: "{{ .Values.charts.nubus.version }}"
|
||||
values:
|
||||
- "values-nubus.yaml.gotmpl"
|
||||
- "values-opendesk-customization.yaml.gotmpl"
|
||||
- "values-opendesk-images.yaml.gotmpl"
|
||||
{{ range .Values.customization.release.ums }}
|
||||
- {{ . }}
|
||||
{{ end }}
|
||||
|
||||
@@ -53,7 +53,8 @@ ics:
|
||||
secret: {{ .Values.secrets.intercom.secret | quote }}
|
||||
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
|
||||
originRegex: "{{ .Values.global.domain }}"
|
||||
userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"phoenixusername"{{ end }}
|
||||
userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
|
||||
usernameClaim: "opendesk_username"
|
||||
keycloak:
|
||||
realm: {{ .Values.platform.realm | quote }}
|
||||
default:
|
||||
@@ -77,6 +78,9 @@ ics:
|
||||
oci: true
|
||||
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
|
||||
audience: "opendesk-oxappsuite"
|
||||
xwiki:
|
||||
subdomain: {{ .Values.global.hosts.xwiki | quote }}
|
||||
audience: "opendesk-xwiki"
|
||||
nextcloud:
|
||||
origin: {{ .Values.global.hosts.nextcloud | quote }}
|
||||
subdomain: {{ .Values.global.hosts.nextcloud | quote }}
|
||||
@@ -103,7 +107,9 @@ podSecurityContext:
|
||||
fsGroupChangePolicy: "Always"
|
||||
|
||||
provisioning:
|
||||
enabled: true
|
||||
# intercom OIDC client is created by opendesk-keycloak-bootstrap, as we have control over the
|
||||
# client's claims this way.
|
||||
enabled: false
|
||||
config:
|
||||
nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
|
||||
keycloak:
|
||||
@@ -130,6 +136,8 @@ provisioning:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
|
||||
tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.intercomService | toYaml | nindent 4 }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,722 +0,0 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
keycloak:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: false
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak"
|
||||
replicaCount: {{ .Values.replicas.keycloak }}
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
|
||||
|
||||
nubusGuardian:
|
||||
authorizationApi:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-guardian-authorization-api"
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
|
||||
managementApi:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-guardian-management-api"
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
|
||||
managementUi:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-guardian-management-ui"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
|
||||
openPolicyAgent:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
|
||||
resources:
|
||||
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
|
||||
provisioning:
|
||||
# Using openDesk keycloak provisioning
|
||||
enabled: false
|
||||
|
||||
nubusNotificationsApi:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-notifications-api"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
replicaCount: {{ .Values.replicas.umsNotificationsApi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
|
||||
|
||||
nubusUmcServer:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-umc-server"
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
|
||||
containerSecurityContextInit:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
|
||||
containerSecurityContextSssd:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "DAC_OVERRIDE"
|
||||
- "SETGID"
|
||||
- "AUDIT_WRITE"
|
||||
- "SETUID"
|
||||
- "CHOWN"
|
||||
- "SETPCAP"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "MKNOD"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SYS_CHROOT"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
proxy:
|
||||
replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
|
||||
replicaCount: {{ .Values.replicas.umsUmcServer }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
|
||||
selfService:
|
||||
passwordresetEmailBody: |
|
||||
Sehr geehrte Benutzerin, sehr geehrter Benutzer,
|
||||
|
||||
Ihr Benutzername für {domainname} lautet: {username}
|
||||
|
||||
Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
|
||||
|
||||
Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
|
||||
https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
|
||||
|
||||
Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
|
||||
https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
|
||||
|
||||
Mit freundlichen Grüßen
|
||||
Ihr {domainname} Passwort-Service
|
||||
|
||||
nubusKeycloakExtensions:
|
||||
enabled: true
|
||||
handler:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
|
||||
proxy:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
|
||||
|
||||
nubusPortalConsumer:
|
||||
portalConsumer:
|
||||
image:
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-portal-consumer"
|
||||
replicaCount: {{ .Values.replicas.umsPortalConsumer }}
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
|
||||
resourcesWaitForDependency:
|
||||
{{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
|
||||
persistence:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
|
||||
{{- if .Values.certificate.selfSigned }}
|
||||
extraVolumes:
|
||||
- name: "trusted-cert-secret-volume"
|
||||
secret:
|
||||
secretName: "opendesk-certificates-ca-tls"
|
||||
items:
|
||||
- key: "ca.crt"
|
||||
path: "ca-certificates.crt"
|
||||
- key: "ca.crt"
|
||||
path: "cacert.pem"
|
||||
extraVolumeMounts:
|
||||
- name: "trusted-cert-secret-volume"
|
||||
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
||||
subPath: "ca-certificates.crt"
|
||||
waitForDependency:
|
||||
extraVolumeMounts:
|
||||
- name: "trusted-cert-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
||||
subPath: "ca-certificates.crt"
|
||||
- name: "trusted-cert-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
extraEnvVars:
|
||||
- name: "REQUESTS_CA_BUNDLE"
|
||||
value: "/etc/ssl/certs/ca-certificates.crt"
|
||||
- name: "DEFAULT_CA_BUNDLE_PATH"
|
||||
value: "/etc/ssl/certs/ca-certificates.crt"
|
||||
- name: "SSL_CERT_FILE"
|
||||
value: "/etc/ssl/certs/ca-certificates.crt"
|
||||
{{- end }}
|
||||
|
||||
nubusUdmListener:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 102
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsUdmListener }}
|
||||
resources:
|
||||
{{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
|
||||
|
||||
nubusPortalServer:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-portal-server"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
replicaCount: {{ .Values.replicas.umsPortalServer }}
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
|
||||
{{- if .Values.certificate.selfSigned }}
|
||||
extraVolumes:
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
secret:
|
||||
secretName: "opendesk-certificates-ca-tls"
|
||||
items:
|
||||
- key: "ca.crt"
|
||||
path: "ca-certificates.crt"
|
||||
- key: "ca.crt"
|
||||
path: "cacert.pem"
|
||||
extraVolumeMounts:
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
||||
subPath: "ca-certificates.crt"
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
{{- end }}
|
||||
|
||||
nubusLdapNotifier:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 101
|
||||
runAsGroup: 102
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-ldap-notifier"
|
||||
replicaCount: {{ .Values.replicas.umsLdapNotifier }}
|
||||
resources:
|
||||
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
|
||||
|
||||
nubusLdapServer:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
highAvailabilityMode: false
|
||||
replicaCountPrimary: 1
|
||||
replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
|
||||
replicaCountProxy: 0 # {{ .Values.replicas.umsLdapServerProxy }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-ldap-server"
|
||||
serviceAccount:
|
||||
create: true
|
||||
initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
|
||||
resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
|
||||
persistence:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
|
||||
extraVolumes:
|
||||
- name: "migration-scripts"
|
||||
secret:
|
||||
secretName: "ums-ldap-server-migration"
|
||||
defaultMode: 0555
|
||||
extraVolumeMounts:
|
||||
- name: "migration-scripts"
|
||||
mountPath: "/entrypoint.d/30-purge.sh"
|
||||
subPath: "30-purge.sh"
|
||||
- name: "migration-scripts"
|
||||
mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
|
||||
subPath: "95-slapadd-24-ldif.sh"
|
||||
extraSecrets:
|
||||
- name: "ums-ldap-server-migration"
|
||||
stringData:
|
||||
30-purge.sh: |
|
||||
#!/usr/bin/env bash
|
||||
me=$(basename "$0")
|
||||
echo "- Running ${me}"
|
||||
if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
|
||||
echo "- Cleaning up /var/lib/univention-ldap."
|
||||
cd /var/lib/univention-ldap
|
||||
rm -rf internal
|
||||
rm -rf ldap
|
||||
ls -l
|
||||
else
|
||||
echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
|
||||
fi
|
||||
95-slapadd-24-ldif.sh: |
|
||||
#!/usr/bin/env bash
|
||||
me=$(basename "$0")
|
||||
echo "- Running ${me}"
|
||||
ls -l /var/lib/univention-ldap
|
||||
if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
|
||||
echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
rm -rf /var/lib/univention-ldap/ldap
|
||||
rm -rf /var/lib/univention-ldap/internal
|
||||
echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
mkdir /var/lib/univention-ldap/ldap
|
||||
mkdir /var/lib/univention-ldap/internal
|
||||
echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
/usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
|
||||
echo "- slapadd executed"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
|
||||
echo "- import file renamed"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
else
|
||||
echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
|
||||
fi
|
||||
nubusPortalFrontend:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-portal-frontend"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
|
||||
portalFrontend:
|
||||
branding:
|
||||
css: {{ .Values.theme.styles.portalCss | toJson }}
|
||||
# Requires .ico, .svg does not work.
|
||||
favicon: {{ .Values.theme.imagery.faviconIcoB64 | toJson }}
|
||||
# The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
|
||||
logo: {{ .Values.theme.imagery.portalWaitingSpinnerSvgB64 | toJson }}
|
||||
backgroundImage: {{ .Values.theme.imagery.portalLogoBackgroundSvgB64 | toJson }}
|
||||
|
||||
nubusStackDataUms:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
|
||||
pullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-stack-data-ums"
|
||||
resources:
|
||||
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
|
||||
|
||||
nubusSelfServiceConsumer:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-selfservice-listener"
|
||||
resources:
|
||||
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
|
||||
|
||||
nubusUdmRestApi:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-udm-rest-api"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
annotations:
|
||||
intended.usage: "compliance"
|
||||
resources:
|
||||
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
|
||||
initResources:
|
||||
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
|
||||
|
||||
nubusUmcGateway:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsUmcGateway }}
|
||||
resources:
|
||||
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
|
||||
|
||||
nubusKeycloakBootstrap:
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
|
||||
serviceAccount:
|
||||
annotations:
|
||||
intended.usage: "compliance"
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
|
||||
|
||||
nubusProvisioning:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
replicaCount:
|
||||
dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
|
||||
udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
|
||||
prefill: {{ .Values.replicas.umsProvisioningPrefill }}
|
||||
api: {{ .Values.replicas.umsProvisioningApi }}
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
nats:
|
||||
config:
|
||||
cluster:
|
||||
replicas: {{ .Values.replicas.umsProvisioningNats }}
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
persistence:
|
||||
size: {{ .Values.persistence.size.nubus.provisioningNats }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-nats"
|
||||
serviceAccount:
|
||||
create: true
|
||||
api:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-api"
|
||||
dispatcher:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-dispatcher"
|
||||
prefill:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-prefill"
|
||||
registerConsumers:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
|
||||
udmTransformer:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
|
||||
resources:
|
||||
registerConsumers:
|
||||
{{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
|
||||
@@ -1,260 +0,0 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
keycloak:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloak.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloak.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusKeycloakBootstrap:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusKeycloakExtensions:
|
||||
handler:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
proxy:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusLdapNotifier:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapNotifier.repository }}
|
||||
tag: {{ .Values.images.nubusLdapNotifier.tag }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusLdapServer:
|
||||
ldapServer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapServer.repository }}
|
||||
tag: {{ .Values.images.nubusLdapServer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
dhInitcontainer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
|
||||
tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusNotificationsApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNotificationsApi.repository }}
|
||||
tag: {{ .Values.images.nubusNotificationsApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusPortalFrontend:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
|
||||
repository: {{ .Values.images.nubusPortalFrontend.repository }}
|
||||
tag: {{ .Values.images.nubusPortalFrontend.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusPortalConsumer:
|
||||
portalConsumer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusPortalConsumer.repository }}
|
||||
tag: {{ .Values.images.nubusPortalConsumer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusPortalServer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusPortalServer.repository }}
|
||||
tag: {{ .Values.images.nubusPortalServer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusProvisioning:
|
||||
api:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
dispatcher:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
udmTransformer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
prefill:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registerConsumers:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
nats:
|
||||
nats:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNats.repository }}
|
||||
tag: {{ .Values.images.nubusNats.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
reloader:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNatsReloader.repository }}
|
||||
tag: {{ .Values.images.nubusNatsReloader.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
natsBox:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNatsBox.repository }}
|
||||
tag: {{ .Values.images.nubusNatsBox.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusProvisioningEventsAndConsumerApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusProvisioningPrefill:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUdmListener:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusSelfServiceConsumer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
|
||||
tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUdmRestApi:
|
||||
udmRestApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUdmRestApi.repository }}
|
||||
tag: {{ .Values.images.nubusUdmRestApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUmcGateway:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUmcGateway.repository }}
|
||||
tag: {{ .Values.images.nubusUmcGateway.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUmcServer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUmcServer.repository }}
|
||||
tag: {{ .Values.images.nubusUmcServer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
proxy:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUmcServerProxy.repository }}
|
||||
tag: {{ .Values.images.nubusUmcServerProxy.tag }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusWaitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
|
||||
nubusGuardian:
|
||||
provisioning:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
authorizationApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
managementApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
managementUi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
openPolicyAgent:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
|
||||
repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
|
||||
tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusStackDataUms:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
|
||||
repository: {{ .Values.images.nubusDataLoader.repository }}
|
||||
tag: {{ .Values.images.nubusDataLoader.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
@@ -21,6 +21,8 @@ cleanup:
|
||||
keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
|
||||
|
||||
config:
|
||||
componentEnabled:
|
||||
notes: {{ .Values.notes.enabled }}
|
||||
custom:
|
||||
clientScopes:
|
||||
{{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
|
||||
@@ -28,7 +30,7 @@ config:
|
||||
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
|
||||
managed:
|
||||
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
|
||||
clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
|
||||
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
|
||||
keycloak:
|
||||
adminUser: "kcadmin"
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
@@ -42,7 +44,6 @@ config:
|
||||
# We use client specific scopes as we bind them to Keycloak role membership which itself is linked
|
||||
# to LDAP group membership to ensure a user cannot access an application without the required
|
||||
# group membership.
|
||||
# ToDo: Ensure all applications verify the token's signature to ensure it is not tampered.
|
||||
clientScopes:
|
||||
- name: "read_contacts"
|
||||
protocol: "openid-connect"
|
||||
@@ -374,7 +375,136 @@ config:
|
||||
access.token.claim: true
|
||||
claim.name: "opendesk_username"
|
||||
jsonType.label: "String"
|
||||
{{ if .Values.notes.enabled }}
|
||||
- name: "opendesk-notes-scope"
|
||||
description: "Scope for the claims required by openDesk's Notes instance."
|
||||
protocol: "openid-connect"
|
||||
protocolMappers:
|
||||
- name: "email"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
introspection.token.claim: true
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "email"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "email"
|
||||
jsonType.label: "String"
|
||||
- name: "given name"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
introspection.token.claim: true
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "firstName"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "given_name"
|
||||
jsonType.label: "String"
|
||||
- name: "family name"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
introspection.token.claim: true
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "lastName"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "family_name"
|
||||
jsonType.label: "String"
|
||||
{{ end }}
|
||||
clients:
|
||||
- name: "opendesk-intercom"
|
||||
clientId: "opendesk-intercom"
|
||||
protocol: "openid-connect"
|
||||
clientAuthenticatorType: "client-secret"
|
||||
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
|
||||
redirectUris:
|
||||
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
|
||||
consentRequired: false
|
||||
frontchannelLogout: false
|
||||
publicClient: false
|
||||
authorizationServicesEnabled: false
|
||||
attributes:
|
||||
backchannel.logout.session.required: true
|
||||
backchannel.logout.revoke.offline.tokens: true
|
||||
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
|
||||
protocolMappers:
|
||||
- name: "intercom-audience"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-audience-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
included.client.audience: "opendesk-intercom"
|
||||
id.token.claim: false
|
||||
access.token.claim: true
|
||||
- name: "opendesk_username"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "uid"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "opendesk_username"
|
||||
jsonType.label: "String"
|
||||
- name: "opendesk_useruuid"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "entryUUID"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "opendesk_useruuid"
|
||||
jsonType.label: "String"
|
||||
defaultClientScopes:
|
||||
- "offline_access"
|
||||
{{ if .Values.notes.enabled }}
|
||||
- name: "opendesk-notes"
|
||||
clientId: "opendesk-notes"
|
||||
protocol: "openid-connect"
|
||||
clientAuthenticatorType: "client-secret"
|
||||
secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
|
||||
redirectUris:
|
||||
- "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
|
||||
standardFlowEnabled: true
|
||||
implicitFlowEnabled: false
|
||||
alwaysDisplayInConsole: false
|
||||
bearerOnly: false
|
||||
directAccessGrantsEnabled: true
|
||||
serviceAccountsEnabled: false
|
||||
consentRequired: false
|
||||
frontchannelLogout: false
|
||||
publicClient: false
|
||||
authorizationServicesEnabled: false
|
||||
surrogateAuthRequired: false
|
||||
attributes:
|
||||
backchannel.logout.revoke.offline.tokens: false
|
||||
backchannel.logout.session.required: false
|
||||
client.introspection.response.allow.jwt.claim.enabled: false
|
||||
client.use.lightweight.access.token.enabled: false
|
||||
client_credentials.use_refresh_token: false
|
||||
display.on.consent.screen: false
|
||||
oauth2.device.authorization.grant.enabled: false
|
||||
oidc.ciba.grant.enabled: false
|
||||
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
|
||||
require.pushed.authorization.requests: false
|
||||
tls.client.certificate.bound.access.tokens: false
|
||||
token.response.type.bearer.lower-case: false
|
||||
use.jwks.url: false
|
||||
use.refresh.tokens: false
|
||||
# it is probably not even required to set this value explicitly.
|
||||
user.info.response.signature.alg: "RS256"
|
||||
defaultClientScopes:
|
||||
- "opendesk-notes-scope"
|
||||
{{ end }}
|
||||
- name: "opendesk-dovecot"
|
||||
clientId: "opendesk-dovecot"
|
||||
protocol: "openid-connect"
|
||||
|
||||
@@ -422,6 +422,9 @@ appsuite:
|
||||
replicas: {{ .Values.replicas.openxchangeCoreMW }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
|
||||
initContainer:
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 8 }}
|
||||
|
||||
core-ui:
|
||||
enabled: true
|
||||
|
||||
@@ -23,9 +23,8 @@ image:
|
||||
repository: {{ .Values.images.oxConnector.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.oxConnector.tag | quote }}
|
||||
|
||||
waitForDependency:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
pullSecrets:
|
||||
@@ -63,30 +62,14 @@ provisioningApi:
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
|
||||
resourcesWaitForDependency:
|
||||
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
|
||||
|
||||
persistence:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
podAnnotations: {}
|
||||
|
||||
## Container deployment probes
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
initialDelaySeconds: 120
|
||||
timeoutSeconds: 3
|
||||
periodSeconds: 30
|
||||
failureThreshold: 3
|
||||
successThreshold: 1
|
||||
|
||||
readiness:
|
||||
enabled: true
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 3
|
||||
periodSeconds: 15
|
||||
failureThreshold: 30
|
||||
successThreshold: 1
|
||||
|
||||
replicaCount: {{ .Values.replicas.oxConnector }}
|
||||
|
||||
securityContext:
|
||||
|
||||
@@ -44,7 +44,7 @@ repositories:
|
||||
|
||||
# openDesk Grafana Dashboards
|
||||
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
|
||||
- name: "dashboards-repo"
|
||||
- name: "opendesk-dashboards-repo"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.opendeskDashboards.verify }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
@@ -52,6 +52,16 @@ repositories:
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
|
||||
|
||||
# openDesk Static Files
|
||||
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-static-files
|
||||
- name: "opendesk-static-files-repo"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.opendeskStaticFiles.verify }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "opendesk-otterize"
|
||||
chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
|
||||
@@ -97,14 +107,23 @@ releases:
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-dashboards"
|
||||
chart: "dashboards-repo/{{ .Values.charts.opendeskDashboards.name }}"
|
||||
chart: "opendesk-dashboards-repo/{{ .Values.charts.opendeskDashboards.name }}"
|
||||
version: "{{ .Values.charts.opendeskDashboards.version }}"
|
||||
values:
|
||||
- "values-dashboards.yaml.gotmpl"
|
||||
- "values-opendesk-dashboards.yaml.gotmpl"
|
||||
- {{ .Values.customization.release.opendeskDashboards | default "additionalValues: false" }}
|
||||
installed: {{ .Values.monitoring.grafana.dashboards.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-static-files"
|
||||
chart: "opendesk-static-files-repo/{{ .Values.charts.opendeskStaticFiles.name }}"
|
||||
version: "{{ .Values.charts.opendeskStaticFiles.version }}"
|
||||
values:
|
||||
- "values-opendesk-static-files.yaml.gotmpl"
|
||||
- {{ .Values.customization.release.opendeskStaticFiles | default "additionalValues: false" }}
|
||||
installed: {{ .Values.staticFiles.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deployStage: "030-opendesk-services"
|
||||
component: "opendesk-services"
|
||||
|
||||
@@ -10,7 +10,6 @@ global:
|
||||
|
||||
ingress:
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
||||
tls:
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
...
|
||||
|
||||
@@ -0,0 +1,119 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
assets:
|
||||
element:
|
||||
subdomain: {{ .Values.global.hosts.element }}
|
||||
paths:
|
||||
- path: "/vector-icons/favicon.........ico"
|
||||
data: {{ .Values.theme.imagery.chat.faviconIco }}
|
||||
jitsi:
|
||||
subdomain: {{ .Values.global.hosts.jitsi }}
|
||||
paths:
|
||||
- path: "/images/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.videoconference.faviconSvg }}
|
||||
keycloak:
|
||||
subdomain: {{ .Values.global.hosts.keycloak }}
|
||||
paths:
|
||||
- path: "/resources/...../login/UCS/img/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.login.faviconIco }}
|
||||
- path: "/static-files/login/logo.svg"
|
||||
data: {{ .Values.theme.imagery.login.logoSvg }}
|
||||
nextcloud:
|
||||
subdomain: {{ .Values.global.hosts.nextcloud }}
|
||||
paths:
|
||||
- path: "/core/img/favicon-touch.png"
|
||||
data: {{ .Values.theme.imagery.files.faviconPng }}
|
||||
- path: "/core/img/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.files.faviconIco }}
|
||||
notes:
|
||||
subdomain: {{ .Values.global.hosts.notes }}
|
||||
paths:
|
||||
- path: "/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.notes.faviconIco }}
|
||||
openproject:
|
||||
subdomain: {{ .Values.global.hosts.openproject }}
|
||||
paths:
|
||||
- path: "/custom_style/........../favicon/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.projects.faviconSvg }}
|
||||
openxchange:
|
||||
subdomain: {{ .Values.global.hosts.openxchange }}
|
||||
paths:
|
||||
- path: "/appsuite/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.groupware.faviconIco }}
|
||||
- path: "/appsuite/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.groupware.faviconSvg }}
|
||||
portal:
|
||||
subdomain: {{ .Values.global.hosts.nubus }}
|
||||
paths:
|
||||
- path: "/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.portal.faviconIco }}
|
||||
- path: "/static-files/portal/background.svg"
|
||||
data: {{ .Values.theme.imagery.portal.backgroundSvg }}
|
||||
- path: "/static-files/portal/waiting-spinner.svg"
|
||||
data: {{ .Values.theme.imagery.portal.waitingSpinnerSvg }}
|
||||
- path: "/static-files/login/background.jpg"
|
||||
data: {{ .Values.theme.imagery.login.backgroundJpg }}
|
||||
|
||||
xwiki:
|
||||
subdomain: {{ .Values.global.hosts.xwiki }}
|
||||
paths:
|
||||
- path: "/resources/icons/xwiki/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.knowledge.faviconSvg }}
|
||||
- path: "/resources/icons/xwiki/favicon16.png"
|
||||
data: {{ .Values.theme.imagery.knowledge.faviconPng }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
|
||||
deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 101
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.opendeskStaticFiles | toYaml | nindent 4 }}
|
||||
|
||||
ingress:
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
host: "{{ .Values.global.hosts.static }}.{{ .Values.global.domain }}"
|
||||
tls:
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.opendeskStaticFiles.registry | quote }}
|
||||
repository: {{ .Values.images.opendeskStaticFiles.repository | quote }}
|
||||
tag: {{ .Values.images.opendeskStaticFiles.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "Always"
|
||||
|
||||
replicaCount: {{ .Values.replicas.opendeskStaticFiles }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.opendeskStaticFiles | toYaml | nindent 2 }}
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
...
|
||||
@@ -3,6 +3,11 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
|
||||
apps:
|
||||
clamavDistributed:
|
||||
enabled: {{ .Values.clamavDistributed.enabled }}
|
||||
@@ -12,6 +17,8 @@ apps:
|
||||
enabled: {{ .Values.collabora.enabled }}
|
||||
cryptpad:
|
||||
enabled: {{ .Values.cryptpad.enabled }}
|
||||
dkimpy:
|
||||
enabled: {{ .Values.dkimpy.enabled }}
|
||||
dovecot:
|
||||
enabled: {{ .Values.dovecot.enabled }}
|
||||
element:
|
||||
@@ -22,10 +29,16 @@ apps:
|
||||
enabled: {{ .Values.mariadb.enabled }}
|
||||
memcached:
|
||||
enabled: {{ .Values.memcached.enabled }}
|
||||
migrations:
|
||||
enabled: {{ .Values.migrations.enabled }}
|
||||
minio:
|
||||
enabled: {{ .Values.minio.enabled }}
|
||||
nextcloud:
|
||||
enabled: {{ .Values.nextcloud.enabled }}
|
||||
notes:
|
||||
enabled: {{ .Values.notes.enabled }}
|
||||
nubus:
|
||||
enabled: {{ .Values.nubus.enabled }}
|
||||
openproject:
|
||||
enabled: {{ .Values.openproject.enabled }}
|
||||
oxAppsuite:
|
||||
@@ -36,8 +49,6 @@ apps:
|
||||
enabled: {{ .Values.postgresql.enabled }}
|
||||
redis:
|
||||
enabled: {{ .Values.redis.enabled }}
|
||||
univentionManagementStack:
|
||||
enabled: {{ .Values.nubus.enabled }}
|
||||
xwiki:
|
||||
enabled: {{ .Values.xwiki.enabled }}
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ dbInit:
|
||||
environment:
|
||||
# For more details and more options see
|
||||
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
|
||||
OPENPROJECT_APP__TITLE: "Projects | {{ .Values.theme.texts.productName }}"
|
||||
OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
|
||||
OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
|
||||
OPENPROJECT_LOGIN__REQUIRED: "true"
|
||||
OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
|
||||
|
||||
@@ -83,15 +83,14 @@ repositories:
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
|
||||
|
||||
# openDesk Enterprise Repositories
|
||||
|
||||
# openDesk Enterprise
|
||||
# Cassandra
|
||||
# Source: https://github.com/bitnami/charts/
|
||||
- name: "cassandra-repo"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.cassandra.verify }}
|
||||
username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
|
||||
|
||||
|
||||
@@ -26,26 +26,34 @@ containerSecurityContext:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 0
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
|
||||
|
||||
defaultBuckets: "openproject,openxchange,ums,nextcloud"
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
security:
|
||||
allowInsecureImages: true
|
||||
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
|
||||
repository: "{{ .Values.images.minio.repository }}"
|
||||
tag: "{{ .Values.images.minio.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.minio.repository | quote }}
|
||||
tag: {{ .Values.images.minio.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
volumePermissions:
|
||||
enabled: true
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
|
||||
repository: {{ .Values.images.bitnamiOSShell.repository | quote }}
|
||||
tag: {{ .Values.images.bitnamiOSShell.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
{{- if .Values.debug.enabled }}
|
||||
ingress:
|
||||
@@ -79,7 +87,7 @@ networkPolicy:
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
fsGroup: 1001
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
@@ -94,16 +102,19 @@ provisioning:
|
||||
- "mc anonymous set download provisioning/ums/portal-assets"
|
||||
buckets:
|
||||
- name: {{ .Values.objectstores.migrations.bucket | quote }}
|
||||
versioning: false
|
||||
versioning: "Suspended"
|
||||
withLock: false
|
||||
- name: {{ .Values.objectstores.nextcloud.bucket | quote }}
|
||||
versioning: true
|
||||
versioning: "Suspended"
|
||||
withLock: false
|
||||
- name: {{ .Values.objectstores.notes.bucket | quote }}
|
||||
versioning: "Versioned"
|
||||
withLock: false
|
||||
- name: {{ .Values.objectstores.openproject.bucket | quote }}
|
||||
versioning: true
|
||||
versioning: "Suspended"
|
||||
withLock: false
|
||||
- name: {{ .Values.objectstores.nubus.bucket | quote }}
|
||||
versioning: false
|
||||
versioning: "Suspended"
|
||||
withLock: false
|
||||
policies:
|
||||
- name: "migrations-bucket-policy"
|
||||
@@ -130,6 +141,18 @@ provisioning:
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- name: "notes-bucket-policy"
|
||||
statements:
|
||||
- resources:
|
||||
- "arn:aws:s3:::notes"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- resources:
|
||||
- "arn:aws:s3:::notes/*"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- name: "openproject-bucket-policy"
|
||||
statements:
|
||||
- resources:
|
||||
@@ -167,6 +190,12 @@ provisioning:
|
||||
policies:
|
||||
- "nextcloud-bucket-policy"
|
||||
setPolicies: true
|
||||
- username: {{ .Values.objectstores.notes.username | quote }}
|
||||
password: {{ .Values.secrets.minio.notesUser | quote }}
|
||||
disabled: false
|
||||
policies:
|
||||
- "notes-bucket-policy"
|
||||
setPolicies: true
|
||||
- username: {{ .Values.objectstores.openproject.username | quote }}
|
||||
password: {{ .Values.secrets.minio.openprojectUser | quote }}
|
||||
disabled: false
|
||||
@@ -200,6 +229,7 @@ startupProbe:
|
||||
|
||||
statefulset:
|
||||
replicaCount: {{ .Values.replicas.minio }}
|
||||
drivesPerNode: {{ if gt .Values.replicas.minio 1 }}2{{ else }}1{{ end }}
|
||||
|
||||
{{- if .Values.certificate.selfSigned }}
|
||||
extraVolumes:
|
||||
|
||||
@@ -86,4 +86,11 @@ replicaCount: {{ .Values.replicas.postfix }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.postfix | toYaml | nindent 2 }}
|
||||
|
||||
{{- if or (eq .Values.cluster.service.type "NodePort") (eq .Values.cluster.service.type "LoadBalancer") }}
|
||||
service:
|
||||
external:
|
||||
enabled: true
|
||||
type: {{ .Values.cluster.service.type | quote }}
|
||||
{{- end }}
|
||||
...
|
||||
|
||||
@@ -48,6 +48,9 @@ job:
|
||||
- username: {{ .Values.databases.keycloak.username | quote }}
|
||||
password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
|
||||
connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
|
||||
- username: {{ .Values.databases.notes.username | quote }}
|
||||
password: {{ .Values.secrets.postgresql.notesUser | quote }}
|
||||
connectionLimit: {{ .Values.databases.notes.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
|
||||
- username: {{ .Values.databases.openproject.username | quote }}
|
||||
password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
|
||||
connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
|
||||
@@ -71,6 +74,8 @@ job:
|
||||
user: {{ .Values.databases.keycloak.username | quote }}
|
||||
- name: {{ .Values.databases.keycloakExtension.name | quote }}
|
||||
user: {{ .Values.databases.keycloakExtension.username | quote }}
|
||||
- name: {{ .Values.databases.notes.name | quote }}
|
||||
user: {{ .Values.databases.notes.username | quote }}
|
||||
- name: {{ .Values.databases.openproject.name | quote }}
|
||||
user: {{ .Values.databases.openproject.username | quote }}
|
||||
- name: {{ .Values.databases.synapse.name | quote }}
|
||||
|
||||
@@ -141,12 +141,10 @@ postgresql:
|
||||
|
||||
properties:
|
||||
"attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvgB64 }}"
|
||||
"attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvgB64 }}"
|
||||
"attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
|
||||
"attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
|
||||
"property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
|
||||
"property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
|
||||
"property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
|
||||
|
||||
## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
|
||||
"property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
|
||||
## SMTP settings
|
||||
@@ -175,7 +173,7 @@ properties:
|
||||
# yamllint disable-line rule:line-length
|
||||
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd !important; height: 64px;} div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
|
||||
|
||||
"property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
|
||||
"property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "keycloak-bridge-auth"
|
||||
## Fields to search in when importing users from the administration UI (not completely in scope for now)
|
||||
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
|
||||
"sn,givenname,uid,mailPrimaryAddress"
|
||||
@@ -192,7 +190,7 @@ properties:
|
||||
## LDAP filter to only synchronize some groups
|
||||
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
|
||||
"(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
|
||||
"property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "{{ .Values.theme.texts.productName }} Wissen - $!tdoc.displayTitle"
|
||||
"property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "Wissen - $!tdoc.displayTitle - {{ .Values.theme.texts.productName }}"
|
||||
|
||||
cluster:
|
||||
replicas: {{ .Values.replicas.xwiki }}
|
||||
|
||||
8
helmfile/environments/default/ai.yaml.gotmpl
Normal file
8
helmfile/environments/default/ai.yaml.gotmpl
Normal file
@@ -0,0 +1,8 @@
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
ai:
|
||||
endpoint: ""
|
||||
apiKey: ""
|
||||
model: ""
|
||||
...
|
||||
@@ -13,6 +13,10 @@ cache:
|
||||
username: "default"
|
||||
password: ""
|
||||
tls: false
|
||||
notes:
|
||||
host: "redis-headless"
|
||||
port: 6379
|
||||
password: ""
|
||||
openproject:
|
||||
host: "memcached"
|
||||
port: 11211
|
||||
|
||||
@@ -21,7 +21,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
|
||||
name: "opendesk-certificates"
|
||||
version: "3.1.0"
|
||||
version: "3.1.1"
|
||||
verify: true
|
||||
clamav:
|
||||
# providerCategory: "Platform"
|
||||
@@ -55,6 +55,13 @@ charts:
|
||||
name: "collabora-online"
|
||||
version: "1.1.21"
|
||||
verify: true
|
||||
collaboraController:
|
||||
# Component is required for openDesk Enterprise only.
|
||||
registry: ""
|
||||
repository: ""
|
||||
name: ""
|
||||
version: ""
|
||||
verify: true
|
||||
cryptpad:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "XWiki"
|
||||
@@ -97,7 +104,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-element"
|
||||
version: "5.0.1"
|
||||
version: "6.0.0"
|
||||
verify: true
|
||||
elementWeb:
|
||||
# providerCategory: "Platform"
|
||||
@@ -107,7 +114,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-element-web"
|
||||
version: "5.0.1"
|
||||
version: "6.0.0"
|
||||
verify: true
|
||||
elementWellKnown:
|
||||
# providerCategory: "Platform"
|
||||
@@ -117,7 +124,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-well-known"
|
||||
version: "5.0.1"
|
||||
version: "6.0.0"
|
||||
verify: true
|
||||
home:
|
||||
# providerCategory: "Platform"
|
||||
@@ -139,7 +146,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "intercom-service"
|
||||
version: "2.4.0"
|
||||
version: "2.7.3"
|
||||
verify: true
|
||||
jitsi:
|
||||
# providerCategory: "Platform"
|
||||
@@ -149,7 +156,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
|
||||
name: "opendesk-jitsi"
|
||||
version: "2.1.1"
|
||||
version: "3.0.1"
|
||||
verify: true
|
||||
mariadb:
|
||||
# providerCategory: "Platform"
|
||||
@@ -209,7 +216,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-matrix-user-verification-service"
|
||||
version: "5.0.1"
|
||||
version: "6.0.1"
|
||||
verify: true
|
||||
memcached:
|
||||
# providerCategory: "Community"
|
||||
@@ -229,7 +236,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
|
||||
name: "opendesk-migrations"
|
||||
version: "1.3.6"
|
||||
version: "1.4.0"
|
||||
verify: true
|
||||
minio:
|
||||
# providerCategory: "Community"
|
||||
@@ -239,7 +246,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/external/charts/bitnami-charts"
|
||||
name: "minio"
|
||||
version: "12.10.11"
|
||||
version: "14.10.1"
|
||||
verify: true
|
||||
nextcloud:
|
||||
# providerCategory: "Platform"
|
||||
@@ -281,6 +288,16 @@ charts:
|
||||
name: "nginx-s3-gateway"
|
||||
version: "1.0.1"
|
||||
verify: true
|
||||
notes:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "openDesk"
|
||||
# upstreamRegistry: "https://gitlab.opencode.de"
|
||||
# packageName=bmi/opendesk/components/supplier/dinum/charts/notes
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/dinum/charts/notes"
|
||||
name: "impress"
|
||||
version: "2.0.0"
|
||||
verify: true
|
||||
nubus:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -291,7 +308,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "nubus"
|
||||
version: "1.4.0"
|
||||
version: "1.5.1"
|
||||
verify: true
|
||||
opendeskAlerts:
|
||||
# providerCategory: "Platform"
|
||||
@@ -301,7 +318,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
|
||||
name: "opendesk-alerts"
|
||||
version: "1.1.0"
|
||||
version: "1.1.1"
|
||||
verify: true
|
||||
opendeskDashboards:
|
||||
# providerCategory: "Platform"
|
||||
@@ -311,7 +328,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-dashboards"
|
||||
name: "opendesk-dashboards"
|
||||
version: "1.1.0"
|
||||
version: "1.1.1"
|
||||
verify: true
|
||||
opendeskKeycloakBootstrap:
|
||||
# providerCategory: "Platform"
|
||||
@@ -321,7 +338,17 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
|
||||
name: "opendesk-keycloak-bootstrap"
|
||||
version: "2.1.3"
|
||||
version: "2.2.0"
|
||||
verify: true
|
||||
opendeskStaticFiles:
|
||||
# providerCategory: "Platform"
|
||||
# providerResponsible: "openDesk"
|
||||
# upstreamRegistry: "https://registry.opencode.de"
|
||||
# upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files/opendesk-static-files"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files"
|
||||
name: "opendesk-static-files"
|
||||
version: "4.0.1"
|
||||
verify: true
|
||||
openproject:
|
||||
# providerCategory: "Supplier"
|
||||
@@ -333,7 +360,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
|
||||
name: "openproject"
|
||||
version: "9.2.0"
|
||||
version: "9.4.1"
|
||||
verify: true
|
||||
openprojectBootstrap:
|
||||
# providerCategory: "Platform"
|
||||
@@ -353,7 +380,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
|
||||
name: "opendesk-otterize"
|
||||
version: "2.1.0"
|
||||
version: "2.1.3"
|
||||
verify: true
|
||||
oxAppSuite:
|
||||
# providerCategory: "Supplier"
|
||||
@@ -387,7 +414,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "ox-connector"
|
||||
version: "0.14.5"
|
||||
version: "0.14.11"
|
||||
verify: true
|
||||
postfix:
|
||||
# providerCategory: "Platform"
|
||||
@@ -427,7 +454,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-synapse"
|
||||
version: "5.0.1"
|
||||
version: "6.0.1"
|
||||
verify: true
|
||||
synapseAdmin:
|
||||
# Component is required for openDesk Enterprise only.
|
||||
@@ -451,7 +478,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-synapse-create-account"
|
||||
version: "5.0.1"
|
||||
version: "6.0.0"
|
||||
verify: true
|
||||
synapseGroupsync:
|
||||
# Component is required for openDesk Enterprise only.
|
||||
@@ -475,7 +502,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
|
||||
name: "opendesk-synapse-web"
|
||||
version: "5.0.1"
|
||||
version: "6.0.0"
|
||||
verify: true
|
||||
xwiki:
|
||||
# providerCategory: "Supplier"
|
||||
|
||||
@@ -34,6 +34,8 @@ customization:
|
||||
# nextcloud
|
||||
opendeskNextcloudManagement: {}
|
||||
opendeskNextcloud: {}
|
||||
# notes
|
||||
notes: {}
|
||||
# nubus
|
||||
ums: {}
|
||||
intercomService: {}
|
||||
@@ -48,12 +50,16 @@ customization:
|
||||
openproject: {}
|
||||
# openproject-bootstrap
|
||||
opendeskOpenprojectBootstrap: {}
|
||||
# services
|
||||
# xwiki
|
||||
xwiki: {}
|
||||
# openDesk services
|
||||
opendeskOtterize: {}
|
||||
opendeskHome: {}
|
||||
opendeskCertificates: {}
|
||||
opendeskAlerts: {}
|
||||
opendeskDashboards: {}
|
||||
opendeskStaticFiles: {}
|
||||
# external services
|
||||
redis: {}
|
||||
memcached: {}
|
||||
postgresql: {}
|
||||
@@ -63,11 +69,10 @@ customization:
|
||||
clamav: {}
|
||||
clamavSimple: {}
|
||||
minio: {}
|
||||
# xwiki
|
||||
xwiki: {}
|
||||
|
||||
# openDesk Enterprise Components
|
||||
cassandra: {}
|
||||
collaboraController: {}
|
||||
opendeskSynapseAdmin: {}
|
||||
opendeskSynapseAdminbotBootstrap: {}
|
||||
opendeskSynapseAdminbotPipe: {}
|
||||
@@ -75,4 +80,5 @@ customization:
|
||||
opendeskSynapseAuditbotBootstrap: {}
|
||||
opendeskSynapseAuditbotPipe: {}
|
||||
opendeskSynapseGroupsync: {}
|
||||
|
||||
...
|
||||
|
||||
@@ -25,6 +25,13 @@ databases:
|
||||
username: "nextcloud_user"
|
||||
password: ""
|
||||
connectionLimit: ~
|
||||
notes:
|
||||
name: "notes"
|
||||
host: "postgresql"
|
||||
port: 5432
|
||||
username: "notes_user"
|
||||
password: ""
|
||||
connectionLimit: ~
|
||||
openproject:
|
||||
name: "openproject"
|
||||
host: "postgresql"
|
||||
|
||||
@@ -7,9 +7,9 @@ debug:
|
||||
deletePodsOnSuccess: true
|
||||
# When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
|
||||
deletePodsOnSuccessTimeout: 60
|
||||
# Keep persistence on deletion of this release.
|
||||
# Keep persistence on deletion of a release.
|
||||
keepPVCOnDelete: false
|
||||
# Keep additional resources, like certificates on deletion of this release.
|
||||
# Keep additional resources, like certificates on deletion of a release.
|
||||
keepRessourceOnDelete: true
|
||||
# should activate debug output in all components and even allow e.g. successfully executed jobs
|
||||
# to stay available. This is going to be implemented on a case by case basis when we actually
|
||||
|
||||
@@ -3,5 +3,5 @@
|
||||
---
|
||||
global:
|
||||
systemInformation:
|
||||
releaseVersion: "v1.0.1"
|
||||
releaseVersion: "v1.1.1"
|
||||
...
|
||||
|
||||
@@ -44,9 +44,11 @@ global:
|
||||
minioApi: "objectstore"
|
||||
minioConsole: "objectstore-ui"
|
||||
nextcloud: "files"
|
||||
notes: "notes"
|
||||
nubus: "portal"
|
||||
openproject: "projects"
|
||||
openxchange: "webmail"
|
||||
static: "static"
|
||||
synapse: "matrix"
|
||||
synapseFederation: "matrix-federation"
|
||||
whiteboard: "whiteboard"
|
||||
|
||||
@@ -5,6 +5,14 @@
|
||||
# Please read the /docs/development.md for information about structure and annotations used in this file.
|
||||
---
|
||||
images:
|
||||
bitnamiOSShell:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "openDesk"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "bitnami/os-shell"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "bitnami/os-shell"
|
||||
tag: "12-debian-12-r34@sha256:41e0561b0f08011c24acc5e8ad4c0d09a36062cfab35d9ec7b3fdd4cfecc01e0"
|
||||
clamd:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -53,7 +61,7 @@ images:
|
||||
# upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
|
||||
tag: "1.11.4@sha256:bfb0ce4afe737e7b6a0404c9e3f2d8dbe341ce72a930d0d5173a0145729cf646"
|
||||
tag: "1.11.6@sha256:1ac5eeea24c5fbfdfeda44cb00651fa22864e26d8cb32add150c4bf1aea0fb36"
|
||||
freshclam:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -79,7 +87,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["2", "1", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
|
||||
tag: "2.4.0@sha256:df743b7ea30077dc941815ccc60198820d67bbba94853fa7a6f939c0f36af335"
|
||||
tag: "2.7.3@sha256:bae60a9a14df53431f81846bf98520e3340dbfc1abae88622ccbd3c6e81cd930"
|
||||
jibri:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -122,12 +130,12 @@ images:
|
||||
tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
|
||||
jitsiPatchJVB:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "Nordeck"
|
||||
# providerResponsible: "openDesk"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "bitnami/kubectl"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "bitnami/kubectl"
|
||||
tag: "1.31.3@sha256:e90b9642d3daeabcfe73cf9aadcbbc624d1de7f88185095307c785f1c266bdb9"
|
||||
tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
|
||||
jvb:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -175,7 +183,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["2", "7", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
|
||||
tag: "2.8.1@sha256:d23b08e3b6f322ffdc67029a35bd110cefb98de7a2a023b7f52fb7729886078b"
|
||||
tag: "2.8.2@sha256:1266f4af93cd82554e037125a7f6d753742bcde3dd90ecbeed8f6f5f64689c96"
|
||||
matrixNeoDateFixWidget:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -211,7 +219,7 @@ images:
|
||||
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
|
||||
tag: "1.3.18@sha256:d7f13322cc9cc7ab157f926280070850b0dfc6169c93a306ec4c3cf7c21eff69"
|
||||
tag: "1.4.0@sha256:0c74011e4c1216857b73695741196908afcacc2f531fd1c894b8f574ac98f9a2"
|
||||
milter:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -227,7 +235,7 @@ images:
|
||||
# upstreamRepository: "bitnami/minio"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "bitnami/minio"
|
||||
tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
|
||||
tag: "2024.12.13-debian-12-r0@sha256:2a258ab6876f6ed3cd5609836d065f20927955a2ae721fd9edde8ca388b52135"
|
||||
nextcloud:
|
||||
# providerCategory: "Platform"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -252,6 +260,30 @@ images:
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "nginxinc/nginx-s3-gateway"
|
||||
tag: "unprivileged-oss-20241111@sha256:20d6b6ec5fc987b18c3e345de33674374a8335c593d6d0841ac64eb49ae2dea4"
|
||||
notesBackend:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "DINUM"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "lasuite/impress-backend"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "lasuite/impress-backend"
|
||||
tag: "v1.10.0-docs-production@sha256:62f31bf18335fec031f9ea3af828b84a8bb811793b63bc1c484e4ce14d437198"
|
||||
notesFrontend:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "DINUM"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "lasuite/impress-frontend"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
|
||||
tag: "1.5.1@sha256:dad7dd60a5eb39b71b4911558cf7eac9ed6dc050593a046f5da0eaa75c65d344"
|
||||
notesYProvider:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "DINUM"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "lasuite/impress-y-provider"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "lasuite/impress-y-provider"
|
||||
tag: "v1.10.0-docs-production@sha256:9fcdb1fe7b20f0026b94765d64d83a2fe76cbe6e59c43d098fa21a7ea0c74803"
|
||||
nubusDataLoader:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -261,7 +293,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "41", "5"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
|
||||
tag: "0.80.0@sha256:61a8ed924c27578f40022ec7cb8d34337d0bdc890e46a09fee57a5428cd33037"
|
||||
tag: "0.80.2@sha256:04b4b928e5e957f6544b6e0af32c75340cfacf182a78e03bc1a65bdf9f8d9e5d"
|
||||
nubusGuardianAuthorizationApi:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -351,7 +383,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "8", "2"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
|
||||
tag: "0.26.5@sha256:2849bcea1c0d532d83d7d5ccd6036592af53ae6fee2ef5822eae7147ec0e094c"
|
||||
tag: "0.29.1@sha256:c06923e8d9190a83d94b2f3e429d8ae812f09fbb9f89b5689d3e221ccbbcd1ab"
|
||||
nubusLdapServer:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -361,7 +393,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "8", "2"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
|
||||
tag: "0.27.0@sha256:c8b2b4e6987deb37095a7dbfcc4e622a503e003dc9b667558edc2f9c2f58a072"
|
||||
tag: "0.29.1@sha256:0d3f136572849311490d2b616fa948bb6c97a6df9517fcc3770264ed8ee5c8e6"
|
||||
nubusLdapServerDhInitContainer:
|
||||
# providerCategory: 'Community'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -370,6 +402,16 @@ images:
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "natsio/nats-box"
|
||||
tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
|
||||
nubusLdapServerLeaderElector:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
# upstreamRegistry: "https://artifacts.software-univention.de"
|
||||
# upstreamRepository: "nubus/images/ldap-server-elector"
|
||||
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# upstreamMirrorStartFrom: ["0", "29", "1"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
|
||||
tag: "0.31.1@sha256:70d23a5055acb2bcaaa629e78b2168355efebab20047a40a8f410b1ce0f624e2"
|
||||
nubusNats:
|
||||
# providerCategory: 'Community'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -403,7 +445,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "9", "4"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
|
||||
tag: "0.48.0@sha256:0d633fbe27c153e306b2887e597da138072e3b74218df27fbd27901daed31987"
|
||||
tag: "0.48.3@sha256:7d4e8e0a6fb6be2b3f1e5f0db49375d7a0a5820fc7517b685b2109dac00ea823"
|
||||
nubusOpendeskExtension:
|
||||
# providerCategory: "Platform"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -411,7 +453,7 @@ images:
|
||||
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
|
||||
tag: "1.8.2-trossner-nubus1-3@sha256:d8d7d851233e1360968417844c73b1b3822b4e8876194fd4dc3088112c66530a"
|
||||
tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
|
||||
nubusOpenPolicyAgent:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -441,7 +483,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "27", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
|
||||
tag: "0.48.0@sha256:949b4e47b0f0f2cf8197c080eba709481e09d776a6293669404bceb749ac4a70"
|
||||
tag: "0.48.3@sha256:329ad2fbfdba2fb3cb0b170158f9fdff8786c0f1e24537d16a197432e0d0f2d0"
|
||||
nubusPortalExtension:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -459,7 +501,7 @@ images:
|
||||
# upstreamRepository: "nubus/images/portal-frontend"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
|
||||
tag: "1.10.5@sha256:75461683a2233c2e5c99499791ceb576b717c68baa28eef2c307e7052aaaf754"
|
||||
tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
|
||||
nubusPortalServer:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -469,7 +511,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "9", "4"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
|
||||
tag: "0.48.0@sha256:33860975dac733c1412a7ca0372324a15dc5cd60d73061666744bcab6de5f7c6"
|
||||
tag: "0.48.3@sha256:331a3f247d3c3d496ee1be78d71b6c737666f2fbf0bced1985e2edb295729e59"
|
||||
nubusProvisioningDispatcher:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -479,7 +521,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "14", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
|
||||
tag: "0.45.1@sha256:0ba7867e68a3b76a9d094462d17c347839551f46548671c11688a22cc3315e6b"
|
||||
tag: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"
|
||||
nubusProvisioningEventsAndConsumerApi:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -489,7 +531,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "14", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
|
||||
tag: "0.45.1@sha256:9f9d38002da6a9a6f6dc6d08f73055c6636cf63c3c348d7c8830ea8dc20a7766"
|
||||
tag: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"
|
||||
nubusProvisioningPrefill:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -499,7 +541,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "14", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
|
||||
tag: "0.45.1@sha256:c38bb5c8591fb2fca74cbab742c897f194582c55151cae41bc029cbf64992f6a"
|
||||
tag: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"
|
||||
nubusProvisioningUdmListener:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -509,7 +551,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "14", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
|
||||
tag: "0.45.1@sha256:09a837ceca9a5f1f5812f8ae242a9427959db9cfa50563a62f6daba9b92ce63d"
|
||||
tag: "0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"
|
||||
nubusProvisioningUdmTransformer:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -519,7 +561,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "14", "0"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
|
||||
tag: "0.45.1@sha256:5fe7addb286230e185a9d688fdf0a4fa4a2602254412d50df340fde76d8adeba"
|
||||
tag: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"
|
||||
nubusSelfServiceConsumer:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -529,7 +571,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "3", "2"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
|
||||
tag: "0.12.2@sha256:99ec299e5a57a24f5dc9b437d6a66ae4afbbb23b66b09f7239acac0fd1399d03"
|
||||
tag: "0.12.3@sha256:8c20895767bb1972a3abb066ba8adc4034ce718b199fbe205a9ae67d5544a888"
|
||||
nubusUdmRestApi:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -549,7 +591,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "7", "3"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
|
||||
tag: "0.35.4@sha256:940b71bda766deb1325b2728845b669a61b511c3339976def588ec3488c69f77"
|
||||
tag: "0.35.5@sha256:f9a13261821de731f3c3a665aa128b16d7e48e6f3d79a9d4038f9667069542c8"
|
||||
nubusUmcServer:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -559,7 +601,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "7", "3"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
|
||||
tag: "0.35.4@sha256:5f6bed0b01df14eb5a8457a9109c1d87eb49c682ef818dc07c73009f7e7a0bdc"
|
||||
tag: "0.35.5@sha256:f81ce86b16f03d8c840c2f5f6d6814b8119caf2a08f0f01b0a5dab5a528d228a"
|
||||
nubusUmcServerProxy:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -586,16 +628,24 @@ images:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
|
||||
tag: "1.2.1@sha256:f5ce0be27580c6347c5e700c4fa271a811d45d8a0e4b40ffe8a4d0e3d47e670f"
|
||||
opendeskStaticFiles:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "Element"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "library/nginx"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/nginx"
|
||||
tag: "1.27.3-alpine3.20@sha256:41523187cf7d7a2f2677a80609d9caa14388bf5c1fbca9c410ba3de602aaaab4"
|
||||
openproject:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "OpenProject"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "openproject/open_desk"
|
||||
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?\d*$'
|
||||
# upstreamMirrorStartFrom: ["13", "1", "1"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
|
||||
tag: "15.1.0@sha256:3868e97f0694ec747f52a890dafb107f7664a9c3c615d61aaec287ed3afa3305"
|
||||
tag: "15.1.1@sha256:e64133498e00ec7b42aeedd064416df86ecfa1f2bf068cd7256de4e11cfccc49"
|
||||
openprojectBootstrap:
|
||||
# providerCategory: "Platform"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -783,7 +833,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["1", "91", "2"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
|
||||
tag: "v1.120.2@sha256:daee887fa4ca6370e297439bb33a61896ff3413c9454540446a94e461f097d33"
|
||||
tag: "v1.121.1@sha256:5d8081b6004eb115635334dbc1ec2f87318f19d5ad0e7c62f7476d4cc16de277"
|
||||
synapseCreateUser:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -791,7 +841,7 @@ images:
|
||||
# upstreamRepository: "alpine/k8s"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "alpine/k8s"
|
||||
tag: "1.31.3@sha256:77812543abe5649b286d5f0dc17a7dbaa4056433225f6f695150f329cb4b6803"
|
||||
tag: "1.32.0@sha256:6d49f7f37ae5f4c07bfe46edb44e3d3b6896974d1b87da76d8aa8d6e23b4d619"
|
||||
synapseGuestModule:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -817,7 +867,7 @@ images:
|
||||
# upstreamRepository: "library/nginx"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/nginx"
|
||||
tag: "1.27.0-bookworm@sha256:1445eb9c6dc5e9619346c836ef6fbd6a95092e4663f27dcfce116f051cdbd232"
|
||||
tag: "1.27.3-alpine3.20@sha256:41523187cf7d7a2f2677a80609d9caa14388bf5c1fbca9c410ba3de602aaaab4"
|
||||
xwiki:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "XWiki"
|
||||
@@ -827,5 +877,5 @@ images:
|
||||
# upstreamMirrorStartFrom: ["0", "12"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
|
||||
tag: "0.22-mariadb-jetty-alpine@sha256:ba29f44befc558c4a4d969f103b216c13a55194dbc532adc43567bee4943d65f"
|
||||
tag: "0.23-mariadb-jetty-alpine@sha256:d358212cc5c3addc4be02cfd0f2b08aa8b88399ac5848e152111f231356558da"
|
||||
...
|
||||
|
||||
@@ -23,6 +23,12 @@ objectstores:
|
||||
useSSL: true
|
||||
pathStyle: true
|
||||
port: 443
|
||||
notes:
|
||||
bucket: "notes"
|
||||
endpoint: ""
|
||||
secretKey: ""
|
||||
username: "notes_user"
|
||||
port: 443
|
||||
openproject:
|
||||
bucket: "openproject"
|
||||
directUploads: true
|
||||
|
||||
@@ -49,6 +49,9 @@ minio:
|
||||
nextcloud:
|
||||
enabled: true
|
||||
namespace: ~
|
||||
notes:
|
||||
enabled: false
|
||||
namespace: ~
|
||||
nubus:
|
||||
enabled: true
|
||||
namespace: ~
|
||||
@@ -67,6 +70,9 @@ postgresql:
|
||||
redis:
|
||||
enabled: true
|
||||
namespace: ~
|
||||
staticFiles:
|
||||
enabled: true
|
||||
namespace: ~
|
||||
xwiki:
|
||||
enabled: true
|
||||
namespace: ~
|
||||
@@ -81,4 +87,7 @@ elementAdmin:
|
||||
elementGroupsync:
|
||||
enabled: false
|
||||
namespace: ~
|
||||
collaboraController:
|
||||
enabled: false
|
||||
namespace: ~
|
||||
...
|
||||
|
||||
@@ -66,7 +66,6 @@ replicas:
|
||||
# -- scalable: true
|
||||
keycloak: 1
|
||||
# -- scalable: false
|
||||
# -- comment: Will be removed soon.
|
||||
oxConnector: 1
|
||||
# -- scalable: tbd
|
||||
umsGuardianAuthorizationApi: 1
|
||||
@@ -85,13 +84,14 @@ replicas:
|
||||
umsKeycloakExtensionsProxy: 1
|
||||
# -- scalable: tbd
|
||||
umsLdapNotifier: 1
|
||||
# -- scalable: false
|
||||
# -- comment: Experimental feature and not supported.
|
||||
# -- scalable: true
|
||||
# -- comment: Please find details on the following `umsLdapServer*` entries in the upstream documentation:
|
||||
# https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/configuration/ldap.html#directory-service-high-availability-and-scalability
|
||||
umsLdapServerPrimary: 1
|
||||
# -- scalable: true
|
||||
umsLdapServerSecondary: 1
|
||||
umsLdapServerSecondary: 0
|
||||
# -- scalable: true
|
||||
umsLdapServerProxy: 1
|
||||
umsLdapServerProxy: 0
|
||||
# -- scalable: tbd
|
||||
umsNotificationsApi: 1
|
||||
# -- scalable: true
|
||||
@@ -155,6 +155,10 @@ replicas:
|
||||
# -- scalable: true
|
||||
nextcloudExporter: 1
|
||||
|
||||
# -- component: openDesk Static Files
|
||||
# -- scalable: true
|
||||
opendeskStaticFiles: 1
|
||||
|
||||
# -- component: Project management (OpenProject)
|
||||
# -- scalable: true
|
||||
openprojectWeb: 1
|
||||
@@ -191,4 +195,12 @@ replicas:
|
||||
# -- component: Knowledge management (XWiki)
|
||||
# -- scalable: false
|
||||
xwiki: 1
|
||||
|
||||
# -- component: Note taking (Notes)
|
||||
# -- scalable: true
|
||||
notesBackend: 1
|
||||
# -- scalable: true
|
||||
notesFrontend: 1
|
||||
# -- scalable: true
|
||||
notesYProvider: 1
|
||||
...
|
||||
|
||||
@@ -106,6 +106,27 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "384Mi"
|
||||
notesBackend:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "768Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "512Mi"
|
||||
notesFrontend:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "32Mi"
|
||||
notesYProvider:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "128Mi"
|
||||
opendeskKeycloakBootstrap:
|
||||
limits:
|
||||
cpu: 99
|
||||
@@ -113,6 +134,13 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
opendeskStaticFiles:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "64Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "16Mi"
|
||||
umsKeycloak:
|
||||
limits:
|
||||
cpu: 99
|
||||
|
||||
@@ -7,22 +7,20 @@ SPDX-License-Identifier: Apache-2.0
|
||||
secrets:
|
||||
oxAppSuite:
|
||||
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
|
||||
migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
|
||||
basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
|
||||
cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
|
||||
sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
|
||||
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
|
||||
hzGroupPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "hz_group_password" | sha1sum | quote }}
|
||||
jolokiaPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "jolokia_password" | sha1sum | quote }}
|
||||
migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
|
||||
oxguardMC: {{ printf "MC%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "oxguardMC" | sha1sum | trunc 20 | b64enc) | quote }}
|
||||
oxguardRC: {{ printf "RC%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "oxguardRC" | sha1sum | trunc 20 | b64enc) | quote }}
|
||||
hzGroupPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "hz_group_password" | sha1sum | quote }}
|
||||
basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
|
||||
jolokiaPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "jolokia_password" | sha1sum | quote }}
|
||||
cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
|
||||
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
|
||||
sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
|
||||
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
|
||||
synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
|
||||
oxConnector:
|
||||
provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
|
||||
nubus:
|
||||
masterpassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
|
||||
ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
|
||||
ldapSearch:
|
||||
keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
|
||||
@@ -59,6 +57,7 @@ secrets:
|
||||
keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
|
||||
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
|
||||
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
|
||||
notesUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notes_user" | sha1sum | quote }}
|
||||
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
|
||||
umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
|
||||
umsGuardianManagementApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "guardianmanagementapi_user" | sha1sum | quote }}
|
||||
@@ -72,6 +71,7 @@ secrets:
|
||||
rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
|
||||
migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
|
||||
nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
|
||||
notesUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "notes_user" | sha1sum | quote) }}
|
||||
openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
|
||||
umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
|
||||
keycloak:
|
||||
@@ -86,6 +86,7 @@ secrets:
|
||||
xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum | quote }}
|
||||
as8oidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum | quote }}
|
||||
guardian: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "guardian_client_secret" | sha1sum | quote }}
|
||||
notes: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "notes_client_secret" | sha1sum | quote }}
|
||||
nextcloud:
|
||||
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
|
||||
metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
|
||||
@@ -121,4 +122,8 @@ secrets:
|
||||
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
|
||||
certificates:
|
||||
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "certificates" "password" | sha1sum | quote }}
|
||||
notes:
|
||||
djangoSecretKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "notes" "djangoSecretKey" | sha256sum | quote }}
|
||||
superuser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "notes" "superuser" | sha1sum | quote }}
|
||||
collaborationSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "notes" "collaborationSecret" | sha1sum | quote }}
|
||||
...
|
||||
|
||||
@@ -37,7 +37,11 @@ seLinuxOptions:
|
||||
nextcloud: ~
|
||||
nextcloudExporter: ~
|
||||
nextcloudManagement: ~
|
||||
notesBackend: ~
|
||||
notesFrontend: ~
|
||||
notesYProvider: ~
|
||||
opendeskKeycloakBootstrap: ~
|
||||
opendeskStaticFiles: ~
|
||||
openproject: ~
|
||||
openprojectBootstrap: ~
|
||||
openprojectDbInit: ~
|
||||
|
||||
9
helmfile/environments/default/technical.yaml.gotmpl
Normal file
9
helmfile/environments/default/technical.yaml.gotmpl
Normal file
@@ -0,0 +1,9 @@
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
technical:
|
||||
# Collabora related technical settings
|
||||
collabora:
|
||||
# Defines the value for the start parameter `-o:num_prespawn_children`
|
||||
numPrespawnChildren: 4
|
||||
...
|
||||
@@ -39,47 +39,72 @@ theme:
|
||||
## Define imagery
|
||||
#
|
||||
imagery:
|
||||
# Xwiki
|
||||
faviconSvgB64: {{ readFile "./../../files/theme/favicon.svg" | b64enc | quote }}
|
||||
faviconIcoB64: {{ readFile "./../../files/theme/favicon.ico" | b64enc | quote }}
|
||||
favicon16PngB64: {{ readFile "./../../files/theme/favicon16.png" | b64enc | quote }}
|
||||
favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
|
||||
logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}
|
||||
|
||||
# Jitsi
|
||||
logoHeaderInvertedSvgB64: {{ readFile "./../../files/theme/logoHeaderInverted.svg" | b64enc | quote }}
|
||||
|
||||
# Portal
|
||||
portalLogoBackgroundSvgB64: {{ readFile "./../../files/theme/empty.svg" | b64enc | quote }}
|
||||
portalWaitingSpinnerSvgB64: {{ readFile "./../../files/theme/portalWaitingSpinner.svg" | b64enc | quote }}
|
||||
chat:
|
||||
faviconIco: {{ readFile "./../../files/theme/chat/favicon.ico" | b64enc | quote }}
|
||||
|
||||
files:
|
||||
faviconIco: {{ readFile "./../../files/theme/files/favicon.ico" | b64enc | quote }}
|
||||
faviconPng: {{ readFile "./../../files/theme/files/favicon.png" | b64enc | quote }}
|
||||
|
||||
login:
|
||||
faviconIco: {{ readFile "./../../files/theme/login/favicon.ico" | b64enc | quote }}
|
||||
backgroundJpg: {{ readFile "./../../files/theme/login/background.jpg" | b64enc | quote }}
|
||||
logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}
|
||||
|
||||
groupware:
|
||||
faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
|
||||
faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
|
||||
|
||||
knowledge:
|
||||
faviconSvg: {{ readFile "./../../files/theme/knowledge/favicon.svg" | b64enc | quote }}
|
||||
faviconPng: {{ readFile "./../../files/theme/knowledge/favicon.png" | b64enc | quote }}
|
||||
|
||||
notes:
|
||||
faviconIco: {{ readFile "./../../files/theme/notes/favicon.ico" | b64enc | quote }}
|
||||
|
||||
portal:
|
||||
faviconIco: {{ readFile "./../../files/theme/portal/favicon.ico" | b64enc | quote }}
|
||||
waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc }}
|
||||
backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
|
||||
portalTiles:
|
||||
adminAnnouncement: {{ readFile "./../../files/portal-tiles/admin_announcement.svg" | b64enc | quote }}
|
||||
adminContext: {{ readFile "./../../files/portal-tiles/admin_context.svg" | b64enc | quote }}
|
||||
adminFunctionalmailbox: {{ readFile "./../../files/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
|
||||
adminGroup: {{ readFile "./../../files/portal-tiles/admin_group.svg" | b64enc | quote }}
|
||||
adminResource: {{ readFile "./../../files/portal-tiles/admin_resource.svg" | b64enc | quote }}
|
||||
adminUser: {{ readFile "./../../files/portal-tiles/admin_user.svg" | b64enc | quote }}
|
||||
anonymousLogin: {{ readFile "./../../files/portal-tiles/anonymous_login.svg" | b64enc | quote }}
|
||||
dummyCircle: {{ readFile "./../../files/portal-tiles/dummy_circle.svg" | b64enc | quote }}
|
||||
fileshareActivity: {{ readFile "./../../files/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
|
||||
fileshareDirectdocOdp: {{ readFile "./../../files/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
|
||||
fileshareDirectdocOds: {{ readFile "./../../files/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
|
||||
fileshareDirectdocOdt: {{ readFile "./../../files/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
|
||||
fileshareFiles: {{ readFile "./../../files/portal-tiles/fileshare_files.svg" | b64enc | quote }}
|
||||
groupwareCalendar: {{ readFile "./../../files/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
|
||||
groupwareContacts: {{ readFile "./../../files/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
|
||||
groupwareMail: {{ readFile "./../../files/portal-tiles/groupware_mail.svg" | b64enc | quote }}
|
||||
groupwareTasks: {{ readFile "./../../files/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
|
||||
managementKnowledge: {{ readFile "./../../files/portal-tiles/management_knowledge.svg" | b64enc | quote }}
|
||||
managementProject: {{ readFile "./../../files/portal-tiles/management_project.svg" | b64enc | quote }}
|
||||
realtimeCollaboration: {{ readFile "./../../files/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
|
||||
realtimeVideoconference: {{ readFile "./../../files/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
|
||||
selfserviceChangepassword: {{ readFile "./../../files/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
|
||||
selfserviceEditprofile: {{ readFile "./../../files/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
|
||||
selfserviceProtectaccount: {{ readFile "./../../files/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
|
||||
adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
|
||||
adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
|
||||
adminFunctionalmailbox: {{ readFile "./../../files/theme/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
|
||||
adminGroup: {{ readFile "./../../files/theme/portal-tiles/admin_group.svg" | b64enc | quote }}
|
||||
adminResource: {{ readFile "./../../files/theme/portal-tiles/admin_resource.svg" | b64enc | quote }}
|
||||
adminUser: {{ readFile "./../../files/theme/portal-tiles/admin_user.svg" | b64enc | quote }}
|
||||
anonymousLogin: {{ readFile "./../../files/theme/portal-tiles/anonymous_login.svg" | b64enc | quote }}
|
||||
dummyCircle: {{ readFile "./../../files/theme/portal-tiles/dummy_circle.svg" | b64enc | quote }}
|
||||
fileshareActivity: {{ readFile "./../../files/theme/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
|
||||
fileshareDirectdocOdp: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
|
||||
fileshareDirectdocOds: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
|
||||
fileshareDirectdocOdt: {{ readFile "./../../files/theme/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
|
||||
fileshareFiles: {{ readFile "./../../files/theme/portal-tiles/fileshare_files.svg" | b64enc | quote }}
|
||||
groupwareCalendar: {{ readFile "./../../files/theme/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
|
||||
groupwareContacts: {{ readFile "./../../files/theme/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
|
||||
groupwareMail: {{ readFile "./../../files/theme/portal-tiles/groupware_mail.svg" | b64enc | quote }}
|
||||
groupwareTasks: {{ readFile "./../../files/theme/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
|
||||
managementKnowledge: {{ readFile "./../../files/theme/portal-tiles/management_knowledge.svg" | b64enc | quote }}
|
||||
managementProject: {{ readFile "./../../files/theme/portal-tiles/management_project.svg" | b64enc | quote }}
|
||||
notes: {{ readFile "./../../files/theme/portal-tiles/misc_notes.svg" | b64enc | quote }}
|
||||
realtimeCollaboration: {{ readFile "./../../files/theme/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
|
||||
realtimeVideoconference: {{ readFile "./../../files/theme/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
|
||||
selfserviceChangepassword: {{ readFile "./../../files/theme/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
|
||||
selfserviceEditprofile: {{ readFile "./../../files/theme/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
|
||||
selfserviceProtectaccount: {{ readFile "./../../files/theme/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
|
||||
|
||||
projects:
|
||||
faviconSvg: {{ readFile "./../../files/theme/projects/favicon.svg" | b64enc | quote }}
|
||||
|
||||
videoconference:
|
||||
faviconSvg: {{ readFile "./../../files/theme/videoconference/favicon.svg" | b64enc | quote }}
|
||||
|
||||
## Where required define complete Stylesheets
|
||||
#
|
||||
styles:
|
||||
portalCss: {{ readFile "./../../files/theme/portalStylesheet.css" | b64enc }}
|
||||
portal:
|
||||
main: {{ readFile "./../../files/theme/portal/stylesheet.css" | b64enc }}
|
||||
...
|
||||
|
||||
BIN
helmfile/files/theme/_dev/red.ico
Normal file
BIN
helmfile/files/theme/_dev/red.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 70 B |
BIN
helmfile/files/theme/_dev/red.png
Normal file
BIN
helmfile/files/theme/_dev/red.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 72 B |
1
helmfile/files/theme/_dev/red.svg
Normal file
1
helmfile/files/theme/_dev/red.svg
Normal file
@@ -0,0 +1 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><rect width="100%" height="100%" fill="red"/></svg>
|
||||
|
After Width: | Height: | Size: 150 B |
BIN
helmfile/files/theme/chat/favicon.ico
Normal file
BIN
helmfile/files/theme/chat/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 66 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 2.7 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 513 B |
BIN
helmfile/files/theme/files/favicon.ico
Normal file
BIN
helmfile/files/theme/files/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
BIN
helmfile/files/theme/files/favicon.png
Normal file
BIN
helmfile/files/theme/files/favicon.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 1.2 KiB |
BIN
helmfile/files/theme/groupware/favicon.ico
Normal file
BIN
helmfile/files/theme/groupware/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
5
helmfile/files/theme/groupware/favicon.svg
Normal file
5
helmfile/files/theme/groupware/favicon.svg
Normal file
@@ -0,0 +1,5 @@
|
||||
<svg width="110" height="110" viewBox="0 0 110 110" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<rect width="110" height="110" rx="20" fill="white"/>
|
||||
<path d="M83.0501 33.75H26.8501L54.9501 54.75L83.0501 33.75Z" fill="#571EFA"/>
|
||||
<path d="M54.95 63.65L26.65 42.35V69.15C26.65 73.05 29.85 76.25 33.75 76.25H76.25C80.15 76.25 83.35 73.05 83.35 69.15V42.35C83.35 42.35 55.05 63.65 54.95 63.65Z" fill="#571EFA" fill-opacity="0.7"/>
|
||||
</svg>
|
||||
|
After Width: | Height: | Size: 438 B |
BIN
helmfile/files/theme/knowledge/favicon.png
Normal file
BIN
helmfile/files/theme/knowledge/favicon.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 1.5 KiB |
5
helmfile/files/theme/knowledge/favicon.svg
Normal file
5
helmfile/files/theme/knowledge/favicon.svg
Normal file
@@ -0,0 +1,5 @@
|
||||
<svg width="110" height="110" viewBox="0 0 110 110" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<rect width="110" height="110" rx="20" fill="white"/>
|
||||
<path d="M65.65 72.7C65.65 78.6 60.85 83.3 55.05 83.3C49.25 83.3 44.45 78.5 44.45 72.7V69.2H65.75V72.7H65.65Z" fill="#571EFA" fill-opacity="0.7"/>
|
||||
<path d="M55.05 26.7C43.35 26.7 33.75 36.2 33.75 48C33.75 53.5 35.85 58.4 39.25 62.2H70.85C74.25 58.4 76.25 53.5 76.25 48C76.25 36.3 66.75 26.7 54.95 26.7H55.05Z" fill="#571EFA"/>
|
||||
</svg>
|
||||
|
After Width: | Height: | Size: 488 B |
BIN
helmfile/files/theme/login/background.jpg
Normal file
BIN
helmfile/files/theme/login/background.jpg
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 100 KiB |
BIN
helmfile/files/theme/login/favicon.ico
Normal file
BIN
helmfile/files/theme/login/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
|
Before Width: | Height: | Size: 3.5 KiB After Width: | Height: | Size: 3.5 KiB |
BIN
helmfile/files/theme/notes/favicon.ico
Normal file
BIN
helmfile/files/theme/notes/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
|
Before Width: | Height: | Size: 732 B After Width: | Height: | Size: 732 B |
|
Before Width: | Height: | Size: 690 B After Width: | Height: | Size: 690 B |
|
Before Width: | Height: | Size: 615 B After Width: | Height: | Size: 615 B |
|
Before Width: | Height: | Size: 1.2 KiB After Width: | Height: | Size: 1.2 KiB |
|
Before Width: | Height: | Size: 399 B After Width: | Height: | Size: 399 B |
|
Before Width: | Height: | Size: 794 B After Width: | Height: | Size: 794 B |
|
Before Width: | Height: | Size: 707 B After Width: | Height: | Size: 707 B |
|
Before Width: | Height: | Size: 100 B After Width: | Height: | Size: 100 B |
|
Before Width: | Height: | Size: 518 B After Width: | Height: | Size: 518 B |
|
Before Width: | Height: | Size: 546 B After Width: | Height: | Size: 546 B |
|
Before Width: | Height: | Size: 566 B After Width: | Height: | Size: 566 B |
|
Before Width: | Height: | Size: 550 B After Width: | Height: | Size: 550 B |
|
Before Width: | Height: | Size: 501 B After Width: | Height: | Size: 501 B |
|
Before Width: | Height: | Size: 629 B After Width: | Height: | Size: 629 B |
|
Before Width: | Height: | Size: 585 B After Width: | Height: | Size: 585 B |
|
Before Width: | Height: | Size: 478 B After Width: | Height: | Size: 478 B |
|
Before Width: | Height: | Size: 526 B After Width: | Height: | Size: 526 B |
|
Before Width: | Height: | Size: 556 B After Width: | Height: | Size: 556 B |
|
Before Width: | Height: | Size: 565 B After Width: | Height: | Size: 565 B |
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user