sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.1.2
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
...
compare: sheppy:v0.5.22
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

206 Commits
v0.1.2 ... v0.5.22

Author SHA1 Message Date
openDesk
9e54299917 chore(release): 0.5.22 [skip ci] 
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)

### Bug Fixes

* **openproject:** Nextcloud integration within K8s instances ([d249d0e](d249d0e3ce))
 2023-10-31 14:04:35 +00:00
Oliver Günther
d249d0e3ce fix(openproject): Nextcloud integration within K8s instances 2023-10-31 14:02:40 +00:00
Thorsten Roßner
fbe7de3c56 chore(release): 0.5.21 [skip ci] 
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)

### Bug Fixes

* **helmfile:** Deinstall components if disabled ([7feaadf](7feaadf7f8))
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](034e98c850))
 2023-10-30 17:01:00 +00:00
Martin Müller
034e98c850 fix(helmfile): Put enviroments in first document inside of a yaml 
see: https://helmfile.readthedocs.io/en/latest/#environment
 2023-10-30 17:55:26 +01:00
Martin Müller
7feaadf7f8 fix(helmfile): Deinstall components if disabled 2023-10-30 17:42:35 +01:00
Thorsten Roßner
a7fef3afff chore(release): 0.5.20 [skip ci] 
## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)

### Bug Fixes

* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](5d01f8ca46))
 2023-10-30 15:41:11 +00:00
Thorsten Rossner
5d01f8ca46 fix(helmfile): Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi 2023-10-30 15:38:48 +00:00
Thorsten Roßner
7093022ec4 chore(release): 0.5.19 [skip ci] 
## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)

### Bug Fixes

* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](2313f75dbe))
 2023-10-30 14:46:49 +00:00
Milton Moura
2313f75dbe fix(element): Update Element Web and Nordeck Widgets to latest releases 2023-10-30 14:43:46 +00:00
Thorsten Roßner
af9caea726 chore(release): 0.5.18 [skip ci] 
## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)

### Bug Fixes

* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](b39986907c))
 2023-10-28 04:51:22 +00:00
Thomas Kaltenbrunner
b39986907c fix(xwiki): Switch to Alpine/Jetty slim image 2023-10-28 04:49:31 +00:00
Thorsten Roßner
a02d7c6085 chore(release): 0.5.17 [skip ci] 
## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)

### Bug Fixes

* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](a046deaf17))
 2023-10-28 04:30:26 +00:00
Thomas Kaltenbrunner
a046deaf17 fix(nextcloud): Update swp_integration app and prepare CryptPad integration 2023-10-28 04:28:48 +00:00
Thorsten Roßner
c76e960446 chore(release): 0.5.16 [skip ci] 
## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)

### Bug Fixes

* **openproject:** Slim container with upgraded helm-chart ([535823e](535823e0a8))
 2023-10-26 16:50:26 +00:00
Oliver Günther
535823e0a8 fix(openproject): Slim container with upgraded helm-chart 2023-10-26 16:48:46 +00:00
Thorsten Roßner
9966bf640e chore(release): 0.5.15 [skip ci] 
## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)

### Bug Fixes

* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](8e376bb4a5))
 2023-10-25 11:52:23 +00:00
Thorsten Rossner
8e376bb4a5 fix(helmfile): Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. 2023-10-25 11:50:08 +00:00
Thorsten Roßner
7c0e4aa9a6 chore(release): 0.5.14 [skip ci] 
## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)

### Bug Fixes

* **element:** Support for openDesk top bar with central navigation ([e609b75](e609b75cc7))
 2023-10-20 10:38:57 +00:00
Dominik Henneke
e609b75cc7 fix(element): Support for openDesk top bar with central navigation 2023-10-20 10:35:20 +00:00
Thorsten Roßner
20d26a069b chore(release): 0.5.13 [skip ci] 
## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)

### Bug Fixes

* **element:** Configure rights and roles ([59d58e3](59d58e320e))
 2023-10-20 08:54:39 +00:00
Ahmad Kadri
59d58e320e fix(element): Configure rights and roles 2023-10-20 08:52:53 +00:00
Thorsten Roßner
49b71aafb4 chore(release): 0.5.12 [skip ci] 
## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)

### Bug Fixes

* **element:** Add an application service for the intercom-service ([1a4eced](1a4eced998))
* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](5afd2339c2))
* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](7756d35fa1))
* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](785989e91d))
* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](27b6796639))
* **element:** Add the Matrix User Verification Service deployment ([30405d1](30405d182d))
* **element:** Upgrade Element to v1.11.46 ([82a037e](82a037ec7c))
* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](fd9e04d992))
* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](cbe514176a))
* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](7f7c364071))
* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](16f2ac464e))
* **intercom-service:** Fix the nordeck configuration ([06dcdd7](06dcdd78af))
* **jitsi:** Use template for the cluster networking domain ([0898d96](0898d96571))
* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](86657b139a))
* **open-xchange:** Enable Element calendar integration ([f564efd](f564efd97f))
 2023-10-19 09:31:03 +00:00
Dominik Henneke
cbe514176a fix(element): Upgrade the opendesk-matrix-widgets charts to 2.3.0 2023-10-17 11:22:59 +02:00
Dominik Henneke
0898d96571 fix(jitsi): Use template for the cluster networking domain 2023-10-17 11:09:33 +02:00
Dominik Henneke
7f7c364071 fix(element): Use a separate image configuration for the bootstrap tasks 2023-10-17 10:54:32 +02:00
Dominik Henneke
fd9e04d992 fix(element): Upgrade the opendesk-element charts to 2.3.0 2023-10-17 10:47:08 +02:00
Dominik Henneke
86657b139a fix(keycloak): Use the correct backchannel logout configuration for element 2023-10-13 15:45:32 +02:00
Dominik Henneke
cdffbe1298 chore(element): Use prerelease of charts 2023-10-13 15:13:12 +02:00
Dominik Henneke
82a037ec7c fix(element): Upgrade Element to v1.11.46 2023-10-13 14:46:12 +02:00
Dominik Henneke
1a4eced998 fix(element): Add an application service for the intercom-service 2023-10-13 14:46:12 +02:00
Dominik Henneke
06dcdd78af fix(intercom-service): Fix the nordeck configuration 2023-10-13 14:46:11 +02:00
Thorsten Roßner
f564efd97f fix(open-xchange): Enable Element calendar integration 2023-10-13 14:46:11 +02:00
Dominik Henneke
16f2ac464e fix(intercom-service): Allow access from the non-istio domain and reference to the correct synapse hostname 2023-10-13 14:46:11 +02:00
Dominik Henneke
30405d182d fix(element): Add the Matrix User Verification Service deployment 2023-10-13 14:46:11 +02:00
Dominik Henneke
785989e91d fix(element): Add the Matrix NeoDateFix Bot deployment 2023-10-13 14:20:07 +02:00
Dominik Henneke
27b6796639 fix(element): Add the Matrix NeoDateFix Widget deployment 2023-10-13 14:17:16 +02:00
Dominik Henneke
7756d35fa1 fix(element): Add the Matrix NeoChoice Widget deployment 2023-10-13 14:17:10 +02:00
Dominik Henneke
5afd2339c2 fix(element): Add the Matrix NeoBoard Widget deployment 2023-10-13 14:17:02 +02:00
Thorsten Roßner
b7f220a6b6 chore(release): 0.5.11 [skip ci] 
## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)

### Bug Fixes

* **helmfile:** Quote all password template strings ([fb7dba7](fb7dba787c))
* **services:** Add memcached service ([72e3afd](72e3afdffd))
 2023-10-11 19:04:59 +00:00
Dominik Kaminski
fb7dba787c fix(helmfile): Quote all password template strings 2023-10-11 16:18:51 +02:00
Dominik Kaminski
72e3afdffd fix(services): Add memcached service 
Add documentation about cache service and refactor into seperate default environment file.
Refactor OpenProject to use external memcached service.
 2023-10-11 15:49:41 +02:00
Thorsten Roßner
85b8fcaab5 chore(release): 0.5.10 [skip ci] 
## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)

### Bug Fixes

* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](c3129f1443))
 2023-10-11 07:01:57 +00:00
Dominik Kaminski
c3129f1443 fix(intercom-service): Update intercom-service chart to v2.0.0 2023-10-10 19:09:37 +02:00
Thorsten Roßner
000be8b032 chore(release): 0.5.9 [skip ci] 
## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)

### Bug Fixes

* **element:** Enable the guest module in Synapse ([da1bf35](da1bf3581c))
 2023-10-10 11:42:54 +00:00
Dominik Henneke
da1bf3581c fix(element): Enable the guest module in Synapse 2023-10-10 09:39:34 +00:00
Thorsten Roßner
4d0011d957 chore(release): 0.5.8 [skip ci] 
## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)

### Bug Fixes

* **helmfile:** Add default port for SMTP in environment ([74f9ec2](74f9ec28e4))
 2023-10-10 07:01:29 +00:00
Dominik Kaminski
74f9ec28e4 fix(helmfile): Add default port for SMTP in environment 2023-10-09 18:30:50 +02:00
Thorsten Roßner
b1d4b2d8ea chore(release): 0.5.7 [skip ci] 
## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)

### Bug Fixes

* **openproject:** Mail sender address ([711d29e](711d29e374))
 2023-10-09 09:41:26 +00:00
Thorsten Roßner
711d29e374 fix(openproject): Mail sender address 2023-10-09 09:31:39 +00:00
Thorsten Roßner
0ba7be2a5f chore(release): 0.5.6 [skip ci] 
## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)

### Bug Fixes

* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](70744d04c6))
* **services:** Bump redis chart to 18.1.2 ([d4c751d](d4c751d29f))
 2023-10-09 09:30:56 +00:00
Dominik Kaminski
d4c751d29f fix(services): Bump redis chart to 18.1.2 2023-10-09 11:19:50 +02:00
Dominik Kaminski
70744d04c6 fix(helmfile): Use signed bitnami charts from openDesk Mirror Builds 2023-10-09 11:19:50 +02:00
Thorsten Roßner
e4e6d2d60a chore(release): 0.5.5 [skip ci] 
## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)

### Bug Fixes

* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](e42feb4c26))
 2023-10-09 07:24:26 +00:00
Thorsten Rossner
e42feb4c26 fix(openproject): Switch image to fix central navigation; set email sender address 2023-10-09 07:22:35 +00:00
Thorsten Roßner
f12c2ed0c2 chore(release): 0.5.4 [skip ci] 
## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)

### Bug Fixes

* **helmfile:** Add third environment (test) ([7dbcbfe](7dbcbfe723))
 2023-10-02 11:21:03 +00:00
Thorsten Rossner
7dbcbfe723 fix(helmfile): Add third environment (test) 2023-10-02 11:19:29 +00:00
Thorsten Roßner
1d8a0ccf1a chore(release): 0.5.3 [skip ci] 
## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)

### Bug Fixes

* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](e33acd33e7))
 2023-09-28 16:38:21 +00:00
Thorsten Rossner
e33acd33e7 fix(open-xchange): Rollback MariaDB version to fix OX Guard initialization 2023-09-28 16:36:28 +00:00
Thorsten Roßner
74e206694e chore(release): 0.5.2 [skip ci] 
## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)

### Bug Fixes

* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](6fd655a0b1))
 2023-09-28 09:06:20 +00:00
Dominik Kaminski
6fd655a0b1 fix(ci): Add Gitlab-CI sledgehammer deployment removal 2023-09-28 10:01:01 +02:00
Thorsten Roßner
d4c39025b6 chore(release): 0.5.1 [skip ci] 
## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)

### Bug Fixes

* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](b6b4972a5d))
* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](d86f516747))
* **element:** Use OCI registry and verify chart signatures ([a41b9a6](a41b9a699c))
* **helmfile:** Add cleanup flag for job resources ([0f01b94](0f01b94aa1))
* **helmfile:** Create directory for gpg pubkeys ([4c5731e](4c5731e6bb))
* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](74b3d41381))
* **jitsi:** Verify chart signatures ([1dd6582](1dd6582ec7))
* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](ca5d5f8280))
* **keycloak:** Use OCI registry and verify chart signatures ([095059c](095059c7e5))
* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](41dfdc0c8f))
* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](2d5d3708f7))
* **open-xchange:** Use renamed istio gateway ([65d2642](65d2642d34))
* **openproject:** Use OCI registry and verify chart signatures ([5343840](5343840bed))
* **services:** Add wildcard certifcate request support ([15ad8ca](15ad8ca7ab))
* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](4372f063e0))
* **services:** Only create istio gateway with webmail domain ([6a39011](6a390112da))
* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](892920b048))
* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](424317ed58))
 2023-09-28 07:23:23 +00:00
Dominik Kaminski
d86f516747 fix(docs): Highlight that Helmfile >= 0.157.0 is required 2023-09-28 09:00:34 +02:00
Dominik Kaminski
4c5731e6bb fix(helmfile): Create directory for gpg pubkeys 2023-09-28 08:41:49 +02:00
Dominik Kaminski
6a390112da fix(services): Only create istio gateway with webmail domain 2023-09-27 22:13:39 +02:00
Dominik Kaminski
65d2642d34 fix(open-xchange): Use renamed istio gateway 2023-09-27 22:03:41 +02:00
Dominik Kaminski
55f73924df chore(univention-corporate-container): Add missing OCI flag 2023-09-27 21:49:13 +02:00
Dominik Kaminski
11cc708f6e chore(open-xchange): Remove duplicate default key 2023-09-27 21:48:55 +02:00
Dominik Kaminski
b6b4972a5d fix(docs): Add 'Helm Chart Trust Chain' section 2023-09-27 20:55:41 +02:00
Dominik Kaminski
2e3f5f6e53 chore(xwiki): Add source to repo description 2023-09-27 20:55:41 +02:00
Dominik Kaminski
3da2aaaed9 chore(univention-management-stack): Rename repostory to ums-repo 2023-09-27 20:55:41 +02:00
Dominik Kaminski
424317ed58 fix(univention-corporate-container): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
b335bc4c3b chore(provisioning): Add respository comment 2023-09-27 20:55:40 +02:00
Dominik Kaminski
5343840bed fix(openproject): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
2d5d3708f7 fix(open-xchange): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
41dfdc0c8f fix(nextcloud): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
ca5d5f8280 fix(keycloak-bootstrap): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
095059c7e5 fix(keycloak): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
1dd6582ec7 fix(jitsi): Verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
74b3d41381 fix(intercom-service): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
a41b9a699c fix(element): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
0b4cd739fc chore(collabora): Add souce link to repository 2023-09-27 20:55:40 +02:00
Dominik Kaminski
4372f063e0 fix(services): Bump opendesk-certificates to 2.1.0 2023-09-27 20:55:40 +02:00
Dominik Kaminski
15ad8ca7ab fix(services): Add wildcard certifcate request support 2023-09-27 20:55:40 +02:00
Dominik Kaminski
1884a90e6f chore(helmfile): Quote string and fix line endings 2023-09-27 20:55:40 +02:00
Dominik Kaminski
0997f2e4a7 chore(helmfile): Add license for gpg key 2023-09-27 20:55:40 +02:00
Dominik Kaminski
0f01b94aa1 fix(helmfile): Add cleanup flag for job resources 2023-09-27 20:55:40 +02:00
Dominik Kaminski
892920b048 fix(services): Use OCI registry for all services and add gpg verify mechanism 2023-09-27 20:55:40 +02:00
Thorsten Roßner
5c3568871b chore(release): 0.5.0 [skip ci] 
# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)

### Bug Fixes

* **element:** Move the static configuration into the values.yaml ([f22619b](f22619bd8e))
* **element:** Specify resources for the guest module init container ([275798c](275798c1d6))

### Features

* **element:** Activate the guest module ([5ad25ac](5ad25acafd))
 2023-09-27 14:37:23 +00:00
Dominik Henneke
f22619bd8e fix(element): Move the static configuration into the values.yaml 2023-09-27 16:33:22 +02:00
Dominik Henneke
275798c1d6 fix(element): Specify resources for the guest module init container 2023-09-27 16:33:22 +02:00
Dominik Henneke
5ad25acafd feat(element): Activate the guest module 2023-09-27 16:18:00 +02:00
Thorsten Roßner
437633cda6 chore(release): 0.4.9 [skip ci] 
## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)

### Bug Fixes

* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](62b767ef38))
 2023-09-27 13:47:20 +00:00
Thorsten Rossner
62b767ef38 fix(nextcloud): Bump Helm chart to add app "groupfolders" 2023-09-27 13:44:47 +00:00
Thorsten Roßner
02be7c15bb chore(release): 0.4.8 [skip ci] 
## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)

### Bug Fixes

* **openproject:** Digest rollback ([9acce08](9acce08139))
 2023-09-26 16:11:15 +00:00
Thorsten Roßner
9acce08139 fix(openproject): Digest rollback 2023-09-26 18:02:31 +02:00
Thorsten Roßner
3f8bffbcf3 chore(release): 0.4.7 [skip ci] 
## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)

### Bug Fixes

* **helmfile:** Add timeout for database services ([98ec02f](98ec02f230))
* **openproject:** Image digest ([b340373](b340373133))
 2023-09-26 14:49:31 +00:00
Thorsten Roßner
98ec02f230 fix(helmfile): Add timeout for database services 2023-09-26 16:32:19 +02:00
Thorsten Roßner
b340373133 fix(openproject): Image digest 2023-09-26 16:30:28 +02:00
Thorsten Roßner
6456f68b7b chore(release): 0.4.6 [skip ci] 
## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)

### Bug Fixes

* **openproject:** Use renamed registry open_desk ([a37faf3](a37faf3b57))
 2023-09-26 12:51:57 +00:00
Oliver Günther
a37faf3b57 fix(openproject): Use renamed registry open_desk 2023-09-26 12:50:26 +00:00
Thorsten Roßner
fbbf3f253b chore(release): 0.4.5 [skip ci] 
## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)

### Bug Fixes

* **helmfile:** Streamline timeouts ([2703615](2703615dff))
 2023-09-26 12:20:31 +00:00
Thorsten Rossner
2703615dff fix(helmfile): Streamline timeouts 2023-09-26 12:18:13 +00:00
Thorsten Roßner
85ad5ecd6d chore(release): 0.4.4 [skip ci] 
## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)

### Bug Fixes

* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](ae3d0daa11))
 2023-09-25 17:29:54 +00:00
Thorsten Rossner
ae3d0daa11 fix(open-xchange): Updates for mail templates and mail export 2023-09-25 17:27:48 +00:00
Thorsten Roßner
0a17976aca chore(release): 0.4.3 [skip ci] 
## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)

### Bug Fixes

* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](ce7e5f670a))
 2023-09-25 11:24:24 +00:00
Thorsten Rossner
ce7e5f670a fix(nextcloud): Update image to 27.1.1 2023-09-25 11:22:39 +00:00
Thorsten Roßner
917f9fb452 chore(release): 0.4.2 [skip ci] 
## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)

### Bug Fixes

* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](f46c8a9a5f))
 2023-09-21 12:38:44 +00:00
Thorsten Rossner
f46c8a9a5f fix(nextcloud): Add Nextcloud app for OpenProject integration; Bump Collabora Image 2023-09-21 12:25:53 +00:00
Thorsten Roßner
c2b44da34e chore(release): 0.4.1 [skip ci] 
## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)

### Bug Fixes

* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](41b9afb364))
 2023-09-19 12:40:28 +00:00
Thorsten Roßner
41b9afb364 fix(univention-management-stack): Remove doublette triple dashes in helmfile.yaml 2023-09-19 13:54:20 +02:00
Thorsten Roßner
63bdcf594b chore(release): 0.4.0 [skip ci] 
# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)

### Features

* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](a99c088361))
 2023-09-18 14:48:12 +00:00
Dibya Chakravorty
a99c088361 feat(ci): Optionally trigger E2E tests of the SouvAP Dev team 2023-09-18 14:46:17 +00:00
Thorsten Roßner
8d09aa02f9 chore(release): 0.3.2 [skip ci] 
## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)

### Bug Fixes

* **helmfile:** Fix linter issues ([1514678](1514678db0))
* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](16c08f82c9))
* **univention-management-stack:** Add Helm charts ([a74d662](a74d662404))
* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](471a2fa262))
* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](13bcd785e8))
* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](320da3bec3))
* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](5e1a7b19e2))
* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](c54bab165b))
* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](c61b1b8281))
* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](96097e4704))
* **univention-management-stack:** Configure cookie banner data ([12c931f](12c931fcff))
* **univention-management-stack:** Define resource requests and limits ([2f8a298](2f8a298925))
* **univention-management-stack:** Disable istio for the stack ([4835a2b](4835a2beec))
* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](7ab1cb5c7e))
* **univention-management-stack:** Process bases before releases ([ec3f1d9](ec3f1d96ac))
* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](0ba71f2749))
* **univention-management-stack:** Split templated from static values ([09079a1](09079a1303))
* **univention-management-stack:** Split values into templated and static ([d3c4390](d3c439038a))
* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](c840608112))
* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](a4bab4068d))
* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](9409ad829a))
* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](90019e3ef6))
* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](77e362f6bc))
* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](fe0e0cdce4))
* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](edb25bd765))
* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](15db5dcbba))
 2023-09-14 20:16:01 +00:00
Johannes Bornhold
1514678db0 fix(helmfile): Fix linter issues 2023-09-14 15:37:35 +02:00
Johannes Bornhold
b7254cf5dc ci(univention-management-stack): Enforce choice between UCS and UMS 2023-09-14 15:26:58 +02:00
Johannes Bornhold
7ab1cb5c7e fix(univention-management-stack): Prepare persistence configuration 2023-09-14 15:21:46 +02:00
Johannes Bornhold
0ba71f2749 fix(univention-management-stack): Set externalDomainName for bootstrapping the stack 2023-09-14 15:21:46 +02:00
Johannes Bornhold
77e362f6bc fix(univention-management-stack): Use ldap base DN "dc=swp-ldap,dc=internal" 2023-09-14 15:21:45 +02:00
Johannes Bornhold
09079a1303 fix(univention-management-stack): Split templated from static values 2023-09-14 15:21:45 +02:00
Johannes Bornhold
15db5dcbba fix(univention-management-stack): Use the value "global.imagePullPolicy" 2023-09-14 15:18:00 +02:00
Johannes Bornhold
d3c439038a fix(univention-management-stack): Split values into templated and static 2023-09-14 15:18:00 +02:00
Johannes Bornhold
9409ad829a fix(univention-management-stack): Use global secrets to populate ldap related secrets 2023-09-14 15:18:00 +02:00
Johannes Bornhold
a4bab4068d fix(univention-management-stack): Use global secrets to fill initialPasswordAdministrator 2023-09-14 15:18:00 +02:00
Johannes Bornhold
90019e3ef6 fix(univention-management-stack): Use global secrets to set store-dav related passwords 2023-09-14 15:18:00 +02:00
Johannes Bornhold
4835a2beec fix(univention-management-stack): Disable istio for the stack 2023-09-14 15:18:00 +02:00
Johannes Bornhold
12c931fcff fix(univention-management-stack): Configure cookie banner data 2023-09-14 15:18:00 +02:00
Johannes Bornhold
2f8a298925 fix(univention-management-stack): Define resource requests and limits 2023-09-14 15:18:00 +02:00
Johannes Bornhold
ec3f1d96ac fix(univention-management-stack): Process bases before releases 2023-09-14 15:17:59 +02:00
Johannes Bornhold
16c08f82c9 fix(univention-management-stack): Add "commonLabels" into helmfile 2023-09-14 15:17:59 +02:00
Johannes Bornhold
edb25bd765 fix(univention-management-stack): Use the prefix "ums-" for all releases 2023-09-14 15:17:59 +02:00
Johannes Bornhold
c840608112 fix(univention-management-stack): Update portal-listener to leverage dependency waiting 2023-09-14 15:17:59 +02:00
Johannes Bornhold
320da3bec3 fix(univention-management-stack): Adjust Ingress configuration for umc 2023-09-14 15:17:59 +02:00
Johannes Bornhold
c61b1b8281 fix(univention-management-stack): Adjust Ingress configuration of udm-rest-api 2023-09-14 15:17:59 +02:00
Johannes Bornhold
96097e4704 fix(univention-management-stack): Adjust Ingress conifguration of store-dav 2023-09-14 15:17:59 +02:00
Johannes Bornhold
5e1a7b19e2 fix(univention-management-stack): Adjust Ingress configuration of notifications-api 2023-09-14 15:17:59 +02:00
Johannes Bornhold
13bcd785e8 fix(univention-management-stack): Adjust Ingress configuration for portal-server 2023-09-14 15:17:58 +02:00
Johannes Bornhold
c54bab165b fix(univention-management-stack): Adjust ingress configuration of the portal-frontend 2023-09-14 15:17:58 +02:00
Johannes Bornhold
836f491766 ci(univention-management-stack): Add option to deploy UMS 2023-09-14 15:17:58 +02:00
Johannes Bornhold
fe0e0cdce4 fix(univention-management-stack): Use postgresql service for notifications-api 2023-09-14 15:17:58 +02:00
Johannes Bornhold
a74d662404 fix(univention-management-stack): Add Helm charts 2023-09-14 15:17:58 +02:00
Johannes Bornhold
471a2fa262 fix(univention-management-stack): Add switch "univentionManagementStack.enabled" 2023-09-14 14:58:22 +02:00
Thorsten Roßner
5f79763e2b chore(release): 0.3.1 [skip ci] 
## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)

### Bug Fixes

* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](b5583caec1))
* **element:** Improve default container security settings ([882f1fb](882f1fbc93))
* **element:** Update opendesk element version to 2.0.1 ([d725b93](d725b93798))
* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](e120f5fb9a))
* **helmfile:** Update images and use a tag and digest together ([c7fc187](c7fc187f14))
* **services:** Explicitly set securityContexts ([a799db0](a799db03c4))
* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](e1070eeb06))
 2023-09-14 11:11:40 +00:00
Dominik Kaminski
e120f5fb9a fix(helmfile): Remove default SMTP credentials and create docs for SMTP/TURN 2023-09-13 23:39:38 +02:00
Dominik Kaminski
a799db03c4 fix(services): Explicitly set securityContexts 2023-09-13 19:33:47 +02:00
Dominik Kaminski
d725b93798 fix(element): Update opendesk element version to 2.0.1 2023-09-13 19:33:47 +02:00
Dominik Kaminski
e1070eeb06 fix(services): Update Postfix to 2.0.2 fixing security gaining 2023-09-13 19:33:47 +02:00
Dominik Kaminski
c7fc187f14 fix(helmfile): Update images and use a tag and digest together 2023-09-13 19:33:47 +02:00
Dominik Kaminski
89ac783dc3 chore(collabora): Quote strings 2023-09-13 19:33:47 +02:00
Dominik Kaminski
882f1fbc93 fix(element): Improve default container security settings 2023-09-13 19:33:43 +02:00
Dominik Kaminski
b5583caec1 fix(collabora): Update Ingress annotations and set securityContext 2023-09-13 16:32:35 +02:00
Thorsten Roßner
6d23534ee0 chore(release): 0.3.0 [skip ci] 
# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)

### Features

* **ci:** Selective tests ([d2e7ac9](d2e7ac9348))
 2023-09-12 21:18:26 +00:00
Tobias Heinzmann
d2e7ac9348 feat(ci): Selective tests 2023-09-12 21:16:33 +00:00
Thorsten Roßner
2125037a3c chore(release): 0.2.10 [skip ci] 
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)

### Bug Fixes

* **helmfile:** Add imagePullPolicy default env variable ([f988644](f9886448b6))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](0eceb85e7d))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](1349181d80))
* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](ed7e5e428e))
* **keycloak:** Improve default security settings ([3b90533](3b90533063))
* **nextcloud:** Fix yamllint disable comment ([4380e78](4380e78981))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](1ef4a861ac))
* **services:** Fix capabilities of postifix ([a6fa846](a6fa846afc))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](be82243966))
 2023-09-06 17:12:09 +00:00
Dominik Kaminski
ed7e5e428e fix(jitsi): Update jitsi to 1.5.1 and fix prosody image 2023-09-06 19:09:59 +02:00
Dominik Kaminski
d28a425673 chore(release): 0.2.10 [skip ci] 
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)

### Bug Fixes

* **helmfile:** Add imagePullPolicy default env variable ([f988644](f9886448b6))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](0eceb85e7d))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](1349181d80))
* **keycloak:** Improve default security settings ([3b90533](3b90533063))
* **nextcloud:** Fix yamllint disable comment ([4380e78](4380e78981))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](1ef4a861ac))
* **services:** Fix capabilities of postifix ([a6fa846](a6fa846afc))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](be82243966))
 2023-09-06 07:53:01 +00:00
Dominik Kaminski
a6fa846afc fix(services): Fix capabilities of postifix 2023-09-05 21:50:31 +02:00
Dominik Kaminski
4380e78981 fix(nextcloud): Fix yamllint disable comment 2023-09-05 20:31:32 +02:00
Dominik Kaminski
be82243966 fix(services): Fix OCI registry address of postgresql, mariadb 2023-09-05 20:15:03 +02:00
Dominik Kaminski
f9886448b6 fix(helmfile): Add imagePullPolicy default env variable 2023-09-05 19:59:18 +02:00
Dominik Kaminski
0eceb85e7d fix(helmfile): Update images and add jitsi, keycloak to security section in docs 2023-09-05 18:49:09 +02:00
Dominik Kaminski
1ef4a861ac fix(services): Disable https redirect in istio to fix cert-manager issues 2023-09-05 18:48:18 +02:00
Dominik Kaminski
3b90533063 fix(keycloak): Improve default security settings 2023-09-05 18:47:28 +02:00
Dominik Kaminski
1349181d80 fix(jitsi): Update chart to 1.4.2 with improved security and fixed change on each deployment 2023-09-05 18:47:04 +02:00
Thorsten Roßner
e1b84898c5 chore(release): 0.2.9 [skip ci] 
## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)

### Bug Fixes

* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](6e5ef639c2))
* **docs:** Add security part in README ([ff462ab](ff462ab0dc))
* **docs:** Update scaling docs ([63a1e25](63a1e2568e))
* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](c5ab1b81fe))
* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](4f2a8aeee4))
* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](6e68f7f28c))
* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](cef11acbae))
* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](41d40c9b73))
* **services:** Enable security context and use default increased security settings ([9a6d240](9a6d2409a6))
* **services:** Fix image registry templates for postfix ([6321ff5](6321ff50a0))
* **services:** Replace image digest by tag ([f758293](f758293241))
* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](5fbf86b6bc))
* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](9d7866480c))
 2023-09-05 11:58:43 +00:00
Dominik Kaminski
63a1e2568e fix(docs): Update scaling docs 2023-09-03 22:45:29 +02:00
Dominik Kaminski
ca4b1da84f chore(helmfile): Fix linting errors for yamllint 2023-09-03 22:26:26 +02:00
Dominik Kaminski
ff462ab0dc fix(docs): Add security part in README 2023-09-03 21:56:55 +02:00
Dominik Kaminski
4f2a8aeee4 fix(helmfile): Update clamav and nextcloud images in default environment 2023-09-03 21:56:45 +02:00
Dominik Kaminski
c5ab1b81fe fix(helmfile): Reduce icap resources in default enviroment 2023-09-03 21:56:31 +02:00
Dominik Kaminski
9d7866480c fix(services): Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries 2023-09-03 21:53:09 +02:00
Dominik Kaminski
9a6d2409a6 fix(services): Enable security context and use default increased security settings 2023-09-03 21:51:33 +02:00
Dominik Kaminski
f758293241 fix(services): Replace image digest by tag 2023-09-03 21:49:39 +02:00
Dominik Kaminski
6321ff50a0 fix(services): Fix image registry templates for postfix 2023-09-03 21:46:40 +02:00
Dominik Kaminski
5fbf86b6bc fix(services): Set readOnlyRootFilesystem to true on master 2023-09-03 21:44:42 +02:00
Dominik Kaminski
6e68f7f28c fix(nextcloud): Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress 2023-09-03 21:43:55 +02:00
Dominik Kaminski
41d40c9b73 fix(nextcloud): Use clamav-icap when clamavDistributed is activated 2023-09-03 21:43:00 +02:00
Dominik Kaminski
cef11acbae fix(nextcloud): Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI 2023-09-03 21:40:45 +02:00
Dominik Kaminski
6e5ef639c2 fix(collabora): Add websocket support for NGINX Inc. Ingress 2023-09-03 21:40:06 +02:00
Thorsten Roßner
65b0ca5480 chore(release): 0.2.8 [skip ci] 
## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)

### Bug Fixes

* **open-xchange:** Update images and Helm chart ([39565c7](39565c7cfd))
 2023-08-31 10:57:35 +00:00
Thorsten Rossner
39565c7cfd fix(open-xchange): Update images and Helm chart 2023-08-31 10:56:00 +00:00
Thorsten Roßner
0d374c1fea chore(release): 0.2.7 [skip ci] 
## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)

### Bug Fixes

* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](387bd8715c))
 2023-08-30 17:08:35 +00:00
Thorsten Rossner
387bd8715c fix(jitsi): Update Jitsi Helm chart to set the user's display name as default 2023-08-30 17:06:57 +00:00
Dominik Kaminski
f219c42afa chore(release): 0.2.6 [skip ci] 
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)

### Bug Fixes

* **ci:** Change path of asset_generator ([6ab4fa0](6ab4fa078b))
* **ci:** Include deployment environments ([0f59736](0f59736c5d))
* **ci:** Release artefacts ([2a61b5f](2a61b5f2a6))
 2023-08-30 14:23:01 +00:00
Thorsten Roßner
4d3bc2799c chore(release): 0.2.6 [skip ci] 
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)

### Bug Fixes

* **ci:** Change path of asset_generator ([6ab4fa0](6ab4fa078b))
* **ci:** Include deployment environments ([0f59736](0f59736c5d))
* **ci:** Release artefacts ([2a61b5f](2a61b5f2a6))
 2023-08-30 14:18:36 +00:00
Thorsten Rossner
0f59736c5d fix(ci): Include deployment environments 2023-08-30 14:16:30 +00:00
Thorsten Roßner
7e9d39cc7f chore(release): 0.2.6 [skip ci] 
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)

### Bug Fixes

* **ci:** Change path of asset_generator ([6ab4fa0](6ab4fa078b))
* **ci:** Release artefacts ([2a61b5f](2a61b5f2a6))
 2023-08-30 13:49:37 +00:00
Dominik Kaminski
6ab4fa078b fix(ci): Change path of asset_generator 2023-08-30 11:37:09 +00:00
Dominik Kaminski
05361276c0 chore(ci): Improve rules 2023-08-30 11:19:03 +00:00
Dominik Kaminski
cda237a655 chore(ci): Fix gitlab pipeline 2023-08-30 11:16:01 +00:00
Dominik Kaminski
ea77d1712e chore(ci): Fix runner tags on OpenCoDE 2023-08-30 11:13:47 +00:00
Thorsten Rossner
2a61b5f2a6 fix(ci): Release artefacts 2023-08-30 10:57:54 +00:00
Thorsten Rossner
f4dbdfb321 chore(release): 0.2.5 [skip ci] 
## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)

### Bug Fixes

* **xwiki:** Theming and language of central navigation ([3d4d45f](3d4d45f711))
 2023-08-30 09:50:06 +00:00
Thorsten Rossner
3d4d45f711 fix(xwiki): Theming and language of central navigation 2023-08-30 09:48:20 +00:00
Johannes Bornhold
86fdb34735 chore(docs): Language pass in the contribution guide 2023-08-29 18:20:48 +02:00
Thorsten Rossner
7c9c6f9000 chore(release): 0.2.4 [skip ci] 
## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)

### Bug Fixes

* **element:** Apply the global theme to Element ([7f7eae8](7f7eae8f99))
 2023-08-29 15:41:16 +00:00
Dominik Henneke
7f7eae8f99 fix(element): Apply the global theme to Element 2023-08-29 15:39:37 +00:00
Thorsten Rossner
c9953299cc chore(release): 0.2.3 [skip ci] 
## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)

### Bug Fixes

* **ci:** Add central branding information ([a14c42f](a14c42f6ed))
 2023-08-29 14:29:25 +00:00
Thorsten Rossner
a14c42f6ed fix(ci): Add central branding information 2023-08-29 14:27:52 +00:00
Dominik Kaminski
c520b0047c chore(release): 0.2.2 [skip ci] 
## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)

### Bug Fixes

* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](7491582c28))
* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](06dc7a115d))
 2023-08-16 14:44:44 +00:00
Dominik Kaminski
7491582c28 fix(jitsi): Allow configuration of LoadBalancer status field for patchJVB job 2023-08-16 15:21:49 +02:00
Dominik Kaminski
06dc7a115d fix(open-xchange): Explicitly disable core-ui-middleware ingress 2023-08-16 10:36:14 +02:00
Dominik Kaminski
b9c895b357 chore(release): 0.2.1 [skip ci] 
## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)

### Bug Fixes

* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](d8adcc463a))
 2023-08-16 07:39:28 +00:00
Dominik Kaminski
d8adcc463a fix(keycloak): Increase proxy-buffer-size for ingress-nginx 2023-08-16 09:33:27 +02:00
Dominik Kaminski
83aeb4ece2 chore(release): 0.2.0 [skip ci] 
# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)

### Bug Fixes

* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](4c21fd2286))

### Features

* **helmfile:** Implement private image/chart registry variables ([5788323](5788323621))
 2023-08-15 10:40:25 +00:00
Dominik Kaminski
4c21fd2286 fix(helmfile): Replace bitnami repositories with OCI 2023-08-15 11:32:03 +02:00
Dominik Kaminski
5788323621 feat(helmfile): Implement private image/chart registry variables 2023-08-15 11:32:03 +02:00
137 changed files with 4225 additions and 734 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -5,4 +5,8 @@
# Ignore changes to sample environments
helmfile/environments/dev/values.yaml
helmfile/environments/dev/values.gotmpl
helmfile/environments/test/values.yaml
helmfile/environments/test/values.gotmpl
helmfile/environments/prod/values.yaml
helmfile/environments/prod/values.gotmpl

287
.gitlab-ci.yml
View File

@@ -2,13 +2,15 @@
# SPDX-License-Identifier: Apache-2.0
---
include:
- project: "souvap/tooling/gitlab-config"
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
ref: "main"
file:
- "ci/common/lint.yml"
- "ci/release-automation/semantic-release.yml"
- project: "souvap/devops/sovereign-workplace-env"
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
file: "gitlab/environments.yaml"
rules:
- if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
stages:
- ".pre"
@@ -20,22 +22,17 @@ stages:
- "component-deploy-stage-2"
- "tests"
- "env-stop"
- "post"
- "generate-release-assets"
- ".post"
variables:
NAMESPACE:
description: "The name of namespaces to deploy to."
value: ""
CLUSTER:
description: "Define which cluster to use"
value: "develop"
options:
- "dev"
- "qa"
- "ref"
- "develop"
- "hubble"
- "prototype"
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
sovereign-workplace-env included above."
value: "dev"
BASE_DOMAIN:
description: "Define the Cluster Base Domain."
value: "souvap.cloud"
@@ -61,10 +58,13 @@ variables:
- "yes"
- "no"
DEPLOY_UCS:
description: "Enable Univention Corporate Server deployment."
description: >-
Enable Univention Corporate Server deployment.
"ums-eval" does deploy the Univention Management Stack instead of the UCS container.
value: "no"
options:
- "yes"
- "ums-eval"
- "no"
DEPLOY_PROVISIONING:
description: "Enable Provisioning Components."
@@ -132,8 +132,18 @@ variables:
options:
- "yes"
- "no"
TESTS_PROJECT_URL:
description: "URL of the E2E-test Gitlab project API with project ID."
TESTS_BRANCH:
description: "Branch of E2E-tests on which the test pipeline is triggered"
value: "main"
RUN_UMS_TESTS:
description: "Run E2E test suite of SouvAP Dev team"
value: "no"
options:
- "yes"
- "no"
UMS_TESTS_BRANCH:
description: "Branch of E2E test suite of SouvAP Dev team"
value: "main"
# please use the following set of variables with normalized names:
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -143,23 +153,6 @@ variables:
dependencies: []
extends: ".environments"
image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
secrets:
SMTP_PASSWORD:
vault:
engine:
name: "kv-v2"
path: "swp"
path: "accounts/brained/mail/relay@souvap-univention.de"
field: "password"
file: false
TURN_CREDENTIALS:
vault:
engine:
name: "kv-v2"
path: "swp"
path: "accounts/souvap-univention.de/develop/turn/secret"
field: "credentials"
file: false
script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -190,8 +183,16 @@ env-cleanup:
$ENV_STOP_BEFORE != "no"
when: "always"
script:
- "helmfile destroy --namespace ${NAMESPACE}"
- "kubectl delete pvc --all --namespace ${NAMESPACE}"
- |
if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
done
kubectl delete pvc --all --namespace ${NAMESPACE};
kubectl delete jobs --all --namespace ${NAMESPACE};
else
helmfile destroy --namespace ${NAMESPACE};
fi
stage: "env-cleanup"
env-start:
@@ -238,7 +239,7 @@ ucs-deploy:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
when: "always"
variables:
COMPONENT: "univention-corporate-container"
@@ -255,6 +256,18 @@ provisioning-deploy:
variables:
COMPONENT: "provisioning"
ums-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
$DEPLOY_UCS == "ums-eval"
when: "always"
variables:
COMPONENT: "univention-management-stack"
keycloak-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -283,6 +296,7 @@ keycloak-bootstrap-deploy:
ox-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
timeout: "30m"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -410,70 +424,183 @@ run-tests:
when: "always"
script:
- |
COMPONENTS="login or portal or profile or navigation"
if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
or xwiki"
else
[ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
[ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
[ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
[ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
[ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
[ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
[ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
[ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
[ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
fi
echo "Gathering passwords from UCS container ..."
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers \
--selector 'app.kubernetes.io/instance=univention-corporate-container' \
| awk '{print $1}' \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$( \
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
echo "triggering test pipeline ..."
curl -X POST \
-F "ref=main" \
-F "token=${CI_JOB_TOKEN}" \
-F "variables[url]=https://portal.${DOMAIN}" \
-F "variables[user_name]=${DEFAULT_USER_NAME}" \
-F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
-F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
-F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
-F "variables[components]=\"${COMPONENTS}\"" \
https://${TESTS_PROJECT_URL}/trigger/pipeline
curl --request POST \
--header "Content-Type: application/json" \
--data "{ \
\"ref\": \"${TESTS_BRANCH}\", \
\"token\": \"${CI_JOB_TOKEN}\", \
\"variables\": { \
\"url\": \"https://portal.${DOMAIN}\", \
\"user_name\": \"${DEFAULT_USER_NAME}\", \
\"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
\"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
\"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
\"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
\"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
\"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
\"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
\"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
\"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
\"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
\"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
\"DEPLOY_OX\": \"${DEPLOY_OX}\", \
\"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
\"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
\"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
\"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
} \
}" \
"https://${TESTS_PROJECT_URL}/trigger/pipeline"
run-souvap-dev-tests:
extends: ".deploy-common"
environment:
name: "${NAMESPACE}"
tags:
- "docker"
- "kubernetes"
- "${CLUSTER}"
stage: "tests"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
when: "always"
script:
- |
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
curl --request POST \
--header "Content-Type: application/json" \
--data "{ \
\"ref\": \"${UMS_TESTS_BRANCH}\", \
\"token\": \"${CI_JOB_TOKEN}\", \
\"variables\": { \
\"portal_base_url\": \"https://portal.${DOMAIN}\", \
\"username\": \"${DEFAULT_USER_NAME}\", \
\"password\": \"${DEFAULT_USER_PASSWORD}\", \
\"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
\"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
\"keycloak_base_url\": \"https://id.${DOMAIN}\" \
} \
}" \
"https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
generate-release-assets:
stage: "generate-release-assets"
image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
rules:
- if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
when: "always"
- when: "never"
script:
- |
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
cd opendesk-asset-generator
export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
./opendesk_asset_generator.py
mv ./build_artefacts ${CI_PROJECT_DIR}
cd ..
rm -rf opendesk-asset-generator
ls -l ./build_artefacts
artifacts:
paths:
- "./build_artefacts/chart-index.json"
- "./build_artefacts/image-index.json"
tags: []
variables:
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
# 'cache' is used because job must contain at least one key, so cache is just a dummy key.
.environments:
cache: {}
# Overwrite shared settings
.common-semantic-release:
image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
except:
- "tags"
- "triggers"
- "web"
tags: []
common-yaml-linter:
except:
- "tags"
- "triggers"
- "web"
rules:
- if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
when: "never"
- when: "always"
reuse-linter:
allow_failure: false
except:
- "tags"
- "triggers"
- "web"
rules:
- if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
when: "never"
- when: "always"
generate-release-version:
rules:
- if: "$JOB_RELEASE_ENABLED != 'false'"
when: "always"
release:
dependencies:
- "generate-release-assets"
rules:
- if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
when: "always"
script:
- |
cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
{
"branches": ["main"],
"plugins": [
["@semantic-release/gitlab",
{
"assets": [
{ "path": "./build_artefacts/chart-index.json",
"label": "Chart Index JSON" },
{ "path": "./build_artefacts/image-index.json",
"label": "Image Index JSON" },
]
}
],
"@semantic-release/release-notes-generator",
"@semantic-release/changelog",
["@semantic-release/git", {
"assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}]
]
}
EOF
- "semantic-release"
...

8
.reuse/dep5 Normal file
View File

@@ -0,0 +1,8 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: openDesk
Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
Files: helmfile/environments/default/theme/*
Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
License: Apache-2.0

465
CHANGELOG.md
View File

@@ -1,3 +1,463 @@
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
### Bug Fixes
* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
### Bug Fixes
* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
### Bug Fixes
* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5d01f8ca46384d63d69dab0119998c4bb3183084))
## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)
### Bug Fixes
* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2313f75dbe32d855b0c440944bd0de51c8e104ca))
## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)
### Bug Fixes
* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b39986907cece3cec06012531a55b2699d131f90))
## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)
### Bug Fixes
* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a046deaf173ab41029c2ab5e3161bd89e0fdabcb))
## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)
### Bug Fixes
* **openproject:** Slim container with upgraded helm-chart ([535823e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/535823e0a8b2bde72d159835248b2287fd136af7))
## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)
### Bug Fixes
* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8e376bb4a5e37e16d76ea527cd02a5f614cdfe3d))
## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)
### Bug Fixes
* **element:** Support for openDesk top bar with central navigation ([e609b75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e609b75cc7fcbb7f03997cb5e26dd9cf4628f77d))
## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)
### Bug Fixes
* **element:** Configure rights and roles ([59d58e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/59d58e320e503727e42dbfe0b027ba7948275ac6))
## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)
### Bug Fixes
* **element:** Add an application service for the intercom-service ([1a4eced](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1a4eced998998faa7ac862b8c409bbd743b16ec0))
* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5afd2339c20a0be41078ae4c3ce703c62f332557))
* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7756d35fa156b36ed50ba8f837273db56323f45f))
* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/785989e91df5547ab5ac60914b82bc99c4f1a790))
* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/27b6796639f37dbd6c26f21fd54502153398aed0))
* **element:** Add the Matrix User Verification Service deployment ([30405d1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/30405d182d44a5586a4070738dfbe1c141841d19))
* **element:** Upgrade Element to v1.11.46 ([82a037e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/82a037ec7c25baf41bd0542c3ded47402adc2844))
* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fd9e04d9922b949d0f213016169a9024a66a1ded))
* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cbe514176a4d86d166db248d7297d215409016d2))
* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7f7c364071072b01d485d3e248a3f8de49a07309))
* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16f2ac464eb7267f1c4d87c3ccaca2c91a7ecc1b))
* **intercom-service:** Fix the nordeck configuration ([06dcdd7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/06dcdd78afe0e6514c1f30d24924d3e7077ae6da))
* **jitsi:** Use template for the cluster networking domain ([0898d96](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0898d9657145d66fd4c52fe6036c955ad58a0cfe))
* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/86657b139a6d8f4ff3f921b8755e04cb790c3786))
* **open-xchange:** Enable Element calendar integration ([f564efd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f564efd97f8db39cffaea317e36db3825fc9121e))
## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
### Bug Fixes
* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
### Bug Fixes
* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
### Bug Fixes
* **element:** Enable the guest module in Synapse ([da1bf35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/da1bf3581c5790786601948cabcef8a1d1c680ad))
## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)
### Bug Fixes
* **helmfile:** Add default port for SMTP in environment ([74f9ec2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74f9ec28e401f7caeefc4e50ac0a7e95fea41a53))
## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)
### Bug Fixes
* **openproject:** Mail sender address ([711d29e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/711d29e374d13a3c8b7bcdf3e8440d03e0ef2b7d))
## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
### Bug Fixes
* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
### Bug Fixes
* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e42feb4c260fc24692bc2742c97754230f8e2857))
## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)
### Bug Fixes
* **helmfile:** Add third environment (test) ([7dbcbfe](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7dbcbfe7237b365cf53f4c850b149e8b95149901))
## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)
### Bug Fixes
* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e33acd33e79740144e8fe318fe34dc705834ddf3))
## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)
### Bug Fixes
* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6fd655a0b1afd40303ac11130692202146bab215))
## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)
### Bug Fixes
* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b6b4972a5dd426bcc8fa00137d7e7b60056376c8))
* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d86f516747323d117f620658c4368408926c507a))
* **element:** Use OCI registry and verify chart signatures ([a41b9a6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a41b9a699c79bf90163bbb3c233c805b8d0a999e))
* **helmfile:** Add cleanup flag for job resources ([0f01b94](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f01b94aa19b40b4774ba11d9886fe6f12090e73))
* **helmfile:** Create directory for gpg pubkeys ([4c5731e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4c5731e6bb057cb272f660b4df0369b67709c203))
* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74b3d41381474efd2fbc5a9f3a0f1c0713811106))
* **jitsi:** Verify chart signatures ([1dd6582](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1dd6582ec7d742250ba08f69eba9a4679984b1ae))
* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ca5d5f82800ea6d7ecfa38eb2b5d8b85e709bb9f))
* **keycloak:** Use OCI registry and verify chart signatures ([095059c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/095059c7e53bbe8a874773f574cc6794ef8af6e4))
* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41dfdc0c8f83e3d79fa5a763ac449f6edfc76676))
* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2d5d3708f7f45600961c22ce11e750561de1fd27))
* **open-xchange:** Use renamed istio gateway ([65d2642](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65d2642d34c1c21a00a29278f7e1143f7fabb2aa))
* **openproject:** Use OCI registry and verify chart signatures ([5343840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5343840bed01992b3132eace362f91588c705a98))
* **services:** Add wildcard certifcate request support ([15ad8ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15ad8ca7ab34b079252f7b69219ede81ad43aa1c))
* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4372f063e0a27d5156da963d44d3ed4e72490fc4))
* **services:** Only create istio gateway with webmail domain ([6a39011](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6a390112dab11afaca06118a0ca7a18afe633a30))
* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/892920b0487b41a35b5a96596c61101827e8dd6d))
* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/424317ed585f7bd5036259d7e3d77d081d2aec1b))
# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)
### Bug Fixes
* **element:** Move the static configuration into the values.yaml ([f22619b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f22619bd8ef11cb43147ef19dcff2c02d9fe0503))
* **element:** Specify resources for the guest module init container ([275798c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/275798c1d6aa47ef33fbb0da3bb03a86d3e4b0ee))
### Features
* **element:** Activate the guest module ([5ad25ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5ad25acafd54d19dd2ed330b19f7860aff5d49f4))
## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)
### Bug Fixes
* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/62b767ef38c8eae2874b20a9aa51e85d2a3fe5a3))
## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)
### Bug Fixes
* **openproject:** Digest rollback ([9acce08](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9acce081397c06426820b61f39c9aa0dcc1234a5))
## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)
### Bug Fixes
* **helmfile:** Add timeout for database services ([98ec02f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/98ec02f230f1691eb8c17d8d3552fceda329bf7c))
* **openproject:** Image digest ([b340373](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b340373133ad973cfd6a3632adc9a74a23419cc7))
## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
### Bug Fixes
* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
### Bug Fixes
* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
### Bug Fixes
* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
### Bug Fixes
* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ce7e5f670a4dbc980eb8be73e5f7d15b27e8b1de))
## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)
### Bug Fixes
* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f46c8a9a5f4f9778cb171d65e9a0280e4ce61c16))
## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)
### Bug Fixes
* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41b9afb3648a0e1fddc5aa4337cc1501756b370c))
# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)
### Features
* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a99c088361b95b2bb7ee2b161e3a254f02bcd9ae))
## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)
### Bug Fixes
* **helmfile:** Fix linter issues ([1514678](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1514678db00d32c1463d8fc496c0e6d1c2a2df96))
* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16c08f82c9b4934567bb3b9c7fccab754bfad494))
* **univention-management-stack:** Add Helm charts ([a74d662](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a74d66240423fd5ba87854cc2b71132f11271ec7))
* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/471a2fa26205b8ca3afb5eeeb4524897a57f5c20))
* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/13bcd785e8f7db22d20903020e0cdd28094309a9))
* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/320da3bec3a49d974765e567878d5c2f2b4e93ef))
* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5e1a7b19e278147d010c48dac2da111f828dd115))
* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c54bab165bf81854471d790200781b4181eba22a))
* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c61b1b828150caa8d2fe1a5b9f0a862b2fbef4f1))
* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/96097e470483a5251acd81eb772da70ad7f55137))
* **univention-management-stack:** Configure cookie banner data ([12c931f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/12c931fcff5536116af11df1c9c0468429949fe2))
* **univention-management-stack:** Define resource requests and limits ([2f8a298](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2f8a2989250ea0f3b50dd3417f214a8864fe62d0))
* **univention-management-stack:** Disable istio for the stack ([4835a2b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4835a2beec408ec6267177f82257edd9ccb0d937))
* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ab1cb5c7e7bca85394eae2ed17141e513dd5a42))
* **univention-management-stack:** Process bases before releases ([ec3f1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ec3f1d96ac17cf1fb9d34ab692240460d5bd4ba1))
* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ba71f2749eaf51b09429a5f3c705bd0075c1efa))
* **univention-management-stack:** Split templated from static values ([09079a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/09079a13031be7894a34bf92945bd25a040c2290))
* **univention-management-stack:** Split values into templated and static ([d3c4390](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d3c439038a2551ec90324ab8659d24b65b223d4f))
* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c84060811229bb131bcd473a9e4668dfa73f97d7))
* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a4bab4068dc298056ed864e60a244d49a2934c8b))
* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9409ad829a725c84ebc3de5d1c4d42fe735e9d0c))
* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/90019e3ef6de5e4ed1742ee9ddc3bbb256cd3dec))
* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/77e362f6bc053c5d456bf65649f15130ce53547c))
* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fe0e0cdce4622352afbf74875adcae8324d769a3))
* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/edb25bd7655beeefa73a62fb9a8c85e076c4cc2f))
* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15db5dcbba33c39f752499f2d73c77cac32d1e8c))
## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
### Bug Fixes
* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
### Features
* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
### Bug Fixes
* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
### Bug Fixes
* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
### Bug Fixes
* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
### Bug Fixes
* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
### Bug Fixes
* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
### Bug Fixes
* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
### Bug Fixes
* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
### Bug Fixes
* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
### Bug Fixes
* **xwiki:** Theming and language of central navigation ([3d4d45f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3d4d45f7114e6e3bc353b8d6c5fdbcac4cb2460f))
## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)
### Bug Fixes
* **element:** Apply the global theme to Element ([7f7eae8](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7f7eae8f99a6d8ad8085ad99c63af27b858ff9b7))
## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
### Bug Fixes
* **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
### Bug Fixes
* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
### Bug Fixes
* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
### Bug Fixes
* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
### Features
* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
@@ -99,3 +559,8 @@
* **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
* **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
* **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->

4
COMPONENTS-FUNCTIONAL.md
View File

@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function
## File & Share - Nextcloud
## Kollaboration - dOnlineZusammenarbeit 2.0
## Kollaboration - Element
## Videokonferenzen - Jitsi
@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function
## Project Management - OpenProject
## IAM - Univention Corporate Services
## Portal & IAM - Univention Corporate Services

2
COMPONENTS-SERVICE.md
View File

@@ -42,7 +42,7 @@ This service is used by:
## TURN Server
- dOZ 2.0
This services is used by:
- Jitsi
## NFS

8
CONTRIBUTING.md
View File

@@ -9,17 +9,17 @@ Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/b
# How to contribute?
When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
When providing contributes to this project, please adhere to the standards and conventions described further down in this document. Doing so please feel free to create merge requests.
# Standards and conventions
## Branching
We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
We use [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
## Verified commits
We only allow verify commits:
We only allow verified commits:
- https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
- https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
- https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
@@ -80,7 +80,7 @@ Due to DVS requirements:
- we should avoid stand alone Manifests.
- we do not use Operators and CRDs.
In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
In order to align the Helm files from various sources into an unified deployment of the SWP we make use of [Helmfile](https://github.com/helmfile/helmfile).
## Tooling

228
README.md
View File

@@ -45,6 +45,15 @@ repository please use the [issues within this project](https://gitlab.opencode.d
If you want to address other topics, please check the section
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
# Releases
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
The following release artefacts are provided beside the default source code assets:
- `chart-index.json`: An overview of all Helm charts used by the release.
- `image-index.json`: An overview of all container images used by the release.
# Deployment
**Note for project members:** You can use the project's `dev` K8s cluster to set
@@ -57,15 +66,15 @@ up your own instance for development purposes. Please see the project
These are the requirements of the Sovereign Workplace deployment:
- Vanilla K8s cluster
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
- Domain and DNS Service
- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and
[HelmDiff](https://github.com/databus23/helm-diff)
- [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
- Volume provisioner supporting RWO (read-write-once)
- Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are
working with Open-Xchange to get rid of this dependency.
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
#### TLS Certificate
@@ -83,8 +92,6 @@ installation.
| `DOMAIN` | `souvap.cloud` | External reachable domain |
| `ISTIO_DOMAIN` | `istio.souvap.cloud` | External reachable domain for Istio Gateway |
| `MASTER_PASSWORD` | `sovereign-workplace` | The password that seeds the autogenerated secrets |
| `SMTP_PASSWORD` | | Password for SMTP relay gateway |
| `TURN_CREDENTIALS` | | Credentials for coturn server |
Please ensure that you set the DNS records pointing to the loadbalancer/IP for
`DOMAIN` and `ISTIO_DOMAIN`.
@@ -149,6 +156,22 @@ and wait a little. After the deployment is finished some bootstrapping is
executed which might take some more minutes before you can log in your new
instance.
Deployments can be removed with:
```shell
helmfile destroy -n <NAMESPACE>
```
## Offline deployment
Before executing a [local deployment](#local-deployment), you can set following
environment variables to use your own container image and helm chart registry:
| name | description |
|------------------------------|--------------------------------|
| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
| PRIVATE_IMAGE_REGISTRY_URL | Your image registry url |
## Logging in
When successfully deployed the SWP, all K8s jobs from the deployment should be
@@ -192,6 +215,7 @@ subdirectory `/helmfile/apps/services`.
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
@@ -200,6 +224,7 @@ subdirectory `/helmfile/apps/services`.
| PostgreSQL | `postgresql.enabled` | `true` | Database | Eval |
| Redis | `redis.enabled` | `true` | Cache Database | Eval |
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | Functional |
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal | Eval |
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | Functional |
@@ -214,8 +239,8 @@ subdirectory `/helmfile/apps/services`.
#### Databases
In case you don't got for a develop or evaluation environment you want to point
the application to your own database instances.
When deploying this suite to production, you need to configure the applications to use your production grade database
service.
| Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
@@ -259,33 +284,150 @@ the application to your own database instances.
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
#### Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
service.
| Component | Name | Type | Parameter | Key | Default |
|------------------|------------------|-----------|-----------|------------------------------|------------------|
| Intercom Service | Intercom Service | Redis | | | |
| | | | Host | `cache.intercomService.host` | `redis-headless` |
| | | | Port | `cache.intercomService.port` | `6379` |
| Nextcloud | Nextcloud | Redis | | | |
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
| | | | Port | `cache.nextcloud.port` | `6379` |
| OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` |
### Scaling
The Replicas of components can be increased, while we still have to look in the
actual scalability of the components (see column `Scales at least to 2`).
actual scalability of the components (see column `Scaling (verified)`).
| Component | Name | Default | Service | Scaling | Scales at least to 2 |
|-------------|------------------------|---------|--------------------|--------------------|----------------------|
| ClamAV | `replicas.clamav` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.clamd` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.freshclam` | `1` | :white_check_mark: | :x: | not tested |
| | `replicas.icap` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.milter` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Collabora | `replicas.collabora` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Dovecot | `replicas.dovecot` | `1` | :white_check_mark: | :x: | not tested |
| Element | `replicas.element` | `2` | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| | `replicas.synapse` | `1` | :white_check_mark: | :x: | not tested |
| | `replicas.synapseWeb` | `2` | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| | `replicas.wellKnown` | `2` | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| Jitsi | `replicas.jibri` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.jicofo` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.jitsi ` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.jvb ` | `1` | :white_check_mark: | :x: | :x: |
| Keycloak | `replicas.keycloak` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Nextcloud | `replicas.nextcloud` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| OpenProject | `replicas.openproject` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Postfix | `replicas.postfix` | `1` | :white_check_mark: | :x: | not tested |
| XWiki | `replicas.xwiki` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Component | Name | Scaling (effective) | Scaling (verified) |
|-------------|------------------------|:-------------------:|:------------------:|
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
| | `replicas.freshclam` | :x: | :x: |
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
| Dovecot | `replicas.dovecot` | :x: | :gear: |
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
| | `replicas.synapse` | :x: | :gear: |
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
| | `replicas.jicofo` | :white_check_mark: | :gear: |
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
| | `replicas.jvb ` | :x: | :x: |
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
| Postfix | `replicas.postfix` | :x: | :gear: |
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
### Mail/SMTP configuration
To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
the whole subdomain.
```yaml
smtp:
host: # your SMTP host or IP-address
username: # username/email for authentication
password: # password for authentication, or via environment variable SMTP_PASSWORD
```
### TURN configuration
Some components (Jitsi, Element) use for direct communication a TURN server.
You can configure your own TURN server with these options:
```yaml
turn:
transport: # "udp" or "tcp"
credentials: # turn credential string
server: # configuration for unsecure connections
host: # your TURN host or IP-address
port: # server port
tls: # configuration for secure connections
host: # your TURN host or IP-address
port: # server port
```
## Security
This section summarizes various aspects of security and compliance aspects.
### Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
### Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
`pubkey.gpg` file and are validated during helmfile installation.
| Repository | OCI | Verifiable |
|--------------------------------------|:---:|:------------------:|
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
| clamav-repo | yes | :white_check_mark: |
| collabora-online-repo | no | :x: |
| intercom-service-repo | yes | :white_check_mark: |
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: |
| keycloak-theme-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: |
| opendesk-certificates-repo | yes | :white_check_mark: |
| opendesk-dovecot-repo | yes | :white_check_mark: |
| opendesk-element-repo | yes | :white_check_mark: |
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | no | :x: |
| openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: |
| univention-corporate-container-repo | yes | :white_check_mark: |
| ums-repo | no | :x: |
| xwiki-repo | no | :x: |
# Component integration
@@ -362,7 +504,7 @@ flowchart TD
A[OX AppSuite]-->L
D[OX Dovecot]-->L
P[Portal/Admin]-->L
O[OpenProject]-->|in 2023|L
O[OpenProject]-->L
X[XWiki]-->|in 2023|L
A-->K
N-->K
@@ -416,18 +558,20 @@ components we are going to cover various aspects:
## Tests
There is a frontend end-to-end test suite that can get triggered if the
deployment is performed via a Gitlab pipeline.
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The `DEPLOY_`-variables are used to determine which components should be tested.
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
`<domain of gitlab>/api/v4/projects/<id>`.
Currently, the test suite is in progress to be published, so right now it is
only usable by project members. But that will change soon, and it could be used
to create custom tests and perform them after deployment.
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
`TESTS_BRANCH` while creating a new pipeline.
The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
points to the test pipeline residing in another Gitlab repository. At the end of
the deployment the test pipeline is triggered. Tests are just performed for
components that have been deployed prior.
# License
This project uses the following license: Apache-2.0
# Copyright
Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# Footnotes

13
helmfile.yaml
View File

@@ -9,6 +9,7 @@ helmfiles:
- path: "helmfile/apps/services/helmfile.yaml"
- path: "helmfile/apps/keycloak/helmfile.yaml"
- path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
- path: "helmfile/apps/univention-management-stack/helmfile.yaml"
- path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
- path: "helmfile/apps/intercom-service/helmfile.yaml"
- path: "helmfile/apps/open-xchange/helmfile.yaml"
@@ -28,16 +29,28 @@ missingFileHandler: "Error"
# - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
# - Installing a single release from app directory via helmfile apply
# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
environments:
default:
values:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
dev:
values:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/dev/values.yaml"
- "helmfile/environments/dev/values.gotmpl"
test:
values:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/test/values.yaml"
- "helmfile/environments/test/values.gotmpl"
prod:
values:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/prod/values.yaml"
- "helmfile/environments/prod/values.gotmpl"
...

19
helmfile/apps/collabora/helmfile.yaml
View File

@@ -1,23 +1,28 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "collabora-online"
url: "https://collaboraonline.github.io/online"
# Collabora Online
# Source: https://github.com/CollaboraOnline/online
- name: "collabora-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://collaboraonline.github.io/online" }}
releases:
- name: "collabora-online"
chart: "collabora-online/collabora-online"
chart: "collabora-online-repo/collabora-online"
version: "1.0.2"
values:
- "values.yaml"
- "values.gotmpl"
condition: "collabora.enabled"
installed: {{ .Values.collabora.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "collabora"
bases:
- "../../bases/environments.yaml"
...

14
helmfile/apps/collabora/values.gotmpl
View File

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
tag: "{{ .Values.images.collabora.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
@@ -28,18 +29,13 @@ ingress:
collabora:
# Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
username: "collabora-internal-admin"
password: {{ .Values.secrets.collabora.adminPassword }}
password: {{ .Values.secrets.collabora.adminPassword | quote }}
aliasgroups:
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
{{- if not (eq .Values.cluster.container.engine "containerd") }}
# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
# Ref.: https://github.com/CollaboraOnline/online/issues/2800
securityContext:
capabilities:
add:
- "MKNOD"
{{- end }}
replicaCount: {{ .Values.replicas.collabora }}
resources:
{{ .Values.resources.collabora | toYaml | nindent 2 }}
...

73
helmfile/apps/collabora/values.yaml
View File

@@ -14,19 +14,74 @@ collabora:
ingress:
annotations:
# nginx
# Ingress NGINX
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/server-snippet: |
# block admin and metrics endpoint from outside by default
location /cool/getMetrics { deny all; return 403; }
location /cool/adminws/ { deny all; return 403; }
location /browser/dist/admin/admin.html { deny all; return 403; }
# NGINX
nginx.org/websocket-services: "collabora"
nginx.org/lb-method: "hash $arg_WOPISrc consistent"
nginx.org/proxy-read-timeout: "600"
nginx.org/proxy-send-timeout: "600"
nginx.org/client-max-body-size: "0"
nginx.org/server-snippets: |
# block admin and metrics endpoint from outside by default
location /cool/getMetrics { deny all; return 403; }
location /cool/adminws/ { deny all; return 403; }
location /browser/dist/admin/admin.html { deny all; return 403; }
# HAProxy
haproxy.org/timeout-tunnel: "3600s"
haproxy.org/backend-config-snippet: |
mode http
balance leastconn
stick-table type string len 2048 size 1k store conn_cur
http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
http-request track-sc1 url_param(WOPISrc)
stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
stick store-request url_param(WOPISrc)
balance url_param WOPISrc check_post
hash-type consistent
# HAProxy - Community: https://haproxy-ingress.github.io/
haproxy-ingress.github.io/timeout-tunnel: "3600s"
haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
haproxy-ingress.github.io/config-backend: |
hash-type consistent
# block admin urls from outside
acl admin_url path_beg /cool/getMetrics
acl admin_url path_beg /cool/adminws/
acl admin_url path_beg /browser/dist/admin/admin.html
http-request deny if admin_url
autoscaling:
enabled: false
serviceAccount:
create: true
securityContext:
allowPrivilegeEscalation: true
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
- "MKNOD"
podSecurityContext:
fsGroup: 100
...

135
helmfile/apps/element/helmfile.yaml
View File

@@ -1,43 +1,136 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-element"
url: "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable"
# openDesk Element
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
- name: "opendesk-element-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Matrix Widgets
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
- name: "opendesk-matrix-widgets-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "sovereign-workplace-element"
chart: "sovereign-workplace-element/sovereign-workplace-element"
version: "1.1.2"
- name: "opendesk-element"
chart: "opendesk-element-repo/opendesk-element"
version: "2.5.0"
values:
- "values-element.yaml"
- "values-element.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "sovereign-workplace-well-known"
chart: "sovereign-workplace-element/sovereign-workplace-well-known"
version: "1.1.2"
- name: "opendesk-well-known"
chart: "opendesk-element-repo/opendesk-well-known"
version: "2.5.0"
values:
- "values-well-known.yaml"
- "values-well-known.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "sovereign-workplace-synapse-web"
chart: "sovereign-workplace-element/sovereign-workplace-synapse-web"
version: "1.1.2"
- name: "opendesk-synapse-web"
chart: "opendesk-element-repo/opendesk-synapse-web"
version: "2.5.0"
values:
- "values-synapse-web.yaml"
- "values-synapse-web.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "sovereign-workplace-synapse"
chart: "sovereign-workplace-element/sovereign-workplace-synapse"
version: "1.1.2"
- name: "opendesk-synapse"
chart: "opendesk-element-repo/opendesk-synapse"
version: "2.5.0"
values:
- "values-synapse.yaml"
- "values-synapse.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-matrix-user-verification-service-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account"
version: "2.5.0"
values:
- "values-matrix-user-verification-service-bootstrap.yaml"
- "values-matrix-user-verification-service-bootstrap.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-matrix-user-verification-service"
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
version: "2.5.0"
values:
- "values-matrix-user-verification-service.yaml"
- "values-matrix-user-verification-service.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neoboard-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
version: "3.1.0"
values:
- "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neochoice-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
version: "3.1.0"
values:
- "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
version: "3.1.0"
values:
- "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-bot-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account"
version: "2.5.0"
values:
- "values-matrix-neodatefix-bot-bootstrap.yaml"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-bot"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
version: "3.1.0"
values:
- "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "element"
bases:
- "../../bases/environments.yaml"
...

95
helmfile/apps/element/values-element.gotmpl
View File

@@ -11,7 +11,99 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration:
additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
"net.nordeck.element_web.module.opendesk":
config:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
custom_css_variables:
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
"net.nordeck.element_web.module.widget_lifecycle":
widget_permissions:
"https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
identity_approved: true
"https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
preload_approved: true
capabilities_approved:
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
- org.matrix.msc2762.send.state_event:m.room.power_levels#
- org.matrix.msc2762.receive.state_event:m.room.power_levels#
- org.matrix.msc2762.receive.state_event:m.room.member
- org.matrix.msc2762.receive.state_event:m.room.name
- org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
- org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
- org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
- org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
- org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
- org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
- town.robin.msc3846.turn_servers
"https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
preload_approved: true
capabilities_approved:
- org.matrix.msc2762.send.event:net.nordeck.poll.vote
- org.matrix.msc2762.receive.event:net.nordeck.poll.vote
- org.matrix.msc2762.send.state_event:net.nordeck.poll
- org.matrix.msc2762.receive.state_event:net.nordeck.poll
- org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
- org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
- org.matrix.msc2762.receive.state_event:m.room.power_levels
- org.matrix.msc2762.receive.state_event:m.room.name
- org.matrix.msc2762.receive.state_event:m.room.member
- org.matrix.msc2762.send.state_event:net.nordeck.poll.group
- org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
- org.matrix.msc2762.send.event:net.nordeck.poll.start
- org.matrix.msc2762.receive.event:net.nordeck.poll.start
"https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
preload_approved: true
identity_approved: true
capabilities_approved:
- org.matrix.msc2931.navigate
- org.matrix.msc2762.timeline:*
- org.matrix.msc2762.receive.state_event:m.room.power_levels
- org.matrix.msc2762.receive.event:m.reaction
- org.matrix.msc2762.receive.state_event:m.room.create
- org.matrix.msc2762.receive.state_event:m.room.tombstone
- org.matrix.msc2762.receive.state_event:m.room.member
- org.matrix.msc2762.send.state_event:m.room.member
- org.matrix.msc2762.receive.state_event:m.room.name
- org.matrix.msc2762.receive.state_event:m.room.topic
- org.matrix.msc2762.receive.state_event:m.space.parent
- org.matrix.msc2762.receive.state_event:m.space.child
- org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
- org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
- org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
- org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
- org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
- org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
- org.matrix.msc3973.user_directory_search
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.element.repository }}"
tag: "{{ .Values.images.element.tag }}"
@@ -24,6 +116,9 @@ ingress:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.element }}
resources:

21
helmfile/apps/element/values-element.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

33
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}"
tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
resources:
{{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-matrix-neoboard-widget.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

33
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoChoiceWidget.repository }}"
tag: "{{ .Values.images.matrixNeoChoiceWidget.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
resources:
{{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-matrix-neochoice-widget.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

23
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
...

8
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml Normal file
View File

@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "meetings-bot"
pod: "opendesk-synapse-0"
secretName: "matrix-neodatefix-bot-account"
...

37
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl Normal file
View File

@@ -0,0 +1,37 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration:
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixBot.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixBot.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
persistence:
size: "{{ .Values.persistence.size.matrixNeoDateFixBot }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
resources:
{{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
...

50
helmfile/apps/element/values-matrix-neodatefix-bot.yaml Normal file
View File

@@ -0,0 +1,50 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"
calendarWidgetName: "Terminplaner"
cockpitWidgetName: "Meeting Steuerung"
jitsiWidgetName: "Videokonferenz"
matrixNeoBoardWidgetName: "Whiteboard"
matrixNeoChoiceWidgetName: "Abstimmungen"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
extraEnvVars:
- name: "ACCESS_TOKEN"
valueFrom:
secretKeyRef:
name: "matrix-neodatefix-bot-account"
key: "access_token"
# TODO: The health endpoint does not work with the haproxy configuration, yet
livenessProbe:
enabled: false
podSecurityContext:
enabled: true
fsGroup: 101
# TODO: The health endpoint does not work with the haproxy configuration, yet
readinessProbe:
enabled: false
...

33
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixWidget.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixWidget.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
resources:
{{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
...

25
helmfile/apps/element/values-matrix-neodatefix-widget.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

23
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
password: {{ .Values.secrets.matrixUserVerificationService.password }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
...

8
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml Normal file
View File

@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "uvs"
pod: "opendesk-synapse-0"
secretName: "opendesk-matrix-user-verification-service-account"
...

23
helmfile/apps/element/values-matrix-user-verification-service.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
resources:
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
...

29
helmfile/apps/element/values-matrix-user-verification-service.yaml Normal file
View File

@@ -0,0 +1,29 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
# TODO: the service can't run with read only filesystem or as non-root
# readOnlyRootFilesystem: true
# runAsGroup: 101
# runAsNonRoot: true
# runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
extraEnvVars:
- name: "UVS_ACCESS_TOKEN"
valueFrom:
secretKeyRef:
name: "opendesk-matrix-user-verification-service-account"
key: "access_token"
podSecurityContext:
enabled: true
fsGroup: 101
...

1
helmfile/apps/element/values-synapse-web.gotmpl
View File

@@ -12,6 +12,7 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseWeb.repository }}"
tag: "{{ .Values.images.synapseWeb.tag }}"

21
helmfile/apps/element/values-synapse-web.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

21
helmfile/apps/element/values-synapse.gotmpl
View File

@@ -12,6 +12,7 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapse.repository }}"
tag: "{{ .Values.images.synapse.tag }}"
@@ -21,9 +22,20 @@ configuration:
host: "{{ .Values.databases.synapse.host }}"
name: "{{ .Values.databases.synapse.name }}"
user: "{{ .Values.databases.synapse.username }}"
password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
homeserver:
appServiceConfigs:
- as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
id: intercom-service
namespaces:
users:
- exclusive: false
regex: "@.*"
url: null
sender_localpart: intercom-service
oidc:
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -41,6 +53,13 @@ configuration:
transport: {{ .Values.turn.transport }}
{{- end }}
guestModule:
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseGuestModule.repository }}"
tag: "{{ .Values.images.synapseGuestModule.tag }}"
persistence:
size: "{{ .Values.persistence.size.synapse }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

32
helmfile/apps/element/values-synapse.yaml Normal file
View File

@@ -0,0 +1,32 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
additionalConfiguration:
room_prejoin_state:
additional_event_types:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
homeserver:
guestModule:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 10991
...

1
helmfile/apps/element/values-well-known.gotmpl
View File

@@ -12,6 +12,7 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.wellKnown.repository }}"
tag: "{{ .Values.images.wellKnown.tag }}"

25
helmfile/apps/element/values-well-known.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
e2ee:
forceDisable: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

25
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -1,23 +1,30 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "intercom-service"
url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
# Intercom Service
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
- name: "intercom-service-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "intercom-service"
chart: "intercom-service/intercom-service"
version: "1.1.3"
chart: "intercom-service-repo/intercom-service"
version: "2.0.0"
values:
- "values.yaml"
- "values.gotmpl"
condition: "intercom.enabled"
installed: {{ .Values.intercom.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "intercom-service"
bases:
- "../../bases/environments.yaml"
...

16
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
@@ -13,23 +14,28 @@ global:
ics:
secret: {{ .Values.secrets.intercom.secret }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
originRegex: "{{ .Values.istio.domain }}"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
default:
domain: "{{ .Values.global.domain }}"
oidc:
secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
matrix:
asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
serverName: "matrix.{{ .Values.global.domain }}"
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
subdomain: {{ .Values.global.hosts.synapse }}
serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
nordeck:
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot }}
portal:
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
redis:
password: {{ .Values.secrets.redis.password }}
host: {{ .Values.cache.intercomService.host }}
port: {{ .Values.cache.intercomService.port }}
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.intercom.repository }}"
tag: "{{ .Values.images.intercom.tag }}"

25
helmfile/apps/jitsi/helmfile.yaml
View File

@@ -1,22 +1,31 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "jitsi"
url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
# openDesk Jitsi
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
- name: "jitsi-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "jitsi"
chart: "jitsi/sovereign-workplace-jitsi"
version: "1.2.1"
chart: "jitsi-repo/sovereign-workplace-jitsi"
version: "1.7.1"
values:
- "values-jitsi.gotmpl"
condition: "jitsi.enabled"
installed: {{ .Values.jitsi.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "jitsi"
bases:
- "../../bases/environments.yaml"
...

15
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -11,7 +11,11 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
@@ -19,6 +23,9 @@ image:
settings:
jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
jitsi:
publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
web:
@@ -56,6 +63,10 @@ jitsi:
value: "myappid"
- name: "JWT_APP_SECRET"
value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"
value: "true"
- name: "MATRIX_UVS_URL"
value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
- name: TURNS_HOST
value: "{{ .Values.turn.tls.host }}"
- name: TURNS_PORT
@@ -79,7 +90,7 @@ jitsi:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
tag: "{{ .Values.images.jicofo.tag }}"
xmpp:
password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
@@ -113,7 +124,9 @@ jitsi:
patchJVB:
configuration:
staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
tag: "{{ .Values.images.jitsiPatchJVB.tag }}"

26
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -1,25 +1,35 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-keycloak-bootstrap"
url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
# openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
- name: "opendesk-keycloak-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "sovereign-workplace-keycloak-bootstrap"
chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
version: "1.1.11"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
timeout: 1800
commonLabels:
deploy-stage: "component-1"
component: "keycloak-bootstrap"
bases:
- "../../bases/environments.yaml"
...

7
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -11,14 +11,19 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
administrator:
password: "{{ .Values.secrets.keycloak.adminPassword }}"
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakBootstrap.repository }}"
tag: "{{ .Values.images.keycloakBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

3
helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml
View File

@@ -4,7 +4,4 @@
config:
administrator:
username: "kcadmin"
cleanup:
deletePodsOnSuccess: true
...

52
helmfile/apps/keycloak/helmfile.yaml
View File

@@ -1,44 +1,62 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "bitnami"
url: "https://charts.bitnami.com/bitnami"
- name: "keycloak-theme"
url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
- name: "keycloak-extensions"
url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Keycloak Theme
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
- name: "keycloak-theme-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Keycloak Extensions
- name: "keycloak-extensions-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
releases:
- name: "keycloak-theme"
chart: "keycloak-theme/sovereign-workplace-theme"
version: "1.0.0"
chart: "keycloak-theme-repo/opendesk-keycloak-theme"
version: "2.0.0"
values:
- "values-theme.gotmpl"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak"
chart: "bitnami/keycloak"
version: "12.2.0"
chart: "bitnami-repo/keycloak"
version: "12.1.5"
values:
- "values-keycloak.gotmpl"
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak-extensions"
chart: "keycloak-extensions/keycloak-extensions"
chart: "keycloak-extensions-repo/keycloak-extensions"
version: "0.1.0"
needs:
- "keycloak"
values:
- "values-extensions.yaml"
- "values-extensions.gotmpl"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "keycloak"
bases:
- "../../bases/environments.yaml"
...

20
helmfile/apps/keycloak/values-extensions.gotmpl
View File

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
---
global:
keycloak:
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
postgresql:
connection:
host: "{{ .Values.databases.keycloakExtension.host }}"
@@ -13,19 +13,15 @@ global:
auth:
database: "{{ .Values.databases.keycloakExtension.name }}"
username: "{{ .Values.databases.keycloakExtension.username }}"
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
handler:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
{{- if .Values.images.keycloakExtensionHandler.digest }}
sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
{{- else if .Values.images.keycloakExtensionHandler.tag }}
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
{{- end }}
imagePullPolicy: "Always"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
appConfig:
smtpPassword: "{{ .Values.smtp.password }}"
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: "{{ .Values.smtp.host }}"
smtpUsername: "{{ .Values.smtp.username }}"
mailFrom: "noreply@{{ .Values.global.domain }}"
@@ -35,17 +31,11 @@ proxy:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
{{- if .Values.images.keycloakExtensionProxy.digest }}
sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
{{- else if .Values.images.keycloakExtensionProxy.tag }}
tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
{{- end }}
imagePullPolicy: "Always"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
annotations:
nginx.org/proxy-buffer-size: "8k"
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"

28
helmfile/apps/keycloak/values-extensions.yaml
View File

@@ -11,11 +11,35 @@ global:
handler:
appConfig:
captchaProtectionEnable: "False"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
postgresql:
enabled: false
proxy:
image:
tag: "latest"
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
...

2
helmfile/apps/keycloak/values-keycloak-idp.yaml
View File

@@ -181,7 +181,7 @@ keycloakConfigCli:
"attributes": {
"backchannel.logout.revoke.offline.tokens": "true",
"backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://$(ELEMENT_DOMAIN)/_synapse/client/oidc/backchannel_logout",
"backchannel.logout.url": "https://$(MATRIX_DOMAIN)/_synapse/client/oidc/backchannel_logout",
"post.logout.redirect.uris": "https://$(ELEMENT_DOMAIN)/*##https://$(MATRIX_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
},
"authenticationFlowBindingOverrides": {},

8
helmfile/apps/keycloak/values-keycloak.gotmpl
View File

@@ -13,17 +13,17 @@ image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloak.repository }}"
tag: "{{ .Values.images.keycloak.tag }}"
digest: "{{ .Values.images.keycloak.digest }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
externalDatabase:
host: "{{ .Values.databases.keycloak.host }}"
port: {{ .Values.databases.keycloak.port }}
user: "{{ .Values.databases.keycloak.username }}"
database: "{{ .Values.databases.keycloak.name }}"
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
auth:
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
replicaCount: {{ .Values.replicas.keycloak }}
@@ -81,6 +81,8 @@ keycloakConfigCli:
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:
{{ .Values.resources.keycloak | toYaml | nindent 4 }}
resources:
{{ .Values.resources.keycloak | toYaml | nindent 2 }}

27
helmfile/apps/keycloak/values-keycloak.yaml
View File

@@ -54,5 +54,32 @@ keycloakConfigCli:
- "--import.var-substitution.enabled=true"
cache:
enabled: false
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
podSecurityContext:
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
...

3
helmfile/apps/keycloak/values-theme.gotmpl
View File

@@ -7,4 +7,7 @@ global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

47
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -1,39 +1,54 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-nextcloud-bootstrap"
url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
- name: "nextcloud"
url: "https://nextcloud.github.io/helm/"
# openDesk Keycloak Bootstrap
# Source:
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
- name: "opendesk-nextcloud-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# Nextcloud
# Source: https://github.com/nextcloud/helm/
- name: "nextcloud-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://nextcloud.github.io/helm/" }}
releases:
- name: "sovereign-workplace-nextcloud-bootstrap"
chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
version: "2.2.0"
- name: "opendesk-nextcloud-bootstrap"
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
version: "3.2.2"
wait: true
waitForJobs: true
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "nextcloud.enabled"
timeout: 1800
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
- name: "nextcloud"
chart: "nextcloud/nextcloud"
chart: "nextcloud-repo/nextcloud"
version: "3.5.19"
needs:
- "sovereign-workplace-nextcloud-bootstrap"
- "opendesk-nextcloud-bootstrap"
values:
- "values-nextcloud.gotmpl"
- "values-nextcloud.yaml"
condition: "nextcloud.enabled"
timeout: 1800
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "nextcloud"
bases:
- "../../bases/environments.yaml"
...

19
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -14,26 +14,26 @@ global:
config:
administrator:
password: {{ .Values.secrets.nextcloud.adminPassword }}
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
antivirus:
{{- if .Values.clamavDistributed.enabled }}
host: "clamav-sovereign-workplace-icap"
host: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }}
host: "clamav-simple"
{{- end }}
apps:
integrationSwp:
password: {{ .Values.secrets.centralnavigation.apiKey }}
password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
userOidc:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
database:
host: "{{ .Values.databases.nextcloud.host }}"
name: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
ldapSearch:
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
@@ -43,7 +43,13 @@ config:
username: "{{ .Values.smtp.username }}"
password: "{{ .Values.smtp.password }}"
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.nextcloud.repository }}"
tag: "{{ .Values.images.nextcloud.tag }}"
@@ -64,4 +70,7 @@ persistence:
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

4
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -11,6 +11,6 @@ config:
userOidc:
username: "ncoidc"
cleanup:
deletePodsOnSuccess: false
ldapSearch:
host: "univention-corporate-container"
...

12
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -6,16 +6,20 @@ SPDX-License-Identifier: Apache-2.0
nextcloud:
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword }}
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
externalDatabase:
database: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: "{{ .Values.databases.nextcloud.host }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
extraEnv:
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
redis:
auth:
enabled: true
password: {{ .Values.secrets.redis.password }}
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
@@ -25,7 +29,7 @@ ingress:
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.nextcloud.tag }}"
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

17
helmfile/apps/nextcloud/values-nextcloud.yaml
View File

@@ -21,6 +21,11 @@ cronjob:
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
ingress:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
internalDatabase:
enabled: false
postgresql:
@@ -39,6 +44,18 @@ externalDatabase:
metrics:
enabled: false
nextcloud:
configs:
mimetypealiases.json: |-
{
"application/x-drawio": "image"
}
mimetypemapping.json: |-
{
"drawio": ["application/x-drawio"]
}
# this is not documented but can be found in values.yaml
service:
port: "80"

62
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -1,41 +1,67 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "dovecot"
url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
- name: "openxchange"
url: "registry.open-xchange.com"
# openDesk Dovecot
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
- name: "opendesk-dovecot-repo"
oci: true
- name: "sovereign-workplace-open-xchange-bootstrap"
url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# Open-Xchange
- name: "openxchange-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
# openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
- name: "opendesk-open-xchange-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "dovecot"
chart: "dovecot/dovecot"
chart: "opendesk-dovecot-repo/dovecot"
version: "1.3.1"
values:
- "values-dovecot.yaml"
- "values-dovecot.gotmpl"
condition: "dovecot.enabled"
installed: {{ .Values.dovecot.enabled }}
timeout: 900
- name: "open-xchange"
chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
version: "1.2.13"
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
version: "2.0.4"
values:
- "values-openxchange.yaml"
- "values-openxchange.gotmpl"
condition: "oxAppsuite.enabled"
- name: "sovereign-workplace-open-xchange-bootstrap"
chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
- "values-openxchange-enterprise-contact-picker.yaml"
- "values-openxchange-enterprise-contact-picker.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
- name: "opendesk-open-xchange-bootstrap"
chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
version: "1.3.1"
values:
- "values-openxchange-bootstrap.yaml"
condition: "oxAppsuite.enabled"
- "values-openxchange-bootstrap.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "open-xchange"
bases:
- "../../bases/environments.yaml"
...

7
helmfile/apps/open-xchange/values-dovecot.gotmpl
View File

@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.dovecot.repository }}"
digest: "{{ .Values.images.dovecot.digest }}"
tag: "{{ .Values.images.dovecot.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
@@ -15,10 +16,10 @@ imagePullSecrets:
dovecot:
mailDomain: "{{ .Values.global.domain }}"
password: {{ .Values.secrets.dovecot.doveadm }}
password: {{ .Values.secrets.dovecot.doveadm | quote }}
ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
oidc:
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}

7
helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
View File

@@ -3,10 +3,15 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.openxchangeBootstrap.repository }}"
digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}

14
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl Normal file
View File

@@ -0,0 +1,14 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
appsuite:
core-mw:
secretYAMLFiles:
ldap-client-config.yml:
contactsLdapClient:
auth:
adminDN:
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
...

349
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml Normal file
View File

@@ -0,0 +1,349 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
appsuite:
core-mw:
properties:
# Enterprise contact picker
com.openexchange.contacts.ldap.accounts: "opendesk"
com.openexchange.admin.bypassAccessCombinationChecks: "true"
ENABLE_INTERNAL_USER_EDIT: "false"
# Enterprise contact picker (see also gotmpl)
secretYAMLFiles:
ldap-client-config.yml:
contactsLdapClient:
pool:
type: "simple"
host:
address: "univention-corporate-container"
port: 389
auth:
type: "adminDN"
adminDN:
dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
uiSettings:
# Enterprise contact picker
io.ox/core//features/enterprisePicker/enabled: "true"
yamlFiles:
contacts-provider-ldap.yml:
# Example definitions of available LDAP contact providers, together with their corresponding configuration,
# referenced LDAP client connection settings and attribute mappings.
#
# This template contains examples and will be overwritten during updates. To use, copy this file to
# /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
#
# Each configured contacts provider can be enabled for users using the corresponding identifier used in this
# .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
# is available.
#
# Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
# need to be referenced.
#
# See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
# for further details and a complete list of available configuration options.
#
# Key will be used as identifier for the contact provider
opendesk:
# The display name of this contacts provider.
name: "Example Address Lists"
# Configures the identifier of the LDAP client configuration settings to use, as defined in
# 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
# be specified.
ldapClientId: "contactsLdapClient"
# A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
# corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
mappings: "ucs"
# Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
# identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
# control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
# provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
# 'usedForSync' folders property. Defaults to "false".
isDeletedSupport: false
# Specifies the requested maximum size for paged results. "0" disables paged results. This should be
# configured, especially when the there are server-side restrictions towards the maximum result size.
# Defaults to "500".
maxPageSize: 500
# Optionally enables a local cache that holds certain properties of all of the provider's contacts in
# memory to speed up access. Can only be used if no individual authentication is used to access the
# LDAP server.
cache:
useCache: false
# Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
# one with its specific configuration settings. The template contains examples for all possible modes,
# however, only the one specified through 'mode' property is actually used.
folders:
# Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
# are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
# attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
# dynamically, or "static" to have a static search filter associated with each contact folder.
# The corresponding mode-specific section needs to be configured as well.
mode: "dynamicAttributes"
# Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
# If set to "false", the folders are only available in the web client. If set to "true", folders can
# be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
# and 'uid' contact properties are available, and the LDAP server supports the special
# "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
# controls whether the default value can be changed by the client or not.
usedForSync:
protected: true
defaultValue: false
# Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
# If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
# hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
usedInPicker:
protected: false
defaultValue: true
# Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
# If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
# Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
# the default value can be changed by the client or not.
shownInTree:
protected: false
defaultValue: true
# In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
# filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
# defined, which is used for operations that are not bound to
# a specific folder, like lookups across all visible folders.
# The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
# (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
# and all default to "sub" unless specified otherwise.
static:
commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
commonContactSearchScope: "sub"
folders:
- name: "Cupertino"
contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
contactSearchScope: "sub"
- name: "San Mateo"
contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
contactSearchScope: "sub"
- name: "Redwood Shores"
contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
contactSearchScope: "sub"
- name: "Armonk"
contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
contactSearchScope: "sub"
# With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
# serve as folders. The list of values is fetched by querying all entries that match the
# "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
# Then, the folders are derived based on all distinct attribute values found, with the value as name.
# Depending on the configured authentication mode, this is either done per user individually, or globally.
# Therefore, per-user authentication is not recommend in this mode.
# The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
# using units of measurement:
# "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
# allows to sort the attributes lexicographically, either "ascending" or "descending".
dynamicAttributes:
attributeName: "o"
contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
contactSearchScope: "sub"
# refreshInterval: 1h
refreshInterval: "5m"
sortOrder: "ascending"
# With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
# defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
# possible values.
# All items defined in the "attributeValues" array are used as folder (with the value as name). When
# listing the contents of a specific folder, this folder's specific attribute value is inserted in the
# configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
fixedAttributes:
contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
contactSearchScope: "sub"
attributeValues:
- "Janitorial"
- "Product Development"
- "Management"
- "Human Resources"
contacts-provider-ldap-mappings.yml:
# Example definitions of contact property <-> LDAP attribute mappings.
#
# This template contains examples and will be overwritten during updates. To use, copy this file to
# /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
#
# Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
# file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
#
# Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
# Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
# used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
# display name, or to have multiple mappings for contacts and distribution lists.
#
# For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
# (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
# Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
# the internal user- and context identifier based on attributes yielding the corresponding
# login information (username / contextname), the special appendix ';logininfo' can be used.
# Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
# by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
# property based on a specific 'objectClass' value.
# Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
# using '*'.
#
# See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
# for further details and a complete list of available configuration options.
#
# Mappings for a typical OpenLDAP server.
ucs:
# == ID Mappings =======================================================
# The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
# unless overridden.
# The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
# flag 'binary' should be used.
objectid: "uidNumber,gidNumber"
# The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
# entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
# Will only be considered if an entry's context identifier matches the one from the actual session of
# the requesting operation.
# If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
# "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
# Alternatively, if no internal context- or user identifier is available, also attributes yielding
# the corresponding login information (username / contextname) can be used by appending ';logininfo'
# to the attribute name.
internal_userid: "uid;logininfo"
contextid: "oxContextIDNum"
# The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
# format, the flag 'binary' should be used.
# uid : entryUUID;binary;logininfo
# == String Mappings ===================================================
displayname: "oxDisplayName,displayName,name"
file_as: "oxDisplayName,displayName,name"
givenname: "givenName"
surname: "sn"
email1: "mailPrimaryAddress"
department: "oxDepartment,department"
company: "oxCompany,o"
branches: "oxBranches"
# business_category :
postal_code_business: "postalCode"
state_business: "oxStateBusiness,st"
street_business: "streetAddress"
# telephone_callback :
city_home: "oxCityHome"
commercial_register: "oxCommercialRegister"
country_home: "oxCountryHome"
email2: "oxEmail2"
email3: "oxEmail3"
employeetype: "employeeType"
fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
fax_home: "oxFaxHome"
fax_other: "oxFaxOther"
instant_messenger1: "oxInstantMessenger1"
instant_messenger2: "oxInstantMessenger2"
telephone_ip: "oxTelephoneIp"
telephone_isdn: "internationaliSDNNumber"
marital_status: "oxMaritalStatus"
cellular_telephone1: "mobile"
# cellular_telephone2 :
nickname: "oxNickName"
number_of_children: "oxNumOfChildren"
number_of_employee: "employeeNumber"
note: "oxNote,description"
telephone_pager: "oxTelephonePager,pager"
telephone_assistant: "oxTelephoneAssistant"
telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
telephone_business2: "oxTelephoneBusiness2"
telephone_car: "oxTelephoneCar"
telephone_company: "oxTelephoneCompany"
telephone_home1: "oxTelephoneHome1,homePhone"
telephone_home2: "oxTelephoneHome2"
telephone_other: "oxTelephoneOther"
postal_code_home: "oxPostalCodeHome"
# telephone_radio :
room_number: "roomNumber"
sales_volume: "oxSalesVolume"
city_other: "oxCityOther"
country_other: "oxCountryOther"
middle_name: "oxMiddleName,middleName"
postal_code_other: "oxPostalCodeOther"
state_other: "oxStateOther"
street_other: "oxStreetOther"
spouse_name: "oxSpouseName"
state_home: "oxStateHome"
street_home: "oxStreetHome"
suffix: "oxSuffix"
tax_id: "oxTaxId"
telephone_telex: "oxTelephoneTelex,telexNumber"
telephone_ttytdd: "oxTelephoneTtydd"
url: "oxUrl,wWWHome"
userfield01: "oxUserfiels01"
userfield02: "oxUserfiels02"
userfield03: "oxUserfiels03"
userfield04: "oxUserfiels04"
userfield05: "oxUserfiels05"
userfield06: "oxUserfiels06"
userfield07: "oxUserfiels07"
userfield08: "oxUserfiels08"
userfield09: "oxUserfiels09"
userfield10: "oxUserfiels10"
userfield11: "oxUserfiels11"
userfield12: "oxUserfiels12"
userfield13: "oxUserfiels13"
userfield14: "oxUserfiels14"
userfield15: "oxUserfiels15"
userfield16: "oxUserfiels16"
userfield17: "oxUserfiels17"
userfield18: "oxUserfiels18"
userfield19: "oxUserfiels19"
userfield20: "oxUserfiels20"
city_business: "l"
country_business: "oxCountryBusiness,country"
# telephone_primary :
# categories :
title: "title"
position: "oxPosition"
profession: "oxProfession"
# == Date Mappings =====================================================
birthday: "oxBirthday"
anniversary: "oxAnniversary"
# The last-modified and creation dates are required by the groupware server, therefore an implicit
# default date is assumed when no LDAP attribute is mapped here, and no results are available for this
# folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
# not be available.
lastmodified: "modifyTimestamp"
creationdate: "createTimestamp"
# == Misc Mappings =====================================================
# Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
# Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
# plain email address of the member.
distributionlist: "memberUid"
# Special mapping where the value is evaluated using a string comparison with, or the existence of
# the attribute value.
markasdistributionlist: "objectClass=posixGroup"
# The values for the for assistant- and manager name mappings are either used as-is, or get resolved
# dynamically using the DNs found
# in the mapped LDAP attribute.
assistant_name: "secretary"
manager_name: "oxManagerName,manager"
# Contact image, binary format is expected.
image1: "jpegPhoto"
# Special mapping where the value is evaluated using a string comparison with, or the existence of
# the attribute value.
number_of_images: "jpegPhoto=*"
# Will be set internally if not defined.
# image_last_modified :
# Will be set automatically to "image/jpeg" if not defined.
# image1_content_type :

31
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -11,8 +11,8 @@ global:
database: "{{ .Values.databases.oxAppsuite.name }}"
auth:
user: "{{ .Values.databases.oxAppsuite.username }}"
password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
istio:
enabled: {{ .Values.istio.enabled }}
@@ -34,6 +34,7 @@ public-sector-ui:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
appsuite:
istio:
@@ -52,6 +53,15 @@ appsuite:
core-mw:
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
gotenberg:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
tag: {{ .Values.images.openxchangeGotenberg.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -76,6 +86,16 @@ appsuite:
uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Dynamic theme
io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
secretETCFiles:
# Format of the OX Guard master key:
# MC+base64(20 random bytes)
@@ -86,6 +106,7 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
tag: {{ .Values.images.openxchangeCoreMW.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
update:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -103,11 +124,13 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreUI.repository }}
tag: {{ .Values.images.openxchangeCoreUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
core-ui-middleware:
ingress:
hosts:
- host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
enabled: false
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
@@ -115,6 +138,7 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
core-guidedtours:
imagePullSecrets:
@@ -124,6 +148,7 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
guard-ui:
imagePullSecrets:
@@ -133,11 +158,13 @@ appsuite:
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
tag: {{ .Values.images.openxchangeGuardUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
core-user-guide:
image:
repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}

40
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -4,11 +4,13 @@
appsuite:
istio:
ingressGateway:
name: "sovereign-workplace-gateway-istio-gateway"
name: "opendesk-gateway-istio-gateway"
core-mw:
enabled: true
masterAdmin: "admin"
gotenberg:
enabled: true
features:
status:
# enable admin pack
@@ -22,6 +24,13 @@ appsuite:
open-xchange-authentication-oauth: "enabled"
properties:
com.openexchange.UIWebPath: "/appsuite/"
# PDF Export
com.openexchange.capability.mail_export_pdf: "true"
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
com.openexchange.mail.exportpdf.collabora.enabled: "true"
com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
# OIDC
com.openexchange.oidc.enabled: "true"
com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -55,14 +64,20 @@ appsuite:
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
# New capabilities in 2.0
com.openexchange.capability.public-sector-element: "true"
com.openexchange.capability.public-sector-navigation: "true"
com.openexchange.capability.client-onboarding: "true"
com.openexchange.capability.dynamic-theme: "true"
com.openexchange.capability.filestorage_nextcloud: "true"
com.openexchange.capability.filestorage_nextcloud_oauth: "true"
com.openexchange.capability.guard: "true"
com.openexchange.capability.guard-mail: "true"
com.openexchange.capability.public-sector: "true"
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -93,6 +108,13 @@ appsuite:
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
uiSettings:
# Show the Enterprise Picker in the top right corner instead of the launcher drop-down
io.ox/core//features/enterprisePicker/showLauncher: "false"
io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
# Text and icon color in the topbar
io.ox/dynamic-theme//topbarColor: "#000"
io.ox/dynamic-theme//logoWidth: "82"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
# Resources
io.ox/core//features/resourceCalendars: "true"
io.ox/core//features/managedResources: "true"
@@ -107,18 +129,8 @@ appsuite:
# io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
io.ox/core//apps/quickLaunchCount: "0"
io.ox/core//coloredIcons: "false"
# Dynamic theme
io.ox/dynamic-theme//mainColor: "#004B76"
io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
io.ox/dynamic-theme//logoWidth: "80"
io.ox/dynamic-theme//topbarBackground: "#fff"
io.ox/dynamic-theme//topbarColor: "#1f1f1f"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
io.ox/dynamic-theme//listSelected: "#ADC8F0"
io.ox/dynamic-theme//listHover: "#ddd"
io.ox/dynamic-theme//folderBackground: "#fff"
io.ox/dynamic-theme//folderSelected: "#ADC8F0"
io.ox/dynamic-theme//folderHover: "#ddd"
# Mail templates
io.ox/core//features/templates: "true"
asConfig:
default:

24
helmfile/apps/openproject/helmfile.yaml
View File

@@ -1,23 +1,31 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "openproject"
url: "https://charts.openproject.org"
# OpenProject
# Source: https://github.com/opf/helm-charts
- name: "openproject-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://charts.openproject.org" }}
releases:
- name: "openproject"
chart: "openproject/openproject"
version: "1.8.0"
chart: "openproject-repo/openproject"
version: "2.0.4"
wait: true
waitForJobs: true
values:
- "values.yaml"
- "values.gotmpl"
condition: "openproject.enabled"
installed: {{ .Values.openproject.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "openproject"
bases:
- "../../bases/environments.yaml"
...

19
helmfile/apps/openproject/values.gotmpl
View File

@@ -10,10 +10,13 @@ global:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.openproject.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.openproject.tag }}"
memcached:
connection:
host: "{{ .Values.cache.openproject.host }}"
port: {{ .Values.cache.openproject.port }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
@@ -21,7 +24,7 @@ memcached:
postgresql:
auth:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
username: "{{ .Values.databases.openproject.username }}"
database: "{{ .Values.databases.openproject.name }}"
connection:
@@ -35,7 +38,7 @@ openproject:
name: "OpenProject Interal Admin"
mail: "openproject-admin@swp-domain.internal"
password_reset: "false"
password: "{{ .Values.secrets.openproject.adminPassword }}"
password: {{ .Values.secrets.openproject.adminPassword | quote }}
ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
@@ -51,21 +54,25 @@ environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
OPENPROJECT_SMTP__PORT: "587" # (default=587)
OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
OPENPROJECT_SMTP__SSL: "false" # (default=false)
OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
persistence:
size: "{{ .Values.persistence.size.openproject }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
replicaCount: {{ .Values.replicas.openproject }}
resources:
{{ .Values.resources.openproject | toYaml | nindent 2 }}
...

34
helmfile/apps/openproject/values.yaml
View File

@@ -4,6 +4,9 @@
image:
registry: "registry.souvap-univention.de"
memcached:
bundled: false
probes:
liveness:
initialDelaySeconds: 300
@@ -27,6 +30,16 @@ openproject:
# seed will only be executed on initial installation
seed_locale: "de"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
persistence:
accessModes:
- "ReadWriteMany"
# For more details and more options see
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
environment:
@@ -34,11 +47,32 @@ environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
OPENPROJECT_LOGIN__REQUIRED: "true"
OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
OPENPROJECT_SMTP__AUTHENTICATION: "plain"
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
"(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
"(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
...

18
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -1,23 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "ox-connector"
url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
# OX Connector
- name: "ox-connector-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
releases:
- name: "ox-connector"
chart: "ox-connector/ox-connector"
chart: "ox-connector-repo/ox-connector"
version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
values:
- "values-oxconnector.yaml"
- "values-oxconnector.gotmpl"
condition: "oxConnector.enabled"
installed: {{ .Values.oxConnector.enabled }}
commonLabels:
deploy-stage: "component-2"
component: "provisioning"
bases:
- "../../bases/environments.yaml"
...

4
helmfile/apps/provisioning/values-oxconnector.gotmpl
View File

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.oxConnector.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.oxConnector.tag }}"
imagePullSecrets:
@@ -21,7 +21,7 @@ oxConnector:
domainName: "{{ .Values.global.domain }}"
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
oxMasterAdmin: "admin"
oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1"

150
helmfile/apps/services/helmfile.yaml
View File

@@ -1,80 +1,144 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-certificates"
url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
- name: "postgresql"
url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
- name: "mariadb"
url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
- name: "postfix"
url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
- name: "istio-resources"
url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
- name: "clamav"
url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
- name: "bitnami"
url: "https://charts.bitnami.com/bitnami"
# openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
- name: "opendesk-certificates-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk PostgreSQL
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
- name: "postgresql-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk MariaDB
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
- name: "mariadb-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Postfix
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
- name: "postfix-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Istio Resources
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
- name: "istio-resources-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk ClamAV
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
- name: "clamav-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "sovereign-workplace-certificates"
chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
version: "1.2.2"
- name: "opendesk-certificates"
chart: "opendesk-certificates-repo/opendesk-certificates"
version: "2.1.0"
values:
- "values-certificates.gotmpl"
condition: "certificates.enabled"
installed: {{ .Values.certificates.enabled }}
- name: "redis"
chart: "bitnami/redis"
version: "^17.9.3"
chart: "bitnami-repo/redis"
version: "18.1.2"
values:
- "values-redis.gotmpl"
- "values-redis.yaml"
condition: "redis.enabled"
installed: {{ .Values.redis.enabled }}
- name: "memcached"
chart: "bitnami-repo/memcached"
version: "6.6.2"
values:
- "values-memcached.yaml"
- "values-memcached.gotmpl"
installed: {{ .Values.memcached.enabled }}
- name: "postgresql"
chart: "postgresql/postgresql"
version: "2.0.0"
chart: "postgresql-repo/postgresql"
version: "2.0.2"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
condition: "postgresql.enabled"
installed: {{ .Values.postgresql.enabled }}
timeout: 900
- name: "mariadb"
chart: "mariadb/mariadb"
version: "2.0.0"
chart: "mariadb-repo/mariadb"
version: "2.0.2"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
condition: "mariadb.enabled"
installed: {{ .Values.mariadb.enabled }}
timeout: 900
- name: "postfix"
chart: "postfix/postfix"
version: "1.13.0"
chart: "postfix-repo/postfix"
version: "2.0.3"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
condition: "postfix.enabled"
installed: {{ .Values.postfix.enabled }}
- name: "clamav"
chart: "clamav/sovereign-workplace-clamav"
version: "2.1.0"
chart: "clamav-repo/opendesk-clamav"
version: "4.0.0"
values:
- "values-clamav-distributed.yaml"
- "values-clamav-distributed.gotmpl"
condition: "clamavDistributed.enabled"
installed: {{ .Values.clamavDistributed.enabled }}
- name: "clamav-simple"
chart: "clamav/clamav-simple"
version: "2.1.0"
chart: "clamav-repo/clamav-simple"
version: "4.0.0"
values:
- "values-clamav-simple.yaml"
- "values-clamav-simple.gotmpl"
condition: "clamavSimple.enabled"
- name: "sovereign-workplace-gateway"
chart: "istio-resources/istio-gateway"
version: "1.1.2"
installed: {{ .Values.clamavSimple.enabled }}
- name: "opendesk-gateway"
chart: "istio-resources-repo/istio-gateway"
version: "2.0.0"
values:
- "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl"
condition: "istio.enabled"
installed: {{ .Values.istio.enabled }}
commonLabels:
deploy-stage: "services"
component: "services"
bases:
- "../../bases/environments.yaml"
...

5
helmfile/apps/services/values-certificates.gotmpl
View File

@@ -18,4 +18,9 @@ istio:
issuerRef:
name: "{{ .Values.istio.issuerRef.name }}"
{{- end }}
cleanup:
keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
wildcard: {{ .Values.certificate.wildcard }}
...

10
helmfile/apps/services/values-clamav-distributed.gotmpl
View File

@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
---
clamd:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.clamd }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
freshclam:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.freshclam }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.freshclam.repository }}"
tag: "{{ .Values.images.freshclam.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -37,18 +35,18 @@ icap:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
milter:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.milter }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.milter.repository }}"
tag: "{{ .Values.images.milter.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}

80
helmfile/apps/services/values-clamav-distributed.yaml Normal file
View File

@@ -0,0 +1,80 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
clamd:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
freshclam:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
icap:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
milter:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

7
helmfile/apps/services/values-clamav-simple.gotmpl
View File

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.clamav }}
image:
@@ -15,10 +10,12 @@ image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
icap:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}

19
helmfile/apps/services/values-clamav-simple.yaml Normal file
View File

@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

2
helmfile/apps/services/values-istio-gateway.gotmpl
View File

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
global:
domain: "{{ .Values.istio.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
openxchange: "{{ .Values.global.hosts.openxchange }}"
tls:
secretName: "{{ .Values.istio.domain }}-tls"

4
helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml → helmfile/apps/services/values-istio-gateway.yaml
View File

@@ -1,6 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
cleanup:
deletePodsOnSuccess: true
tls:
httpsRedirect: false
...

11
helmfile/apps/services/values-mariadb.gotmpl
View File

@@ -11,15 +11,18 @@ global:
image:
repository: "{{ .Values.images.mariadb.repository }}"
tag: "{{ .Values.images.mariadb.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
# Please refer to `databases.yaml` for details.
job:
users:
- username: "xwiki_user"
password: "{{ .Values.secrets.mariadb.xwikiUser }}"
password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
- username: "openxchange_user"
password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
- username: "nextcloud_user"
password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
databases:
- name: "xwiki"
user: "xwiki_user"
@@ -29,7 +32,7 @@ job:
user: "openxchange_user"
mariadb:
rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

19
helmfile/apps/services/values-mariadb.yaml
View File

@@ -1,6 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
...

19
helmfile/apps/services/values-memcached.gotmpl Normal file
View File

@@ -0,0 +1,19 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}
...

18
helmfile/apps/services/values-memcached.yaml Normal file
View File

@@ -0,0 +1,18 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
serviceAccount:
create: true
...

16
helmfile/apps/services/values-postfix.gotmpl
View File

@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
digest: "{{ .Values.images.postfix.digest }}"
global:
registry: {{ .Values.global.imageRegistry }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.postfix.repository }}"
tag: "{{ .Values.images.postfix.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
certificate:
secretName: "{{ .Values.ingress.tls.secretName }}"

13
helmfile/apps/services/values-postfix.yaml
View File

@@ -5,6 +5,19 @@ certificate:
request:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: true
capabilities: {}
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 101
postfix:
hostname: "postfix"
inetProtocols: "ipv4"

13
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -11,19 +11,20 @@ global:
image:
repository: "{{ .Values.images.postgresql.repository }}"
tag: "{{ .Values.images.postgresql.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
job:
users:
- username: "keycloak_user"
password: {{ .Values.secrets.postgresql.keycloakUser }}
password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
- username: "openproject_user"
password: {{ .Values.secrets.postgresql.openprojectUser }}
password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
- username: "keycloak_extensions_user"
password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
- username: "matrix_user"
password: {{ .Values.secrets.postgresql.matrixUser }}
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.notificationsapiUser }}
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
databases:
- name: "keycloak"
user: "keycloak_user"
@@ -42,7 +43,7 @@ persistence:
size: "{{ .Values.persistence.size.postgresql }}"
postgres:
password: {{ .Values.secrets.postgresql.postgresUser }}
password: {{ .Values.secrets.postgresql.postgresUser | quote }}
resources:
{{ .Values.resources.postgresql | toYaml | nindent 2 }}

20
helmfile/apps/services/values-postgresql.yaml
View File

@@ -1,11 +1,29 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
postgres:
user: "postgres"
...

3
helmfile/apps/services/values-redis.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
auth:
password: {{ .Values.secrets.redis.password }}
password: {{ .Values.secrets.redis.password | quote }}
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
@@ -16,6 +16,7 @@ image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.redis.repository }}"
tag: "{{ .Values.images.redis.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
master:
persistence:

4
helmfile/apps/services/values-redis.yaml
View File

@@ -8,4 +8,8 @@ sentinel:
metrics:
enabled: false
master:
containerSecurityContext:
readOnlyRootFilesystem: true
...

23
helmfile/apps/univention-corporate-container/helmfile.yaml
View File

@@ -1,23 +1,32 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "univention-corporate-container"
url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
# openDesk Univention Corporate Server (as eval Container)
- name: "univention-corporate-container-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "univention-corporate-container"
chart: "univention-corporate-container/univention-corporate-container"
chart: "univention-corporate-container-repo/univention-corporate-container"
version: "1.0.10"
values:
- "values.yaml"
- "values.gotmpl"
condition: "univentionCorporateServer.enabled"
installed: {{ .Values.univentionCorporateServer.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-corporate-container"
bases:
- "../../bases/environments.yaml"
...

18
helmfile/apps/univention-corporate-container/values.gotmpl
View File

@@ -13,7 +13,7 @@ global:
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "Always"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.univentionCorporateServer.repository }}"
tag: "{{ .Values.images.univentionCorporateServer.tag }}"
@@ -37,31 +37,31 @@ extraEnvVars:
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
- name: LDAPSEARCH_DOVECOT_USERNAME
value: "ldapsearch_dovecot"
- name: LDAPSEARCH_DOVECOT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
- name: LDAPSEARCH_KEYCLOAK_USERNAME
value: "ldapsearch_keycloak"
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
value: "ldapsearch_nextcloud"
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
- name: LDAPSEARCH_OPENPROJECT_USERNAME
value: "ldapsearch_openproject"
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
- name: LDAPSEARCH_XWIKI_USERNAME
value: "ldapsearch_xwiki"
- name: LDAPSEARCH_XWIKI_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
- name: DEFAULT_ACCOUNT_USER_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
resources:
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}

120
helmfile/apps/univention-management-stack/helmfile.yaml Normal file
View File

@@ -0,0 +1,120 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Univention Management Stack
- name: "ums-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
releases:
- name: "ums-store-dav"
chart: "ums-repo/store-dav"
version: "0.2.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-store-dav.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server"
chart: "ums-repo/ldap-server"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-server.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier"
chart: "ums-repo/ldap-notifier"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api"
chart: "ums-repo/udm-rest-api"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-udm-rest-api.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums"
chart: "ums-repo/stack-data-ums"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-ums.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp"
chart: "ums-repo/stack-data-swp"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-swp.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server"
chart: "ums-repo/portal-server"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-server.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api"
chart: "ums-repo/notifications-api"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-notifications-api.gotmpl"
- "values-notifications-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener"
chart: "ums-repo/portal-listener"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-listener.gotmpl"
- "values-portal-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend"
chart: "ums-repo/portal-frontend"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway"
chart: "ums-repo/umc-gateway"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server"
chart: "ums-repo/umc-server"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-server.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-management-stack"
...

14
helmfile/apps/univention-management-stack/values-common.gotmpl Normal file
View File

@@ -0,0 +1,14 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
enabled: {{ .Values.ingress.enabled }}
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""

4
helmfile/apps/intercom-service/values.yaml → helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -1,8 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
istio:
enabled: false
virtualService:
enabled: false
...

20
helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl Normal file
View File

@@ -0,0 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapNotifier.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapNotifier.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
...

10
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
...

44
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl Normal file
View File

@@ -0,0 +1,44 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ldapServer:
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: Certificates handling
# caCert: ""
# certPem: ""
# privateKey: ""
# dhParam: ""
tlsMode: "off"
# TODO: SAML integration
# samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
# samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
# serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapServer.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
# TODO: Pending upstream support, #199
persistence:
data:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
shared:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
...

28
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl Normal file
View File

@@ -0,0 +1,28 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
postgresql:
bundled: false
connection:
host: "postgresql"
port: 5432
auth:
username: "notificationsapi_user"
database: "notificationsapi"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsNotificationsApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsNotificationsApi.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
...

12
helmfile/apps/univention-management-stack/values-notifications-api.yaml Normal file
View File

@@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
...

31
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl Normal file
View File

@@ -0,0 +1,31 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalFrontend.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalFrontend.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
extraIngresses:
redirects:
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
enabled: {{ .Values.ingress.enabled }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
...

54
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl Normal file
View File

@@ -0,0 +1,54 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
portalListener:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
environment: "staging"
debugLevel: "4"
assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
notifierServer: "ums-ldap-notifier"
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalListener.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalListener.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
# TODO: Pending upstream support, #200
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
...

8
helmfile/apps/univention-management-stack/values-portal-listener.yaml Normal file
View File

@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
store-dav:
bundled: false
...

28
helmfile/apps/univention-management-stack/values-portal-server.gotmpl Normal file
View File

@@ -0,0 +1,28 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
authMode: "saml"
environment: "staging"
editable: "true"
logLevel: "DEBUG"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalServer.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
...

38
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl Normal file
View File

@@ -0,0 +1,38 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataSwp:
udmApiUsername: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
externalDomainName: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
oxDefaultContext: "10"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
...

31
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl Normal file
View File

@@ -0,0 +1,31 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataUms:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
...

Some files were not shown because too many files have changed in this diff Show More