mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-08 00:11:38 +01:00
Compare commits
24 Commits
trossner/f
...
54-issue-w
| Author | SHA1 | Date | |
|---|---|---|---|
|
f94e9c4930 | ||
|
|
5f9d015f0b | ||
|
|
7cc39647d8 | ||
|
|
8c97bcf994 | ||
|
|
5a39e8725b | ||
|
|
34d2c05959 | ||
|
|
42f63e3992 | ||
|
|
81105d1e94 | ||
|
|
a41ddd5451 | ||
|
|
8e889db63e | ||
|
|
5ebf291a4d | ||
|
|
d565c057dd | ||
|
|
50e263866b | ||
|
|
0fd4a26c71 | ||
|
|
0aa4cfb46f | ||
|
|
391d959630 | ||
|
|
9c32058fcc | ||
|
|
bc18724d70 | ||
|
|
011ad2cd6b | ||
|
|
ee99eefb72 | ||
|
|
a2b333b462 | ||
|
|
7ee9e47e82 | ||
|
|
d677ca5691 | ||
|
|
31e5cf317c |
@@ -1,4 +1,5 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
include:
|
||||
@@ -11,6 +12,7 @@ include:
|
||||
- local: "/.gitlab/generate/generate-docs.yml"
|
||||
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
|
||||
file: "gitlab/environments.yaml"
|
||||
ref: "main"
|
||||
- local: "/.gitlab/lint/lint-opendesk.yml"
|
||||
rules:
|
||||
- if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
|
||||
@@ -18,7 +20,7 @@ include:
|
||||
- when: "always"
|
||||
- local: "/.gitlab/lint/lint-kyverno.yml"
|
||||
rules:
|
||||
- if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
|
||||
- if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
|
||||
when: "never"
|
||||
- when: "always"
|
||||
|
||||
@@ -26,7 +28,6 @@ stages:
|
||||
- ".pre"
|
||||
- "scan"
|
||||
- "automr"
|
||||
- "renovate"
|
||||
- "lint"
|
||||
- "env-cleanup"
|
||||
- "env"
|
||||
@@ -42,14 +43,15 @@ variables:
|
||||
description: "The name of namespaces to deploy to."
|
||||
value: ""
|
||||
CLUSTER:
|
||||
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
||||
sovereign-workplace-env included above."
|
||||
description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
|
||||
repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
|
||||
${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
|
||||
value: "dev"
|
||||
MASTER_PASSWORD_WEB_VAR:
|
||||
description: "Optional: Provide a passphrase to be used for password generation."
|
||||
description: "Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets."
|
||||
value: ""
|
||||
ENV_STOP_BEFORE:
|
||||
description: "Stop environment/delete namespace for the deployment"
|
||||
description: "Stop environment/delete namespace for the deployment."
|
||||
value: "no"
|
||||
options:
|
||||
- "yes"
|
||||
@@ -132,12 +134,6 @@ variables:
|
||||
options:
|
||||
- "yes"
|
||||
- "no"
|
||||
RUN_RENOVATE:
|
||||
description: "Triggers the Renovate based check for dependency updates."
|
||||
value: "no"
|
||||
options:
|
||||
- "yes"
|
||||
- "no"
|
||||
RUN_TESTS:
|
||||
description: "Triggers execution of E2E-tests."
|
||||
value: "yes"
|
||||
@@ -458,7 +454,7 @@ avscan-prepare:
|
||||
$CI_PIPELINE_SOURCE =~ "push|merge_request_event"
|
||||
when: "always"
|
||||
- when: "never"
|
||||
image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
|
||||
image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
|
||||
script:
|
||||
- |
|
||||
cat << 'EOF' > dynamic-scans.yml
|
||||
@@ -543,19 +539,6 @@ reuse-linter:
|
||||
when: "never"
|
||||
- when: "always"
|
||||
|
||||
renovate:
|
||||
rules:
|
||||
- if: $RUN_RENOVATE == "yes"
|
||||
when: "on_success"
|
||||
image: "ghcr.io/renovatebot/renovate:37.59.7@sha256:a0dd48947ca03d9088ff7bfdcf689a5cc3c1eb9522d5ff87d14636b5ad60a3dc"
|
||||
variables:
|
||||
RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
|
||||
RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
|
||||
RENOVATE_LOG_FILE_LEVEL: "debug"
|
||||
script:
|
||||
- "renovate ${RENOVATE_EXTRA_FLAGS}"
|
||||
stage: "renovate"
|
||||
|
||||
generate-release-version:
|
||||
rules:
|
||||
- if: >
|
||||
@@ -585,7 +568,7 @@ release:
|
||||
- |
|
||||
echo -e "\n[INFO] Writing data to helm value file..."
|
||||
cat <<EOF >helmfile/environments/default/global.generated.yaml
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
global:
|
||||
|
||||
@@ -1,81 +0,0 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
# Platform type of repository
|
||||
platform: "gitlab"
|
||||
|
||||
# Enable oboarding merge request
|
||||
onboarding: false
|
||||
|
||||
# If set to true: keep repository data between runs instead of deleting the data
|
||||
persistRepoData: true
|
||||
|
||||
# Controls Renovate's behavior regarding repository config files such as renovate.json
|
||||
requireConfig: "ignored"
|
||||
|
||||
# List of Repositories
|
||||
# See: https://docs.renovatebot.com/configuration-options/
|
||||
repositories:
|
||||
- repository: ""
|
||||
# Prefix to use for all branch names created by renovate bot (default: "renovate/")
|
||||
branchPrefix: "renovate/"
|
||||
# Lowercase merge request and commit titles ("never" = leave titles untouched )
|
||||
commitMessageLowerCase: "never"
|
||||
# Commit scope to use if Semantic Commits are enabled (fix(<scope>)...)
|
||||
semanticCommitScope: "ci"
|
||||
# Commit type to use if Semantic Commits are enabled (default: "chore")
|
||||
semanticCommitType: "chore"
|
||||
# Include package files only within these defined paths
|
||||
includePaths:
|
||||
- "helmfile/environments/default/images.yaml"
|
||||
- "helmfile/environments/default/charts.yaml"
|
||||
customManagers:
|
||||
- customType: "regex"
|
||||
fileMatch:
|
||||
- "helmfile/environments/default/images.yaml"
|
||||
datasourceTemplate: "docker"
|
||||
matchStrings:
|
||||
- >
|
||||
# yamllint disable rule:line-length
|
||||
providerCategory: ["|']?(?<providerCategory>.+?)["|']?\n(?:.|\n|\r)+ registry: ["|']?(?<registryUrl>.+?)["|']?\n(?:.|\n|\r)+ repository: ["|']?(?<depName>.+?)["|']?\n(?:.|\n|\r)+ tag: ["|']?(?<currentValue>[^@]+)@(?<currentDigest>sha256:[a-f0-9]+)["|']
|
||||
- customType: "regex"
|
||||
fileMatch:
|
||||
- "helmfile/environments/default/charts.yaml"
|
||||
matchStrings:
|
||||
- >
|
||||
# yamllint disable rule:quoted-strings
|
||||
providerCategory: ["|']?(?<providerCategory>.+?)["|']?\n(?:.|\n|\r)+ registry: ["|']?(?<registryUrl>.+?)["|']?\n(?:.|\n|\r)+ repository: ["|']?(?<depName>.+?)["|']?\n(?:.|\n|\r)+ name: ["|']?(?<FIGURE_THAT_OUT>.+?)["|']?\n(?:.|\n|\r)+ version: ["|']?(?<currentValue>.+?)["|']?
|
||||
# Rules for matching packages
|
||||
packageRules:
|
||||
- matchDatasources: "docker"
|
||||
matchDepTypes:
|
||||
- "external"
|
||||
groupName: "external-dependencies"
|
||||
- matchDatasources: "docker"
|
||||
matchDepTypes:
|
||||
- "supplier"
|
||||
groupName: "supplier-dependencies"
|
||||
- matchDatasources: "docker"
|
||||
matchDepTypes:
|
||||
- "platform"
|
||||
groupName: "platform-dependencies"
|
||||
- matchDatasources: "helm"
|
||||
matchDepTypes:
|
||||
- "external"
|
||||
groupName: "external-dependencies"
|
||||
- matchDatasources: "helm"
|
||||
matchDepTypes:
|
||||
- "supplier"
|
||||
groupName: "supplier-dependencies"
|
||||
- matchDatasources: "helm"
|
||||
matchDepTypes:
|
||||
- "platform"
|
||||
groupName: "platform-dependencies"
|
||||
# Add merge request labels
|
||||
labels:
|
||||
- "renovate"
|
||||
- "dependencies"
|
||||
# Enable custom regex manager only
|
||||
enabledManagers:
|
||||
- "custom.regex"
|
||||
...
|
||||
47
CHANGELOG.md
47
CHANGELOG.md
@@ -1,3 +1,50 @@
|
||||
## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
|
||||
* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
|
||||
* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
|
||||
* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
|
||||
* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
|
||||
* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
|
||||
* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
|
||||
* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
|
||||
* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
|
||||
* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
|
||||
* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
|
||||
* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
|
||||
* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
|
||||
|
||||
## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Remove creation of release artefacts, use the `images.yaml` and `charts.yaml` in `./helmfile/environments/default` for information about the artefacts instead. ([ee99eef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee99eefb72d3207866ffd1b3bd21a36bd55ad288))
|
||||
* **collabora:** Bump image to 23.05.9.4.1 ([9c32058](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c32058fcc21a14e9e66a46064ea044402638920))
|
||||
* **docs:** Add development.md and refactor `images.yaml` and `charts.yaml` ([a2b333b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a2b333b46277a4bb86b75ca04edb64e69efff916))
|
||||
* **helmfile:** YAML handling of seLinuxOptions and align overall `toYaml` syntax ([011ad2c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/011ad2cd6bfe552e04a598452e8814d4d1029152))
|
||||
* **nextcloud:** Update images digests ([bc18724](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc18724d70ffff749d5192487944e62233cf4376))
|
||||
* **openproject:** Bump to 13.3.1 ([7ee9e47](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ee9e47e8269334294c80093a359b247d86f5d62))
|
||||
|
||||
## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
|
||||
* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
|
||||
* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
|
||||
* **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
|
||||
* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
|
||||
* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
|
||||
* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
|
||||
* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
|
||||
* **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
|
||||
* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
|
||||
|
||||
## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
|
||||
|
||||
|
||||
|
||||
10
README.md
10
README.md
@@ -1,5 +1,5 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
@@ -29,15 +29,15 @@ openDesk currently features the following functional main components:
|
||||
|
||||
| Function | Functional Component | Component<br/>Version | Upstream Documentation |
|
||||
| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Diagram editor | Cryptpad ft. diagrams.net | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
|
||||
| File management | Nextcloud | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
|
||||
| Groupware | OX Appsuite | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
|
||||
| Groupware | OX Appsuite | [8.22](https://documentation.open-xchange.com/appsuite/releases/8.22/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
|
||||
| Knowledge management | XWiki | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
|
||||
| Portal & IAM | Nubus | Product Preview[^1] | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
|
||||
| Project management | OpenProject | [13.3.1](https://www.openproject.org/docs/release-notes/13-3-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
|
||||
| Project management | OpenProject | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
|
||||
| Videoconferencing | Jitsi | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
|
||||
| Weboffice | Collabora | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
|
||||
| Weboffice | Collabora | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
|
||||
|
||||
While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
|
||||
align the applications with best practises regarding container design and operations.
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Components</h1>
|
||||
@@ -34,7 +35,6 @@ they need to be replaced in production deployments.
|
||||
| ClamAV (Simple) | Antivirus engine | Eval |
|
||||
| Collabora | Weboffice | Functional |
|
||||
| CryptPad | Weboffice | Functional |
|
||||
| Dovecot | Mail backend | Functional |
|
||||
| Element | Secure communications platform | Functional |
|
||||
| Intercom Service | Cross service data exchange | Functional |
|
||||
| Jitsi | Videoconferencing | Functional |
|
||||
@@ -44,7 +44,8 @@ they need to be replaced in production deployments.
|
||||
| Nextcloud | File share | Functional |
|
||||
| OpenProject | Project management | Functional |
|
||||
| OX Appsuite | Groupware | Functional |
|
||||
| Provisioning | Backend provisioning | Functional |
|
||||
| OX Dovecot | Mail backend (IMAP) | Functional |
|
||||
| Provisioning (OX Connector) | Groupware provisioning | Functional |
|
||||
| Postfix | MTA | Eval |
|
||||
| PostgreSQL | Database | Eval |
|
||||
| Redis | Cache Database | Eval |
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
@@ -32,7 +33,7 @@ flowchart TD
|
||||
D-->G[images.yaml]
|
||||
D-->H[global.*]
|
||||
D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
|
||||
A-->|overwrite defaults with\nyour environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
|
||||
A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
|
||||
```
|
||||
|
||||
The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
|
||||
@@ -96,13 +97,13 @@ Example:
|
||||
|
||||
## Renovate
|
||||
|
||||
- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/renovate-opencode
|
||||
Uses a regular expression to match the values of the following attributes:
|
||||
|
||||
Uses a regular expression to match the values of the attributes
|
||||
- `# upstreamRegistry`
|
||||
- `# upstreamRepository`
|
||||
- `registry`
|
||||
- `repository`
|
||||
- `tag`
|
||||
check for newer versions of the given artefact and create a MR containing the newest version's tag (and digest).
|
||||
|
||||
Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
|
||||
|
||||
## Mirroring
|
||||
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
@@ -139,17 +140,19 @@ As a standard, the openDesk platform development team uses [reuse.software](http
|
||||
|
||||
openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
|
||||
```
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
```
|
||||
As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).
|
||||
|
||||
**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
|
||||
|
||||
## Development workflow
|
||||
|
||||
### Disclaimer
|
||||
|
||||
openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
|
||||
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
|
||||
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
|
||||
- openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.
|
||||
|
||||
### Workflow
|
||||
@@ -225,22 +228,28 @@ gitGraph
|
||||
|
||||
The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.
|
||||
|
||||
1. Linting
|
||||
- Blocking
|
||||
- Licening: [reuse](https://github.com/fsfe/reuse-tool)
|
||||
- openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
|
||||
- Non Blocking
|
||||
- Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
|
||||
- Formal: Yaml
|
||||
1. Deploy the full openDesk stack from scratch:
|
||||
- All deployment steps must be successful (green)
|
||||
- All tests from the end-to-end test set must be successful
|
||||
2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
|
||||
1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
|
||||
- Deploy the current merge target baseline (`develop` or `main`)
|
||||
- Update deploy from your QA branch into the instance from the previous step
|
||||
3. No showstopper found regarding
|
||||
1. No showstopper found regarding
|
||||
- SBOM compliance[^4]
|
||||
- Malware check
|
||||
- CVE check[^5]
|
||||
- Kubescape scan[^5]
|
||||
- Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]
|
||||
|
||||
Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
|
||||
Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
|
||||
|
||||
Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
|
||||
Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
|
||||
@@ -126,7 +126,8 @@ securityContext:
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
- "MKNOD"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
...
|
||||
|
||||
@@ -70,7 +70,8 @@ securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 4001
|
||||
runAsGroup: 4001
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
|
||||
@@ -107,7 +107,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -35,6 +35,7 @@ securityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -35,7 +35,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
|
||||
|
||||
extraEnvVars:
|
||||
- name: "ACCESS_TOKEN"
|
||||
|
||||
@@ -18,7 +18,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -35,5 +35,6 @@ securityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
|
||||
...
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
|
||||
|
||||
extraEnvVars:
|
||||
- name: "UVS_ACCESS_TOKEN"
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -79,7 +79,8 @@ containerSecurityContext:
|
||||
runAsGroup: 10991
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -18,7 +18,8 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -23,7 +23,8 @@ containerSecurityContext:
|
||||
runAsUser: 1993
|
||||
runAsGroup: 1993
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
@@ -67,7 +68,6 @@ jitsi:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
@@ -75,7 +75,8 @@ jitsi:
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
|
||||
prosody:
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
|
||||
@@ -115,7 +116,6 @@ jitsi:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
@@ -123,7 +123,8 @@ jitsi:
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
|
||||
jicofo:
|
||||
replicaCount: {{ .Values.replicas.jicofo }}
|
||||
image:
|
||||
@@ -137,7 +138,6 @@ jitsi:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
@@ -145,7 +145,8 @@ jitsi:
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
|
||||
jvb:
|
||||
replicaCount: {{ .Values.replicas.jvb }}
|
||||
image:
|
||||
@@ -160,7 +161,6 @@ jitsi:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
@@ -168,7 +168,8 @@ jitsi:
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
|
||||
jibri:
|
||||
replicaCount: {{ .Values.replicas.jibri }}
|
||||
image:
|
||||
@@ -206,7 +207,8 @@ patchJVB:
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
|
||||
|
||||
@@ -95,7 +95,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
|
||||
|
||||
debug:
|
||||
loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
|
||||
|
||||
@@ -25,7 +25,8 @@ exporter:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
|
||||
repository: "{{ .Values.images.nextcloudExporter.repository }}"
|
||||
@@ -78,7 +79,8 @@ php:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
|
||||
cron:
|
||||
successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
|
||||
debug:
|
||||
@@ -118,7 +120,8 @@ apache2:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
|
||||
@@ -6,7 +6,7 @@ bases:
|
||||
---
|
||||
repositories:
|
||||
# openDesk Dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
|
||||
- name: "dovecot-repo"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.dovecot.verify }}
|
||||
@@ -18,6 +18,8 @@ repositories:
|
||||
|
||||
# Open-Xchange
|
||||
- name: "open-xchange-repo"
|
||||
keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
|
||||
verify: {{ .Values.charts.openXchangeAppSuite.verify }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
@@ -25,7 +27,7 @@ repositories:
|
||||
{{ .Values.charts.openXchangeAppSuite.repository }}"
|
||||
|
||||
# openDesk Open-Xchange Bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
|
||||
- name: "open-xchange-bootstrap-repo"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
|
||||
|
||||
@@ -66,7 +66,8 @@ containerSecurityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
|
||||
@@ -40,7 +40,8 @@ nextcloud-integration-ui:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
|
||||
|
||||
public-sector-ui:
|
||||
image:
|
||||
@@ -67,7 +68,8 @@ public-sector-ui:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
|
||||
|
||||
appsuite:
|
||||
appsuite-toolkit:
|
||||
@@ -131,7 +133,8 @@ appsuite:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
|
||||
hooks:
|
||||
beforeAppsuiteStart:
|
||||
create-guard-dir.sh: |
|
||||
@@ -356,7 +359,8 @@ appsuite:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
|
||||
|
||||
core-ui-middleware:
|
||||
enabled: true
|
||||
@@ -398,7 +402,8 @@ appsuite:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
|
||||
core-cacheservice:
|
||||
enabled: false
|
||||
|
||||
@@ -428,7 +433,8 @@ appsuite:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
|
||||
|
||||
core-documents-collaboration:
|
||||
enabled: false
|
||||
@@ -470,7 +476,8 @@ appsuite:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
|
||||
|
||||
core-imageconverter:
|
||||
enabled: true
|
||||
@@ -500,7 +507,8 @@ appsuite:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
|
||||
|
||||
guard-ui:
|
||||
enabled: true
|
||||
@@ -526,7 +534,8 @@ appsuite:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
|
||||
core-spellcheck:
|
||||
enabled: false
|
||||
|
||||
@@ -555,5 +564,6 @@ appsuite:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
|
||||
...
|
||||
|
||||
@@ -38,7 +38,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
|
||||
|
||||
@@ -20,7 +20,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
|
||||
|
||||
environment:
|
||||
# For more details and more options see
|
||||
|
||||
@@ -85,7 +85,8 @@ securityContext:
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
|
||||
@@ -15,7 +15,8 @@ clamd:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
|
||||
repository: {{ .Values.images.clamd.repository | quote }}
|
||||
@@ -41,7 +42,8 @@ containerSecurityContext:
|
||||
capabilities:
|
||||
drop: []
|
||||
privileged: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
|
||||
|
||||
freshclam:
|
||||
containerSecurityContext:
|
||||
@@ -57,7 +59,8 @@ freshclam:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
|
||||
repository: {{ .Values.images.freshclam.repository | quote }}
|
||||
@@ -89,7 +92,8 @@ icap:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
|
||||
repository: {{ .Values.images.icap.repository | quote }}
|
||||
@@ -117,7 +121,8 @@ milter:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
|
||||
repository: {{ .Values.images.milter.repository | quote }}
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -17,7 +17,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -16,7 +16,8 @@ containerSecurityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -29,7 +29,8 @@ containerSecurityContext:
|
||||
readOnlyRootFilesystem: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
|
||||
|
||||
defaultBuckets: "openproject,openxchange,ums,nextcloud"
|
||||
|
||||
|
||||
@@ -45,6 +45,10 @@ apps:
|
||||
xwiki:
|
||||
enabled: {{ .Values.xwiki.enabled }}
|
||||
|
||||
ingressController:
|
||||
{{ .Values.security.ingressController | toYaml | nindent 2 }}
|
||||
|
||||
|
||||
extraApps:
|
||||
clusterPostfix:
|
||||
enabled: {{ .Values.security.clusterPostfix.enabled }}
|
||||
|
||||
@@ -17,7 +17,8 @@ containerSecurityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
privileged: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -14,7 +14,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
|
||||
|
||||
job:
|
||||
|
||||
|
||||
@@ -30,7 +30,8 @@ master:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
|
||||
count: {{ .Values.replicas.redis }}
|
||||
persistence:
|
||||
size: {{ .Values.persistence.size.redis | quote }}
|
||||
|
||||
@@ -55,6 +55,7 @@ securityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -73,6 +73,7 @@ securityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -46,6 +46,7 @@ securityContext:
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -16,9 +16,6 @@ resources:
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
@@ -27,7 +24,8 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
|
||||
|
||||
volumes:
|
||||
claims:
|
||||
|
||||
@@ -23,65 +23,70 @@ extraVolumeMounts:
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
|
||||
subPath: "opendeskProjectmanagement.schema"
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
|
||||
repository: {{ .Values.images.umsLdapServer.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsLdapServer.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
extraSecrets:
|
||||
- name: ums-stack-openldap-credentials
|
||||
stringData:
|
||||
adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
|
||||
waitForDependency:
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
|
||||
|
||||
ldapServer:
|
||||
waitForSamlMetadata: true
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
|
||||
repository: {{ .Values.images.umsLdapServer.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsLdapServer.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
config:
|
||||
domainName: "univention-organization.intranet"
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
|
||||
samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
|
||||
samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
|
||||
credentialSecret:
|
||||
name: ums-stack-openldap-credentials
|
||||
key: adminPassword
|
||||
|
||||
persistence:
|
||||
sharedData:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
|
||||
sharedRun:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SETPCAP"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
|
||||
legacy:
|
||||
sharedRunSize: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
|
||||
|
||||
initResources:
|
||||
{{ .Values.resources.umsLdapServerInit | toYaml | nindent 2 }}
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 102
|
||||
fsGroupChangePolicy: "Always"
|
||||
sysctls:
|
||||
- name: "net.ipv4.ip_unprivileged_port_start"
|
||||
value: "1"
|
||||
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
runAsUser: 101
|
||||
runAsGroup: 102
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
...
|
||||
|
||||
@@ -28,6 +28,7 @@ postgresql:
|
||||
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
|
||||
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
|
||||
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
|
||||
existingSecret: "ums-notifications-api-postgresql-credentials"
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
|
||||
@@ -44,6 +45,11 @@ securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
|
||||
|
||||
extraSecrets:
|
||||
- name: ums-notifications-api-postgresql-credentials
|
||||
stringData:
|
||||
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
|
||||
...
|
||||
|
||||
@@ -46,6 +46,7 @@ securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -597,7 +597,8 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
|
||||
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
|
||||
|
||||
@@ -112,5 +112,6 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
|
||||
...
|
||||
|
||||
@@ -79,6 +79,7 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -21,41 +21,55 @@ portalServer:
|
||||
ucsInternalPath: "portal-data"
|
||||
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
||||
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
|
||||
objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
|
||||
objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
|
||||
centralNavigation:
|
||||
enabled: true
|
||||
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
|
||||
credentialSecret:
|
||||
name: "ums-portal-server-minio-credentials"
|
||||
|
||||
replicaCount: {{ .Values.replicas.umsPortalServer }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
|
||||
|
||||
securityContext:
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
sysctls:
|
||||
- name: "net.ipv4.ip_unprivileged_port_start"
|
||||
value: "1"
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SETPCAP"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
privileged: false
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
|
||||
extraSecrets:
|
||||
- name: ums-portal-server-minio-credentials
|
||||
stringData:
|
||||
accessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
|
||||
secretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
|
||||
- name: ums-portal-server-authenticator-credentials
|
||||
stringData:
|
||||
authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
|
||||
extraVolumes:
|
||||
- name: authenticator-secret
|
||||
secret:
|
||||
secretName: ums-portal-server-authenticator-credentials
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: authenticator-secret
|
||||
mountPath: "/var/secrets/authenticator.secret"
|
||||
subPath: "authenticator.secret"
|
||||
...
|
||||
|
||||
@@ -22,6 +22,11 @@ config:
|
||||
tlsMode: "off"
|
||||
natsHost: "ums-provisioning-nats"
|
||||
natsPort: "4222"
|
||||
natsUser: "udmlistener"
|
||||
natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
|
||||
internalApiHost: "ums-provisioning-api"
|
||||
eventsUsernameUdm: "udmproducer"
|
||||
eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
|
||||
|
||||
@@ -4,23 +4,6 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
|
||||
dispatcher:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
|
||||
repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
|
||||
config:
|
||||
UDM_HOST: "ums-udm-rest-api"
|
||||
UDM_PORT: 9979
|
||||
UDM_USERNAME: "cn=admin"
|
||||
|
||||
api:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
|
||||
@@ -35,6 +18,24 @@ api:
|
||||
rootPath: "/univention/provisioning-api"
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
|
||||
credentialSecretName: "ums-provisioning-api-credentials"
|
||||
|
||||
dispatcher:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
|
||||
repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
|
||||
config:
|
||||
UDM_HOST: "ums-udm-rest-api"
|
||||
UDM_PORT: 80
|
||||
credentialSecretName: "ums-provisioning-dispatcher-credentials"
|
||||
|
||||
prefill:
|
||||
image:
|
||||
@@ -48,13 +49,152 @@ prefill:
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
|
||||
config:
|
||||
UDM_HOST: "ums-udm-rest-api"
|
||||
UDM_PORT: 80
|
||||
credentialSecretName: "ums-provisioning-prefill-credentials"
|
||||
|
||||
nats:
|
||||
bundled: true
|
||||
affinity: ""
|
||||
nameOverride: ""
|
||||
bundled: true
|
||||
connection:
|
||||
host: "ums-provisioning-nats"
|
||||
port: 4222
|
||||
config:
|
||||
authorization:
|
||||
enabled: true
|
||||
users:
|
||||
- user: "$NATS_USER"
|
||||
password: "$NATS_PASSWORD"
|
||||
permissions:
|
||||
publish: ">"
|
||||
subscribe: ">"
|
||||
- user: "$NATS_API_USER"
|
||||
password: "$NATS_API_PASSWORD"
|
||||
permissions:
|
||||
publish: ">"
|
||||
subscribe: ">"
|
||||
- user: "$NATS_DISPATCHER_USER"
|
||||
password: "$NATS_DISPATCHER_PASSWORD"
|
||||
permissions:
|
||||
publish: ">"
|
||||
subscribe: ">"
|
||||
- user: "$NATS_PREFILL_USER"
|
||||
password: "$NATS_PREFILL_PASSWORD"
|
||||
permissions:
|
||||
publish: ">"
|
||||
subscribe: ">"
|
||||
- user: "$NATS_UDMLISTENER_USER"
|
||||
password: "$NATS_UDMLISTENER_PASSWORD"
|
||||
permissions:
|
||||
publish: ">"
|
||||
subscribe: ">"
|
||||
- user: "$NATS_ADMIN_USER"
|
||||
password: "$NATS_ADMIN_PASSWORD"
|
||||
permissions:
|
||||
publish: ">"
|
||||
subscribe: ">"
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
|
||||
|
||||
extraEnvVars:
|
||||
- name: NATS_USER
|
||||
value: "master_admin"
|
||||
- name: NATS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-nats-credentials
|
||||
key: admin_password
|
||||
- name: NATS_ADMIN_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-api-credentials
|
||||
key: ADMIN_NATS_USER
|
||||
- name: NATS_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-api-credentials
|
||||
key: ADMIN_NATS_PASSWORD
|
||||
- name: NATS_API_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-api-credentials
|
||||
key: NATS_USER
|
||||
- name: NATS_API_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-api-credentials
|
||||
key: NATS_PASSWORD
|
||||
- name: NATS_DISPATCHER_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-dispatcher-credentials
|
||||
key: NATS_USER
|
||||
- name: NATS_DISPATCHER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-dispatcher-credentials
|
||||
key: NATS_PASSWORD
|
||||
- name: NATS_PREFILL_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-prefill-credentials
|
||||
key: NATS_USER
|
||||
- name: NATS_PREFILL_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-prefill-credentials
|
||||
key: NATS_PASSWORD
|
||||
- name: NATS_UDMLISTENER_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-udmlistener-credentials
|
||||
key: NATS_USER
|
||||
- name: NATS_UDMLISTENER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ums-provisioning-udmlistener-credentials
|
||||
key: NATS_PASSWORD
|
||||
|
||||
extraSecrets:
|
||||
- name: ums-provisioning-nats-credentials
|
||||
stringData:
|
||||
admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
|
||||
- name: ums-provisioning-api-credentials
|
||||
stringData:
|
||||
NATS_USER: "api"
|
||||
NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
|
||||
ADMIN_NATS_USER: "admin"
|
||||
ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
|
||||
UDM_HOST: "udm-rest-api"
|
||||
ADMIN_USERNAME: "admin"
|
||||
ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
|
||||
DISPATCHER_USERNAME: "dispatcher"
|
||||
DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
|
||||
PREFILL_USERNAME: "prefill"
|
||||
PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
|
||||
EVENTS_USERNAME_UDM: "udmproducer"
|
||||
EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
|
||||
- name: ums-provisioning-dispatcher-credentials
|
||||
stringData:
|
||||
NATS_USER: "dispatcher"
|
||||
NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
|
||||
DISPATCHER_USERNAME: "dispatcher"
|
||||
DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
|
||||
- name: ums-provisioning-prefill-credentials
|
||||
stringData:
|
||||
NATS_USER: "prefill"
|
||||
NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
|
||||
UDM_USERNAME: "cn=admin"
|
||||
UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
PREFILL_USERNAME: "prefill"
|
||||
PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
|
||||
- name: ums-provisioning-udmlistener-credentials
|
||||
stringData:
|
||||
NATS_USER: "udmlistener"
|
||||
NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
|
||||
@@ -73,6 +73,7 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -29,7 +29,8 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
|
||||
|
||||
stackDataContext:
|
||||
ldapBase: "dc=swp-ldap,dc=internal"
|
||||
|
||||
@@ -29,7 +29,8 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
|
||||
|
||||
stackDataContext:
|
||||
idpSamlMetadataUrlInternal: null
|
||||
@@ -48,6 +49,10 @@ stackDataContext:
|
||||
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
|
||||
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
|
||||
initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
|
||||
umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
|
||||
umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
|
||||
umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
|
||||
umcMemcachedUsername: "selfservice"
|
||||
|
||||
stackDataUms:
|
||||
loadDevData: true
|
||||
|
||||
@@ -53,7 +53,8 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
|
||||
|
||||
storeDav:
|
||||
auth:
|
||||
|
||||
@@ -14,53 +14,51 @@ extraVolumeMounts:
|
||||
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
|
||||
subPath: "flag_to_group_mapping.json"
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
|
||||
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
|
||||
|
||||
initResources:
|
||||
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 2 }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
|
||||
|
||||
securityContext:
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SETPCAP"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
privileged: false
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
udmRestApi:
|
||||
# TODO: Stub value currently
|
||||
caCert: ""
|
||||
# TODO: Secret should be entered without b64enc
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||
# TODO: Secret should be entered without b64enc
|
||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||
secretRef: ums-udm-rest-api-credentials
|
||||
ldap:
|
||||
uri: "ldap://{{ .Values.ldap.host }}:389"
|
||||
baseDN: {{ .Values.ldap.baseDn | quote }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
|
||||
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
extraSecrets:
|
||||
- name: ums-udm-rest-api-credentials
|
||||
stringData:
|
||||
ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
|
||||
...
|
||||
|
||||
@@ -58,6 +58,7 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -53,7 +53,8 @@ memcached:
|
||||
bundled: false
|
||||
auth:
|
||||
username: null
|
||||
password: null
|
||||
# This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
|
||||
password: "password"
|
||||
server: {{ .Values.cache.umsSelfservice.host | quote }}
|
||||
|
||||
postgresql:
|
||||
@@ -94,14 +95,16 @@ securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
|
||||
|
||||
umcServer:
|
||||
certPemFile: "/var/secrets/ssl/tls.crt"
|
||||
# TODO: Secret should be entered without b64enc
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||
# TODO: Secret should be entered without b64enc
|
||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||
caCert: "Cg=="
|
||||
certPem: "Cg=="
|
||||
privateKey: "Cg=="
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
smtpSecret: {{ .Values.smtp.password | quote }}
|
||||
privateKeyFile: "/var/secrets/ssl/tls.key"
|
||||
|
||||
|
||||
@@ -66,7 +66,8 @@ containerSecurityContext:
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
|
||||
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
|
||||
|
||||
@@ -48,7 +48,8 @@ handler:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
|
||||
postgresql:
|
||||
@@ -103,7 +104,8 @@ proxy:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
|
||||
...
|
||||
|
||||
@@ -44,7 +44,8 @@ containerSecurityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
|
||||
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
|
||||
@@ -45,7 +45,8 @@ containerSecurityContext:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
@@ -36,7 +36,8 @@ containerSecurityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
|
||||
|
||||
customConfigs:
|
||||
xwiki.cfg:
|
||||
|
||||
@@ -1,5 +1,9 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# Please read the /docs/development.md for information about structure and annotations used in this file.
|
||||
# yamllint disable rule:line-length
|
||||
---
|
||||
charts:
|
||||
certificates:
|
||||
@@ -20,7 +24,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
|
||||
name: "opendesk-clamav"
|
||||
version: "4.0.1"
|
||||
version: "4.0.5"
|
||||
verify: true
|
||||
clamavSimple:
|
||||
# providerCategory: 'Platform'
|
||||
@@ -30,7 +34,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
|
||||
name: "clamav-simple"
|
||||
version: "4.0.1"
|
||||
version: "4.0.5"
|
||||
verify: true
|
||||
collabora:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -270,7 +274,8 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
|
||||
name: "appsuite-public-sector"
|
||||
version: "2.2.37"
|
||||
version: "2.4.49"
|
||||
verify: false
|
||||
openXchangeAppSuiteBootstrap:
|
||||
# providerCategory: 'Platform'
|
||||
# providerResponsible: 'openDesk'
|
||||
@@ -289,7 +294,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
|
||||
name: "opendesk-otterize"
|
||||
version: "1.7.5"
|
||||
version: "1.7.9"
|
||||
verify: true
|
||||
oxConnector:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -363,6 +368,18 @@ charts:
|
||||
name: "opendesk-synapse-web"
|
||||
version: "2.6.7"
|
||||
verify: true
|
||||
ums:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
# upstreamRegistry: 'registry.souvap-univention.de'
|
||||
# upstreamRepository: 'souvap/tooling/charts/univention/ums'
|
||||
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# upstreamMirrorStartFrom: ['0', '0', '1']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "ums"
|
||||
version: "0.7.5"
|
||||
verify: true
|
||||
umsGuardianAuthorizationApi:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -445,7 +462,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "ldap-notifier"
|
||||
version: "0.8.2"
|
||||
version: "0.10.1"
|
||||
verify: true
|
||||
umsLdapServer:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -457,7 +474,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "ldap-server"
|
||||
version: "0.8.2"
|
||||
version: "0.10.1"
|
||||
verify: true
|
||||
umsNotificationsApi:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -469,7 +486,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "notifications-api"
|
||||
version: "0.9.2"
|
||||
version: "0.20.1"
|
||||
verify: true
|
||||
umsOpenPolicyAgent:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -493,7 +510,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "portal-frontend"
|
||||
version: "0.14.0"
|
||||
version: "0.20.1"
|
||||
verify: true
|
||||
umsPortalListener:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -505,7 +522,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "portal-listener"
|
||||
version: "0.14.0"
|
||||
version: "0.20.1"
|
||||
verify: true
|
||||
umsPortalServer:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -517,7 +534,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "portal-server"
|
||||
version: "0.14.0"
|
||||
version: "0.20.1"
|
||||
verify: true
|
||||
umsProvisioning:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -529,7 +546,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "provisioning"
|
||||
version: "0.14.0"
|
||||
version: "0.20.2"
|
||||
verify: true
|
||||
umsProvisioningUdmListener:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -541,7 +558,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "udm-listener"
|
||||
version: "0.14.0"
|
||||
version: "0.20.2"
|
||||
verify: true
|
||||
umsSelfserviceListener:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -565,7 +582,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "stack-data-swp"
|
||||
version: "0.44.0"
|
||||
version: "0.45.1"
|
||||
verify: true
|
||||
umsStackDataUms:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -577,7 +594,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "stack-data-ums"
|
||||
version: "0.44.0"
|
||||
version: "0.45.1"
|
||||
verify: true
|
||||
umsUdmRestApi:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -589,7 +606,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "udm-rest-api"
|
||||
version: "0.5.2"
|
||||
version: "0.9.0"
|
||||
verify: true
|
||||
umsUmcGateway:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -601,7 +618,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "umc-gateway"
|
||||
version: "0.6.4"
|
||||
version: "0.11.2"
|
||||
verify: true
|
||||
umsUmcServer:
|
||||
# providerCategory: 'Supplier'
|
||||
@@ -613,7 +630,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "umc-server"
|
||||
version: "0.6.4"
|
||||
version: "0.11.2"
|
||||
verify: true
|
||||
xwiki:
|
||||
# providerCategory: 'Supplier'
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
global:
|
||||
systemInformation:
|
||||
releaseVersion: "v0.5.78"
|
||||
releaseVersion: "v0.5.81"
|
||||
...
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
## The global properties are used to configure multiple charts at once.
|
||||
@@ -9,9 +10,7 @@ global:
|
||||
hosts:
|
||||
collabora: "collabora"
|
||||
cryptpad: "cryptpad"
|
||||
dimension: "integration"
|
||||
element: "chat"
|
||||
etherpad: "etherpad"
|
||||
intercomService: "ics"
|
||||
jitsi: "meet"
|
||||
keycloak: "id"
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# Please read the /docs/development.md for information about structure and annotations used in this file.
|
||||
---
|
||||
images:
|
||||
clamd:
|
||||
@@ -17,7 +19,7 @@ images:
|
||||
# upstreamRepository: 'bmi/opendesk/components/supplier/collabora/images'
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
|
||||
tag: "23.05.9.2.1@sha256:4cdf38a73cfa8771d8184137525511a887cd5eab9e75ed894cee9cf1006d95eb"
|
||||
tag: "23.05.9.4.1@sha256:a7da0616002c7ae79ac91ed24a09471119c38741f99097866a775a94a071b945"
|
||||
cryptpad:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'XWiki'
|
||||
@@ -44,7 +46,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['1', '8', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
|
||||
tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
|
||||
tag: "1.11.0@sha256:633cc31a4c312cdb072136247ac382463ddbc458a5c57e139241394acee9baaf"
|
||||
freshclam:
|
||||
# providerCategory: 'Community'
|
||||
# providerResponsible: 'openDesk'
|
||||
@@ -146,7 +148,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['1', '4', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
|
||||
tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
|
||||
tag: "1.14.0@sha256:1a00f33ed5f560e55b06011b2f81696fd8230820f6980edb826768af0e0b41d9"
|
||||
matrixNeoChoiceWidget:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Nordeck'
|
||||
@@ -218,7 +220,7 @@ images:
|
||||
# upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2'
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
|
||||
tag: "1.1.15@sha256:f8a2a08c44ad9f4941e34a5efb1010918e52df8ce0866848a00810ad34279a2e"
|
||||
tag: "1.1.18@sha256:234e1c4267006bf3ae8294e88da7de14291b9f80b53572490377f3e7ec80adec"
|
||||
nextcloudExporter:
|
||||
# providerCategory: 'Platform'
|
||||
# providerResponsible: 'openDesk'
|
||||
@@ -234,7 +236,7 @@ images:
|
||||
# upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management'
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
|
||||
tag: "1.3.5@sha256:790647d3424ab41cab1b0a7114a7737615b1772269699f9c3bcb078cba70d685"
|
||||
tag: "1.3.9@sha256:7c5065ae5397973825aabd695d81085918e4ad4e67f7cafbf08de1159adbba5e"
|
||||
nextcloudPHP:
|
||||
# providerCategory: 'Platform'
|
||||
# providerResponsible: 'openDesk'
|
||||
@@ -242,7 +244,7 @@ images:
|
||||
# upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php'
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
|
||||
tag: "1.8.4@sha256:d51ca3e22a493d6dd625cf9bfa40f96481ba36894a9d3eed1e082eadaef72c5c"
|
||||
tag: "1.8.8@sha256:c4fdc1917fecd945de4d7379cb2ad906dfc6d4d54ec437862a209237d668ac59"
|
||||
opendeskKeycloakBootstrap:
|
||||
# providerCategory: 'Platform'
|
||||
# providerResponsible: 'openDesk'
|
||||
@@ -260,7 +262,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['13', '1', '1']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
|
||||
tag: "13.3.1@sha256:7e5a2cbd3d9f2db65e977797c0f7669b83f8e1b21bf0687ee20d19cbd1b55b7a"
|
||||
tag: "13.4.1@sha256:b72d3e841fa4da03fc284e0ef7c56e763a9b04188f4219e527d9de93ccc49fe3"
|
||||
openprojectBootstrap:
|
||||
# providerCategory: 'Platform'
|
||||
# providerResponsible: 'openDesk'
|
||||
@@ -294,7 +296,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['8', '6', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
|
||||
tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
|
||||
tag: "8.6.3@sha256:6fb8169cba4beb4bd9039f4ce7ab9b29fc02c4991b283824db949fe2b7be34e2"
|
||||
openxchangeCoreMW:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -304,7 +306,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['8', '20', '51']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
|
||||
tag: "8.20.51@sha256:4a9cc9d6745b09a9ace2475fbbacfeff2ca66db02b6314eb8e035f28e28574a8"
|
||||
tag: "8.22.52@sha256:dab45b0e308b8d5c6c5cb5ec5be9d711f55e7aa87375c4b08ab178287bb7b769"
|
||||
openxchangeCoreUI:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -314,7 +316,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['8', '20', '1']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
|
||||
tag: "8.20.1@sha256:a8bdf83b1179ca9126bcd4e5301b818aafec5e8ac6ff25914603d74a137b65dc"
|
||||
tag: "8.22.1@sha256:4b581d8fb3761156a5dd81a2cebc1c7a0382652d01ba6ee933527f9899b41768"
|
||||
openxchangeCoreUIMiddleware:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -324,7 +326,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['2', '0', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
|
||||
tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
|
||||
tag: "2.0.2@sha256:eafcc0242b3fd93a777077c136b9e87fe03b163988731c15f0d3cd2ba39a2165"
|
||||
openxchangeCoreUserGuide:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -334,7 +336,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['8', '20', '799279']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
|
||||
tag: "8.20.799279@sha256:075c917a7e5ebfe57c07c3c21485ee672554616252d5c57f829f443ca987e75b"
|
||||
tag: "8.22.909960@sha256:dbd3f3a37c2d0a2885234cee53d79bf69015392c1381433c008694b4b99ddf30"
|
||||
openxchangeDocumentConverter:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -344,17 +346,17 @@ images:
|
||||
# upstreamMirrorStartFrom: ['8', '20', '50']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
|
||||
tag: "8.20.50@sha256:bd11b4e5a62377aab79ebc0ebbe8da0bf54d42ce9a8ae64db0c84608570edf9f"
|
||||
tag: "8.22.49@sha256:21ab0b52fa54fb5be969c4c689e4b7724b7bf9ee79b1bf166ab27d8c67e3a6b6"
|
||||
openxchangeGotenberg:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
# upstreamRegistry: 'registry.open-xchange.com'
|
||||
# upstreamRepository: 'appsuite-public-sector/3rdparty/gotenberg'
|
||||
# upstreamRepository: 'appsuite-public-sector/gotenberg'
|
||||
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# upstreamMirrorStartFrom: ['7', '9', '2']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
|
||||
tag: "8.0.3@sha256:1f4979e8cfde1c69f28c24604d19b3a11cf95c59b2a73db957c5af0a27a30ce8"
|
||||
tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
|
||||
openxchangeGuardUI:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -364,7 +366,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['4', '2', '2']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
|
||||
tag: "4.2.2@sha256:c2ff375fa3dc359c555570f5216a5451966d9b7165934980acb1bf60363b59c8"
|
||||
tag: "8.22.0@sha256:89c18129a2bdffe24587494e96ad12e95c01c25cd7a6a7b177afc75fec70415c"
|
||||
openxchangeImageConverter:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -374,7 +376,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['8', '20', '50']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
|
||||
tag: "8.20.50@sha256:590a8a4c583057f6bb071247c2f8b8566c79d5d219482dcaa452b30c944c876b"
|
||||
tag: "8.22.49@sha256:42841719c515b21f5d6e18296116fe690ac63f82f5acfa877652c2639911f127"
|
||||
openxchangeNextcloudIntegrationUI:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Open-Xchange'
|
||||
@@ -394,7 +396,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['2', '2', '1']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
|
||||
tag: "2.2.1@sha256:cf5dc3754dfdf41844f619b0c3178d0406de3ce8dd51317ed706cb329d338fc8"
|
||||
tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
|
||||
oxConnector:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -564,7 +566,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '8', '2']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
|
||||
tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
|
||||
tag: "0.10.1@sha256:940eb9c20c53f90aa477699c0393242a7064d974a856d714ad151069e8d12af4"
|
||||
umsLdapServer:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -574,7 +576,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '8', '2']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
|
||||
tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
|
||||
tag: "0.10.1@sha256:5ae54faec6074c4653ef837158262dd6e7b7ff414f8d8722e35f929543a6a6ef"
|
||||
umsNotificationsApi:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -584,7 +586,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '9', '4']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
|
||||
tag: "0.9.4@sha256:f058398d68c38039bb168af6d60d016f66fffde83a02f0b8f62124ebf2fed4d9"
|
||||
tag: "0.20.1@sha256:c1176da0ecd3d964b7caaea0d9e583d7644c7a7dbdb08c0ecd85df88e0f27321"
|
||||
umsOpenPolicyAgent:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -604,7 +606,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '9', '4']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
|
||||
tag: "0.19.0@sha256:7c80f703faf720da159c405a140c1029fd8c12def61653737e2a772982012d5c"
|
||||
tag: "0.20.1@sha256:fc7d1d7b22b83037ac6d54b2cc1baaefc78175cdc86557cfc121eda469832b59"
|
||||
umsPortalListener:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -614,7 +616,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '9', '4']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
|
||||
tag: "0.19.0@sha256:7fff6db5151b9aecffdfcd429b6eefb36a96ca14c5384183aa4246b5c0c8b133"
|
||||
tag: "0.20.1@sha256:e93f256f736223edceaac50831cee062b4b8fee0a46f27175e6ea0c506620358"
|
||||
umsPortalServer:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -624,7 +626,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '9', '4']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
|
||||
tag: "0.19.0@sha256:9a19e3a0990fba1dd2cdb1fd96ab53dcfba23717291ca1b0c87d8ed19b4c2c46"
|
||||
tag: "0.20.1@sha256:db5d79b64dc1b8678401d32a1a695b217d7677e7578738f0eec90467c7b5ae05"
|
||||
umsProvisioningDispatcher:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -634,7 +636,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '14', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
|
||||
tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
|
||||
tag: "0.20.2@sha256:738a8a6028ede63d22369ec58ac4834a0b34445cac216cb9475c24ccb1eaed1e"
|
||||
umsProvisioningEventsAndConsumerApi:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -644,7 +646,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '14', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
|
||||
tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
|
||||
tag: "0.20.2@sha256:46523693c84e5e6639e9762a43b1dbfa98954391da268c70a152b76e26d9c6c2"
|
||||
umsProvisioningPrefill:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -654,7 +656,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '14', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
|
||||
tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
|
||||
tag: "0.20.2@sha256:47143e4a3bb68c814dd7017b273b138c061a5bbb0f7e71c32ba45b2c15f1d831"
|
||||
umsProvisioningUdmListener:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -664,7 +666,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '14', '0']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
|
||||
tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
|
||||
tag: "0.20.2@sha256:011c73748fb406ad68e35be683da79429b420e1e42a39733b342632eb3efec2d"
|
||||
umsSelfserviceInvitation:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -702,7 +704,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '5', '2']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
|
||||
tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
|
||||
tag: "0.9.0@sha256:f5589a1a885e9f96d98304148bac5a40dfd4350ee40205a29b8798b29ae0a7db"
|
||||
umsUmcGateway:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -712,7 +714,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '7', '3']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
|
||||
tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
|
||||
tag: "0.11.2@sha256:13edaa88ded4b3389ef36d0215ad19ea093ae962f8de9b4b178550e02de06277"
|
||||
umsUmcServer:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -722,7 +724,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '7', '3']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
|
||||
tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
|
||||
tag: "0.11.2@sha256:866b8c3d2845653c68316458d7a24901b0493d2e2b83d50e0932adc42cda1706"
|
||||
umsWaitForDependency:
|
||||
# providerCategory: 'Supplier'
|
||||
# providerResponsible: 'Univention'
|
||||
@@ -732,7 +734,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ['0', '9', '4']
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
|
||||
tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
|
||||
tag: "0.20.1@sha256:8b3d7195223de10ce6ac2649a363eed073dad9bb277c0d8d2d1c0f1613e0d5a7"
|
||||
wellKnown:
|
||||
# providerCategory: 'Community'
|
||||
# providerResponsible: 'Element'
|
||||
|
||||
@@ -396,6 +396,13 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
umsLdapServerInit:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
umsNotificationsApi:
|
||||
limits:
|
||||
cpu: 99
|
||||
@@ -501,6 +508,13 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
umsUdmRestApiInit:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
umsUmcGateway:
|
||||
limits:
|
||||
cpu: 99
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
@@ -29,6 +30,21 @@ secrets:
|
||||
storeDavUsers:
|
||||
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
|
||||
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
|
||||
provisioning:
|
||||
apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
|
||||
apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
|
||||
apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
|
||||
dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
|
||||
prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
|
||||
prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
|
||||
udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
|
||||
dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
|
||||
dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
|
||||
udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
|
||||
udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
|
||||
nats:
|
||||
natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
|
||||
|
||||
postgresql:
|
||||
postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
|
||||
keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
|
||||
@@ -77,10 +93,8 @@ secrets:
|
||||
jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
|
||||
jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
|
||||
jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
|
||||
etherpad:
|
||||
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
|
||||
whiteboard:
|
||||
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
|
||||
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
|
||||
centralnavigation:
|
||||
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
|
||||
redis:
|
||||
|
||||
@@ -7,4 +7,9 @@ security:
|
||||
clusterPostfix:
|
||||
enabled: false
|
||||
namespace: ""
|
||||
ingressController:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: "ingress-nginx"
|
||||
namespace: "ingress-nginx"
|
||||
...
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
---
|
||||
seLinuxOptions:
|
||||
clamavSimple: ~
|
||||
clamav: ~
|
||||
clamd: ~
|
||||
collabora: ~
|
||||
cryptpad: ~
|
||||
|
||||
Reference in New Issue
Block a user