sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.2.6
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
...
compare: sheppy:v0.5.29
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

196 Commits
v0.2.6 ... v0.5.29

Author SHA1 Message Date
openDesk
4a79728f01 chore(release): 0.5.29 [skip ci] 
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)

### Bug Fixes

* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](7c56c7244f))
 2023-11-06 19:34:52 +00:00
Clément Aubin
7c56c7244f fix(xwiki): Update XWiki Helm configuration to enable LDAP and OIDC user synchronization 2023-11-06 15:41:23 +00:00
openDesk
e0fce6631b chore(release): 0.5.28 [skip ci] 
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)

### Bug Fixes

* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](899a8c5af9))
 2023-11-06 15:40:22 +00:00
Viktor Pracht
899a8c5af9 fix(open-xchange): Add Document- and ImageConverter, improve LDAP address book filters 2023-11-06 15:38:35 +00:00
openDesk
6cee2c878b chore(release): 0.5.27 [skip ci] 
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)

### Bug Fixes

* **docs:** Re-include release artefacts ([4359b21](4359b21f1c))
 2023-11-04 12:21:17 +00:00
Thorsten Rossner
4359b21f1c fix(docs): Re-include release artefacts 2023-11-04 12:19:45 +00:00
openDesk
d8b2bd3af0 chore(release): 0.5.26 [skip ci] 
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)

### Bug Fixes

* **element:** Enables user directory search for all users ([8fafd90](8fafd906a3))
 2023-11-02 14:32:46 +00:00
Milton Moura
8fafd906a3 fix(element): Enables user directory search for all users 2023-11-02 11:45:05 -01:00
openDesk
fece4ace87 chore(release): 0.5.25 [skip ci] 
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)

### Bug Fixes

* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](ab6014f8c6))
 2023-11-01 17:25:13 +00:00
Thomas Kaltenbrunner
ab6014f8c6 fix(cryptpad): Add CryptPad to support editing of diagrams.net files from within Nextcloud 2023-11-01 17:23:21 +00:00
openDesk
fecd13612b chore(release): 0.5.24 [skip ci] 
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)

### Bug Fixes

* **collabora:** Update image to 23.05.5.3.1 ([38336d0](38336d0240))
 2023-11-01 16:27:49 +00:00
Thorsten Roßner
38336d0240 fix(collabora): Update image to 23.05.5.3.1 2023-11-01 08:53:27 +01:00
openDesk
9f9e4e9521 chore(release): 0.5.23 [skip ci] 
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)

### Bug Fixes

* **element:** Update Element Web to latest release ([b47de62](b47de62f98))
 2023-11-01 14:29:33 +00:00
Mikhail Aheichyk
b47de62f98 fix(element): Update Element Web to latest release 2023-11-01 16:55:14 +03:00
openDesk
9e54299917 chore(release): 0.5.22 [skip ci] 
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)

### Bug Fixes

* **openproject:** Nextcloud integration within K8s instances ([d249d0e](d249d0e3ce))
 2023-10-31 14:04:35 +00:00
Oliver Günther
d249d0e3ce fix(openproject): Nextcloud integration within K8s instances 2023-10-31 14:02:40 +00:00
Thorsten Roßner
fbe7de3c56 chore(release): 0.5.21 [skip ci] 
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)

### Bug Fixes

* **helmfile:** Deinstall components if disabled ([7feaadf](7feaadf7f8))
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](034e98c850))
 2023-10-30 17:01:00 +00:00
Martin Müller
034e98c850 fix(helmfile): Put enviroments in first document inside of a yaml 
see: https://helmfile.readthedocs.io/en/latest/#environment
 2023-10-30 17:55:26 +01:00
Martin Müller
7feaadf7f8 fix(helmfile): Deinstall components if disabled 2023-10-30 17:42:35 +01:00
Thorsten Roßner
a7fef3afff chore(release): 0.5.20 [skip ci] 
## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)

### Bug Fixes

* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](5d01f8ca46))
 2023-10-30 15:41:11 +00:00
Thorsten Rossner
5d01f8ca46 fix(helmfile): Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi 2023-10-30 15:38:48 +00:00
Thorsten Roßner
7093022ec4 chore(release): 0.5.19 [skip ci] 
## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)

### Bug Fixes

* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](2313f75dbe))
 2023-10-30 14:46:49 +00:00
Milton Moura
2313f75dbe fix(element): Update Element Web and Nordeck Widgets to latest releases 2023-10-30 14:43:46 +00:00
Thorsten Roßner
af9caea726 chore(release): 0.5.18 [skip ci] 
## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)

### Bug Fixes

* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](b39986907c))
 2023-10-28 04:51:22 +00:00
Thomas Kaltenbrunner
b39986907c fix(xwiki): Switch to Alpine/Jetty slim image 2023-10-28 04:49:31 +00:00
Thorsten Roßner
a02d7c6085 chore(release): 0.5.17 [skip ci] 
## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)

### Bug Fixes

* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](a046deaf17))
 2023-10-28 04:30:26 +00:00
Thomas Kaltenbrunner
a046deaf17 fix(nextcloud): Update swp_integration app and prepare CryptPad integration 2023-10-28 04:28:48 +00:00
Thorsten Roßner
c76e960446 chore(release): 0.5.16 [skip ci] 
## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)

### Bug Fixes

* **openproject:** Slim container with upgraded helm-chart ([535823e](535823e0a8))
 2023-10-26 16:50:26 +00:00
Oliver Günther
535823e0a8 fix(openproject): Slim container with upgraded helm-chart 2023-10-26 16:48:46 +00:00
Thorsten Roßner
9966bf640e chore(release): 0.5.15 [skip ci] 
## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)

### Bug Fixes

* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](8e376bb4a5))
 2023-10-25 11:52:23 +00:00
Thorsten Rossner
8e376bb4a5 fix(helmfile): Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. 2023-10-25 11:50:08 +00:00
Thorsten Roßner
7c0e4aa9a6 chore(release): 0.5.14 [skip ci] 
## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)

### Bug Fixes

* **element:** Support for openDesk top bar with central navigation ([e609b75](e609b75cc7))
 2023-10-20 10:38:57 +00:00
Dominik Henneke
e609b75cc7 fix(element): Support for openDesk top bar with central navigation 2023-10-20 10:35:20 +00:00
Thorsten Roßner
20d26a069b chore(release): 0.5.13 [skip ci] 
## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)

### Bug Fixes

* **element:** Configure rights and roles ([59d58e3](59d58e320e))
 2023-10-20 08:54:39 +00:00
Ahmad Kadri
59d58e320e fix(element): Configure rights and roles 2023-10-20 08:52:53 +00:00
Thorsten Roßner
49b71aafb4 chore(release): 0.5.12 [skip ci] 
## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)

### Bug Fixes

* **element:** Add an application service for the intercom-service ([1a4eced](1a4eced998))
* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](5afd2339c2))
* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](7756d35fa1))
* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](785989e91d))
* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](27b6796639))
* **element:** Add the Matrix User Verification Service deployment ([30405d1](30405d182d))
* **element:** Upgrade Element to v1.11.46 ([82a037e](82a037ec7c))
* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](fd9e04d992))
* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](cbe514176a))
* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](7f7c364071))
* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](16f2ac464e))
* **intercom-service:** Fix the nordeck configuration ([06dcdd7](06dcdd78af))
* **jitsi:** Use template for the cluster networking domain ([0898d96](0898d96571))
* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](86657b139a))
* **open-xchange:** Enable Element calendar integration ([f564efd](f564efd97f))
 2023-10-19 09:31:03 +00:00
Dominik Henneke
cbe514176a fix(element): Upgrade the opendesk-matrix-widgets charts to 2.3.0 2023-10-17 11:22:59 +02:00
Dominik Henneke
0898d96571 fix(jitsi): Use template for the cluster networking domain 2023-10-17 11:09:33 +02:00
Dominik Henneke
7f7c364071 fix(element): Use a separate image configuration for the bootstrap tasks 2023-10-17 10:54:32 +02:00
Dominik Henneke
fd9e04d992 fix(element): Upgrade the opendesk-element charts to 2.3.0 2023-10-17 10:47:08 +02:00
Dominik Henneke
86657b139a fix(keycloak): Use the correct backchannel logout configuration for element 2023-10-13 15:45:32 +02:00
Dominik Henneke
cdffbe1298 chore(element): Use prerelease of charts 2023-10-13 15:13:12 +02:00
Dominik Henneke
82a037ec7c fix(element): Upgrade Element to v1.11.46 2023-10-13 14:46:12 +02:00
Dominik Henneke
1a4eced998 fix(element): Add an application service for the intercom-service 2023-10-13 14:46:12 +02:00
Dominik Henneke
06dcdd78af fix(intercom-service): Fix the nordeck configuration 2023-10-13 14:46:11 +02:00
Thorsten Roßner
f564efd97f fix(open-xchange): Enable Element calendar integration 2023-10-13 14:46:11 +02:00
Dominik Henneke
16f2ac464e fix(intercom-service): Allow access from the non-istio domain and reference to the correct synapse hostname 2023-10-13 14:46:11 +02:00
Dominik Henneke
30405d182d fix(element): Add the Matrix User Verification Service deployment 2023-10-13 14:46:11 +02:00
Dominik Henneke
785989e91d fix(element): Add the Matrix NeoDateFix Bot deployment 2023-10-13 14:20:07 +02:00
Dominik Henneke
27b6796639 fix(element): Add the Matrix NeoDateFix Widget deployment 2023-10-13 14:17:16 +02:00
Dominik Henneke
7756d35fa1 fix(element): Add the Matrix NeoChoice Widget deployment 2023-10-13 14:17:10 +02:00
Dominik Henneke
5afd2339c2 fix(element): Add the Matrix NeoBoard Widget deployment 2023-10-13 14:17:02 +02:00
Thorsten Roßner
b7f220a6b6 chore(release): 0.5.11 [skip ci] 
## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)

### Bug Fixes

* **helmfile:** Quote all password template strings ([fb7dba7](fb7dba787c))
* **services:** Add memcached service ([72e3afd](72e3afdffd))
 2023-10-11 19:04:59 +00:00
Dominik Kaminski
fb7dba787c fix(helmfile): Quote all password template strings 2023-10-11 16:18:51 +02:00
Dominik Kaminski
72e3afdffd fix(services): Add memcached service 
Add documentation about cache service and refactor into seperate default environment file.
Refactor OpenProject to use external memcached service.
 2023-10-11 15:49:41 +02:00
Thorsten Roßner
85b8fcaab5 chore(release): 0.5.10 [skip ci] 
## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)

### Bug Fixes

* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](c3129f1443))
 2023-10-11 07:01:57 +00:00
Dominik Kaminski
c3129f1443 fix(intercom-service): Update intercom-service chart to v2.0.0 2023-10-10 19:09:37 +02:00
Thorsten Roßner
000be8b032 chore(release): 0.5.9 [skip ci] 
## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)

### Bug Fixes

* **element:** Enable the guest module in Synapse ([da1bf35](da1bf3581c))
 2023-10-10 11:42:54 +00:00
Dominik Henneke
da1bf3581c fix(element): Enable the guest module in Synapse 2023-10-10 09:39:34 +00:00
Thorsten Roßner
4d0011d957 chore(release): 0.5.8 [skip ci] 
## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)

### Bug Fixes

* **helmfile:** Add default port for SMTP in environment ([74f9ec2](74f9ec28e4))
 2023-10-10 07:01:29 +00:00
Dominik Kaminski
74f9ec28e4 fix(helmfile): Add default port for SMTP in environment 2023-10-09 18:30:50 +02:00
Thorsten Roßner
b1d4b2d8ea chore(release): 0.5.7 [skip ci] 
## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)

### Bug Fixes

* **openproject:** Mail sender address ([711d29e](711d29e374))
 2023-10-09 09:41:26 +00:00
Thorsten Roßner
711d29e374 fix(openproject): Mail sender address 2023-10-09 09:31:39 +00:00
Thorsten Roßner
0ba7be2a5f chore(release): 0.5.6 [skip ci] 
## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)

### Bug Fixes

* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](70744d04c6))
* **services:** Bump redis chart to 18.1.2 ([d4c751d](d4c751d29f))
 2023-10-09 09:30:56 +00:00
Dominik Kaminski
d4c751d29f fix(services): Bump redis chart to 18.1.2 2023-10-09 11:19:50 +02:00
Dominik Kaminski
70744d04c6 fix(helmfile): Use signed bitnami charts from openDesk Mirror Builds 2023-10-09 11:19:50 +02:00
Thorsten Roßner
e4e6d2d60a chore(release): 0.5.5 [skip ci] 
## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)

### Bug Fixes

* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](e42feb4c26))
 2023-10-09 07:24:26 +00:00
Thorsten Rossner
e42feb4c26 fix(openproject): Switch image to fix central navigation; set email sender address 2023-10-09 07:22:35 +00:00
Thorsten Roßner
f12c2ed0c2 chore(release): 0.5.4 [skip ci] 
## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)

### Bug Fixes

* **helmfile:** Add third environment (test) ([7dbcbfe](7dbcbfe723))
 2023-10-02 11:21:03 +00:00
Thorsten Rossner
7dbcbfe723 fix(helmfile): Add third environment (test) 2023-10-02 11:19:29 +00:00
Thorsten Roßner
1d8a0ccf1a chore(release): 0.5.3 [skip ci] 
## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)

### Bug Fixes

* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](e33acd33e7))
 2023-09-28 16:38:21 +00:00
Thorsten Rossner
e33acd33e7 fix(open-xchange): Rollback MariaDB version to fix OX Guard initialization 2023-09-28 16:36:28 +00:00
Thorsten Roßner
74e206694e chore(release): 0.5.2 [skip ci] 
## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)

### Bug Fixes

* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](6fd655a0b1))
 2023-09-28 09:06:20 +00:00
Dominik Kaminski
6fd655a0b1 fix(ci): Add Gitlab-CI sledgehammer deployment removal 2023-09-28 10:01:01 +02:00
Thorsten Roßner
d4c39025b6 chore(release): 0.5.1 [skip ci] 
## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)

### Bug Fixes

* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](b6b4972a5d))
* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](d86f516747))
* **element:** Use OCI registry and verify chart signatures ([a41b9a6](a41b9a699c))
* **helmfile:** Add cleanup flag for job resources ([0f01b94](0f01b94aa1))
* **helmfile:** Create directory for gpg pubkeys ([4c5731e](4c5731e6bb))
* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](74b3d41381))
* **jitsi:** Verify chart signatures ([1dd6582](1dd6582ec7))
* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](ca5d5f8280))
* **keycloak:** Use OCI registry and verify chart signatures ([095059c](095059c7e5))
* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](41dfdc0c8f))
* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](2d5d3708f7))
* **open-xchange:** Use renamed istio gateway ([65d2642](65d2642d34))
* **openproject:** Use OCI registry and verify chart signatures ([5343840](5343840bed))
* **services:** Add wildcard certifcate request support ([15ad8ca](15ad8ca7ab))
* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](4372f063e0))
* **services:** Only create istio gateway with webmail domain ([6a39011](6a390112da))
* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](892920b048))
* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](424317ed58))
 2023-09-28 07:23:23 +00:00
Dominik Kaminski
d86f516747 fix(docs): Highlight that Helmfile >= 0.157.0 is required 2023-09-28 09:00:34 +02:00
Dominik Kaminski
4c5731e6bb fix(helmfile): Create directory for gpg pubkeys 2023-09-28 08:41:49 +02:00
Dominik Kaminski
6a390112da fix(services): Only create istio gateway with webmail domain 2023-09-27 22:13:39 +02:00
Dominik Kaminski
65d2642d34 fix(open-xchange): Use renamed istio gateway 2023-09-27 22:03:41 +02:00
Dominik Kaminski
55f73924df chore(univention-corporate-container): Add missing OCI flag 2023-09-27 21:49:13 +02:00
Dominik Kaminski
11cc708f6e chore(open-xchange): Remove duplicate default key 2023-09-27 21:48:55 +02:00
Dominik Kaminski
b6b4972a5d fix(docs): Add 'Helm Chart Trust Chain' section 2023-09-27 20:55:41 +02:00
Dominik Kaminski
2e3f5f6e53 chore(xwiki): Add source to repo description 2023-09-27 20:55:41 +02:00
Dominik Kaminski
3da2aaaed9 chore(univention-management-stack): Rename repostory to ums-repo 2023-09-27 20:55:41 +02:00
Dominik Kaminski
424317ed58 fix(univention-corporate-container): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
b335bc4c3b chore(provisioning): Add respository comment 2023-09-27 20:55:40 +02:00
Dominik Kaminski
5343840bed fix(openproject): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
2d5d3708f7 fix(open-xchange): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
41dfdc0c8f fix(nextcloud): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
ca5d5f8280 fix(keycloak-bootstrap): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
095059c7e5 fix(keycloak): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
1dd6582ec7 fix(jitsi): Verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
74b3d41381 fix(intercom-service): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
a41b9a699c fix(element): Use OCI registry and verify chart signatures 2023-09-27 20:55:40 +02:00
Dominik Kaminski
0b4cd739fc chore(collabora): Add souce link to repository 2023-09-27 20:55:40 +02:00
Dominik Kaminski
4372f063e0 fix(services): Bump opendesk-certificates to 2.1.0 2023-09-27 20:55:40 +02:00
Dominik Kaminski
15ad8ca7ab fix(services): Add wildcard certifcate request support 2023-09-27 20:55:40 +02:00
Dominik Kaminski
1884a90e6f chore(helmfile): Quote string and fix line endings 2023-09-27 20:55:40 +02:00
Dominik Kaminski
0997f2e4a7 chore(helmfile): Add license for gpg key 2023-09-27 20:55:40 +02:00
Dominik Kaminski
0f01b94aa1 fix(helmfile): Add cleanup flag for job resources 2023-09-27 20:55:40 +02:00
Dominik Kaminski
892920b048 fix(services): Use OCI registry for all services and add gpg verify mechanism 2023-09-27 20:55:40 +02:00
Thorsten Roßner
5c3568871b chore(release): 0.5.0 [skip ci] 
# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)

### Bug Fixes

* **element:** Move the static configuration into the values.yaml ([f22619b](f22619bd8e))
* **element:** Specify resources for the guest module init container ([275798c](275798c1d6))

### Features

* **element:** Activate the guest module ([5ad25ac](5ad25acafd))
 2023-09-27 14:37:23 +00:00
Dominik Henneke
f22619bd8e fix(element): Move the static configuration into the values.yaml 2023-09-27 16:33:22 +02:00
Dominik Henneke
275798c1d6 fix(element): Specify resources for the guest module init container 2023-09-27 16:33:22 +02:00
Dominik Henneke
5ad25acafd feat(element): Activate the guest module 2023-09-27 16:18:00 +02:00
Thorsten Roßner
437633cda6 chore(release): 0.4.9 [skip ci] 
## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)

### Bug Fixes

* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](62b767ef38))
 2023-09-27 13:47:20 +00:00
Thorsten Rossner
62b767ef38 fix(nextcloud): Bump Helm chart to add app "groupfolders" 2023-09-27 13:44:47 +00:00
Thorsten Roßner
02be7c15bb chore(release): 0.4.8 [skip ci] 
## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)

### Bug Fixes

* **openproject:** Digest rollback ([9acce08](9acce08139))
 2023-09-26 16:11:15 +00:00
Thorsten Roßner
9acce08139 fix(openproject): Digest rollback 2023-09-26 18:02:31 +02:00
Thorsten Roßner
3f8bffbcf3 chore(release): 0.4.7 [skip ci] 
## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)

### Bug Fixes

* **helmfile:** Add timeout for database services ([98ec02f](98ec02f230))
* **openproject:** Image digest ([b340373](b340373133))
 2023-09-26 14:49:31 +00:00
Thorsten Roßner
98ec02f230 fix(helmfile): Add timeout for database services 2023-09-26 16:32:19 +02:00
Thorsten Roßner
b340373133 fix(openproject): Image digest 2023-09-26 16:30:28 +02:00
Thorsten Roßner
6456f68b7b chore(release): 0.4.6 [skip ci] 
## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)

### Bug Fixes

* **openproject:** Use renamed registry open_desk ([a37faf3](a37faf3b57))
 2023-09-26 12:51:57 +00:00
Oliver Günther
a37faf3b57 fix(openproject): Use renamed registry open_desk 2023-09-26 12:50:26 +00:00
Thorsten Roßner
fbbf3f253b chore(release): 0.4.5 [skip ci] 
## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)

### Bug Fixes

* **helmfile:** Streamline timeouts ([2703615](2703615dff))
 2023-09-26 12:20:31 +00:00
Thorsten Rossner
2703615dff fix(helmfile): Streamline timeouts 2023-09-26 12:18:13 +00:00
Thorsten Roßner
85ad5ecd6d chore(release): 0.4.4 [skip ci] 
## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)

### Bug Fixes

* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](ae3d0daa11))
 2023-09-25 17:29:54 +00:00
Thorsten Rossner
ae3d0daa11 fix(open-xchange): Updates for mail templates and mail export 2023-09-25 17:27:48 +00:00
Thorsten Roßner
0a17976aca chore(release): 0.4.3 [skip ci] 
## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)

### Bug Fixes

* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](ce7e5f670a))
 2023-09-25 11:24:24 +00:00
Thorsten Rossner
ce7e5f670a fix(nextcloud): Update image to 27.1.1 2023-09-25 11:22:39 +00:00
Thorsten Roßner
917f9fb452 chore(release): 0.4.2 [skip ci] 
## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)

### Bug Fixes

* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](f46c8a9a5f))
 2023-09-21 12:38:44 +00:00
Thorsten Rossner
f46c8a9a5f fix(nextcloud): Add Nextcloud app for OpenProject integration; Bump Collabora Image 2023-09-21 12:25:53 +00:00
Thorsten Roßner
c2b44da34e chore(release): 0.4.1 [skip ci] 
## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)

### Bug Fixes

* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](41b9afb364))
 2023-09-19 12:40:28 +00:00
Thorsten Roßner
41b9afb364 fix(univention-management-stack): Remove doublette triple dashes in helmfile.yaml 2023-09-19 13:54:20 +02:00
Thorsten Roßner
63bdcf594b chore(release): 0.4.0 [skip ci] 
# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)

### Features

* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](a99c088361))
 2023-09-18 14:48:12 +00:00
Dibya Chakravorty
a99c088361 feat(ci): Optionally trigger E2E tests of the SouvAP Dev team 2023-09-18 14:46:17 +00:00
Thorsten Roßner
8d09aa02f9 chore(release): 0.3.2 [skip ci] 
## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)

### Bug Fixes

* **helmfile:** Fix linter issues ([1514678](1514678db0))
* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](16c08f82c9))
* **univention-management-stack:** Add Helm charts ([a74d662](a74d662404))
* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](471a2fa262))
* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](13bcd785e8))
* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](320da3bec3))
* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](5e1a7b19e2))
* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](c54bab165b))
* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](c61b1b8281))
* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](96097e4704))
* **univention-management-stack:** Configure cookie banner data ([12c931f](12c931fcff))
* **univention-management-stack:** Define resource requests and limits ([2f8a298](2f8a298925))
* **univention-management-stack:** Disable istio for the stack ([4835a2b](4835a2beec))
* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](7ab1cb5c7e))
* **univention-management-stack:** Process bases before releases ([ec3f1d9](ec3f1d96ac))
* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](0ba71f2749))
* **univention-management-stack:** Split templated from static values ([09079a1](09079a1303))
* **univention-management-stack:** Split values into templated and static ([d3c4390](d3c439038a))
* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](c840608112))
* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](a4bab4068d))
* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](9409ad829a))
* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](90019e3ef6))
* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](77e362f6bc))
* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](fe0e0cdce4))
* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](edb25bd765))
* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](15db5dcbba))
 2023-09-14 20:16:01 +00:00
Johannes Bornhold
1514678db0 fix(helmfile): Fix linter issues 2023-09-14 15:37:35 +02:00
Johannes Bornhold
b7254cf5dc ci(univention-management-stack): Enforce choice between UCS and UMS 2023-09-14 15:26:58 +02:00
Johannes Bornhold
7ab1cb5c7e fix(univention-management-stack): Prepare persistence configuration 2023-09-14 15:21:46 +02:00
Johannes Bornhold
0ba71f2749 fix(univention-management-stack): Set externalDomainName for bootstrapping the stack 2023-09-14 15:21:46 +02:00
Johannes Bornhold
77e362f6bc fix(univention-management-stack): Use ldap base DN "dc=swp-ldap,dc=internal" 2023-09-14 15:21:45 +02:00
Johannes Bornhold
09079a1303 fix(univention-management-stack): Split templated from static values 2023-09-14 15:21:45 +02:00
Johannes Bornhold
15db5dcbba fix(univention-management-stack): Use the value "global.imagePullPolicy" 2023-09-14 15:18:00 +02:00
Johannes Bornhold
d3c439038a fix(univention-management-stack): Split values into templated and static 2023-09-14 15:18:00 +02:00
Johannes Bornhold
9409ad829a fix(univention-management-stack): Use global secrets to populate ldap related secrets 2023-09-14 15:18:00 +02:00
Johannes Bornhold
a4bab4068d fix(univention-management-stack): Use global secrets to fill initialPasswordAdministrator 2023-09-14 15:18:00 +02:00
Johannes Bornhold
90019e3ef6 fix(univention-management-stack): Use global secrets to set store-dav related passwords 2023-09-14 15:18:00 +02:00
Johannes Bornhold
4835a2beec fix(univention-management-stack): Disable istio for the stack 2023-09-14 15:18:00 +02:00
Johannes Bornhold
12c931fcff fix(univention-management-stack): Configure cookie banner data 2023-09-14 15:18:00 +02:00
Johannes Bornhold
2f8a298925 fix(univention-management-stack): Define resource requests and limits 2023-09-14 15:18:00 +02:00
Johannes Bornhold
ec3f1d96ac fix(univention-management-stack): Process bases before releases 2023-09-14 15:17:59 +02:00
Johannes Bornhold
16c08f82c9 fix(univention-management-stack): Add "commonLabels" into helmfile 2023-09-14 15:17:59 +02:00
Johannes Bornhold
edb25bd765 fix(univention-management-stack): Use the prefix "ums-" for all releases 2023-09-14 15:17:59 +02:00
Johannes Bornhold
c840608112 fix(univention-management-stack): Update portal-listener to leverage dependency waiting 2023-09-14 15:17:59 +02:00
Johannes Bornhold
320da3bec3 fix(univention-management-stack): Adjust Ingress configuration for umc 2023-09-14 15:17:59 +02:00
Johannes Bornhold
c61b1b8281 fix(univention-management-stack): Adjust Ingress configuration of udm-rest-api 2023-09-14 15:17:59 +02:00
Johannes Bornhold
96097e4704 fix(univention-management-stack): Adjust Ingress conifguration of store-dav 2023-09-14 15:17:59 +02:00
Johannes Bornhold
5e1a7b19e2 fix(univention-management-stack): Adjust Ingress configuration of notifications-api 2023-09-14 15:17:59 +02:00
Johannes Bornhold
13bcd785e8 fix(univention-management-stack): Adjust Ingress configuration for portal-server 2023-09-14 15:17:58 +02:00
Johannes Bornhold
c54bab165b fix(univention-management-stack): Adjust ingress configuration of the portal-frontend 2023-09-14 15:17:58 +02:00
Johannes Bornhold
836f491766 ci(univention-management-stack): Add option to deploy UMS 2023-09-14 15:17:58 +02:00
Johannes Bornhold
fe0e0cdce4 fix(univention-management-stack): Use postgresql service for notifications-api 2023-09-14 15:17:58 +02:00
Johannes Bornhold
a74d662404 fix(univention-management-stack): Add Helm charts 2023-09-14 15:17:58 +02:00
Johannes Bornhold
471a2fa262 fix(univention-management-stack): Add switch "univentionManagementStack.enabled" 2023-09-14 14:58:22 +02:00
Thorsten Roßner
5f79763e2b chore(release): 0.3.1 [skip ci] 
## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)

### Bug Fixes

* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](b5583caec1))
* **element:** Improve default container security settings ([882f1fb](882f1fbc93))
* **element:** Update opendesk element version to 2.0.1 ([d725b93](d725b93798))
* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](e120f5fb9a))
* **helmfile:** Update images and use a tag and digest together ([c7fc187](c7fc187f14))
* **services:** Explicitly set securityContexts ([a799db0](a799db03c4))
* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](e1070eeb06))
 2023-09-14 11:11:40 +00:00
Dominik Kaminski
e120f5fb9a fix(helmfile): Remove default SMTP credentials and create docs for SMTP/TURN 2023-09-13 23:39:38 +02:00
Dominik Kaminski
a799db03c4 fix(services): Explicitly set securityContexts 2023-09-13 19:33:47 +02:00
Dominik Kaminski
d725b93798 fix(element): Update opendesk element version to 2.0.1 2023-09-13 19:33:47 +02:00
Dominik Kaminski
e1070eeb06 fix(services): Update Postfix to 2.0.2 fixing security gaining 2023-09-13 19:33:47 +02:00
Dominik Kaminski
c7fc187f14 fix(helmfile): Update images and use a tag and digest together 2023-09-13 19:33:47 +02:00
Dominik Kaminski
89ac783dc3 chore(collabora): Quote strings 2023-09-13 19:33:47 +02:00
Dominik Kaminski
882f1fbc93 fix(element): Improve default container security settings 2023-09-13 19:33:43 +02:00
Dominik Kaminski
b5583caec1 fix(collabora): Update Ingress annotations and set securityContext 2023-09-13 16:32:35 +02:00
Thorsten Roßner
6d23534ee0 chore(release): 0.3.0 [skip ci] 
# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)

### Features

* **ci:** Selective tests ([d2e7ac9](d2e7ac9348))
 2023-09-12 21:18:26 +00:00
Tobias Heinzmann
d2e7ac9348 feat(ci): Selective tests 2023-09-12 21:16:33 +00:00
Thorsten Roßner
2125037a3c chore(release): 0.2.10 [skip ci] 
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)

### Bug Fixes

* **helmfile:** Add imagePullPolicy default env variable ([f988644](f9886448b6))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](0eceb85e7d))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](1349181d80))
* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](ed7e5e428e))
* **keycloak:** Improve default security settings ([3b90533](3b90533063))
* **nextcloud:** Fix yamllint disable comment ([4380e78](4380e78981))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](1ef4a861ac))
* **services:** Fix capabilities of postifix ([a6fa846](a6fa846afc))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](be82243966))
 2023-09-06 17:12:09 +00:00
Dominik Kaminski
ed7e5e428e fix(jitsi): Update jitsi to 1.5.1 and fix prosody image 2023-09-06 19:09:59 +02:00
Dominik Kaminski
d28a425673 chore(release): 0.2.10 [skip ci] 
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)

### Bug Fixes

* **helmfile:** Add imagePullPolicy default env variable ([f988644](f9886448b6))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](0eceb85e7d))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](1349181d80))
* **keycloak:** Improve default security settings ([3b90533](3b90533063))
* **nextcloud:** Fix yamllint disable comment ([4380e78](4380e78981))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](1ef4a861ac))
* **services:** Fix capabilities of postifix ([a6fa846](a6fa846afc))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](be82243966))
 2023-09-06 07:53:01 +00:00
Dominik Kaminski
a6fa846afc fix(services): Fix capabilities of postifix 2023-09-05 21:50:31 +02:00
Dominik Kaminski
4380e78981 fix(nextcloud): Fix yamllint disable comment 2023-09-05 20:31:32 +02:00
Dominik Kaminski
be82243966 fix(services): Fix OCI registry address of postgresql, mariadb 2023-09-05 20:15:03 +02:00
Dominik Kaminski
f9886448b6 fix(helmfile): Add imagePullPolicy default env variable 2023-09-05 19:59:18 +02:00
Dominik Kaminski
0eceb85e7d fix(helmfile): Update images and add jitsi, keycloak to security section in docs 2023-09-05 18:49:09 +02:00
Dominik Kaminski
1ef4a861ac fix(services): Disable https redirect in istio to fix cert-manager issues 2023-09-05 18:48:18 +02:00
Dominik Kaminski
3b90533063 fix(keycloak): Improve default security settings 2023-09-05 18:47:28 +02:00
Dominik Kaminski
1349181d80 fix(jitsi): Update chart to 1.4.2 with improved security and fixed change on each deployment 2023-09-05 18:47:04 +02:00
Thorsten Roßner
e1b84898c5 chore(release): 0.2.9 [skip ci] 
## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)

### Bug Fixes

* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](6e5ef639c2))
* **docs:** Add security part in README ([ff462ab](ff462ab0dc))
* **docs:** Update scaling docs ([63a1e25](63a1e2568e))
* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](c5ab1b81fe))
* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](4f2a8aeee4))
* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](6e68f7f28c))
* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](cef11acbae))
* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](41d40c9b73))
* **services:** Enable security context and use default increased security settings ([9a6d240](9a6d2409a6))
* **services:** Fix image registry templates for postfix ([6321ff5](6321ff50a0))
* **services:** Replace image digest by tag ([f758293](f758293241))
* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](5fbf86b6bc))
* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](9d7866480c))
 2023-09-05 11:58:43 +00:00
Dominik Kaminski
63a1e2568e fix(docs): Update scaling docs 2023-09-03 22:45:29 +02:00
Dominik Kaminski
ca4b1da84f chore(helmfile): Fix linting errors for yamllint 2023-09-03 22:26:26 +02:00
Dominik Kaminski
ff462ab0dc fix(docs): Add security part in README 2023-09-03 21:56:55 +02:00
Dominik Kaminski
4f2a8aeee4 fix(helmfile): Update clamav and nextcloud images in default environment 2023-09-03 21:56:45 +02:00
Dominik Kaminski
c5ab1b81fe fix(helmfile): Reduce icap resources in default enviroment 2023-09-03 21:56:31 +02:00
Dominik Kaminski
9d7866480c fix(services): Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries 2023-09-03 21:53:09 +02:00
Dominik Kaminski
9a6d2409a6 fix(services): Enable security context and use default increased security settings 2023-09-03 21:51:33 +02:00
Dominik Kaminski
f758293241 fix(services): Replace image digest by tag 2023-09-03 21:49:39 +02:00
Dominik Kaminski
6321ff50a0 fix(services): Fix image registry templates for postfix 2023-09-03 21:46:40 +02:00
Dominik Kaminski
5fbf86b6bc fix(services): Set readOnlyRootFilesystem to true on master 2023-09-03 21:44:42 +02:00
Dominik Kaminski
6e68f7f28c fix(nextcloud): Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress 2023-09-03 21:43:55 +02:00
Dominik Kaminski
41d40c9b73 fix(nextcloud): Use clamav-icap when clamavDistributed is activated 2023-09-03 21:43:00 +02:00
Dominik Kaminski
cef11acbae fix(nextcloud): Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI 2023-09-03 21:40:45 +02:00
Dominik Kaminski
6e5ef639c2 fix(collabora): Add websocket support for NGINX Inc. Ingress 2023-09-03 21:40:06 +02:00
Thorsten Roßner
65b0ca5480 chore(release): 0.2.8 [skip ci] 
## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)

### Bug Fixes

* **open-xchange:** Update images and Helm chart ([39565c7](39565c7cfd))
 2023-08-31 10:57:35 +00:00
Thorsten Rossner
39565c7cfd fix(open-xchange): Update images and Helm chart 2023-08-31 10:56:00 +00:00
Thorsten Roßner
0d374c1fea chore(release): 0.2.7 [skip ci] 
## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)

### Bug Fixes

* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](387bd8715c))
 2023-08-30 17:08:35 +00:00
Thorsten Rossner
387bd8715c fix(jitsi): Update Jitsi Helm chart to set the user's display name as default 2023-08-30 17:06:57 +00:00
125 changed files with 3599 additions and 501 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -5,4 +5,8 @@
# Ignore changes to sample environments
helmfile/environments/dev/values.yaml
helmfile/environments/dev/values.gotmpl
helmfile/environments/test/values.yaml
helmfile/environments/test/values.gotmpl
helmfile/environments/prod/values.yaml
helmfile/environments/prod/values.gotmpl

195
.gitlab-ci.yml
View File

@@ -58,10 +58,13 @@ variables:
- "yes"
- "no"
DEPLOY_UCS:
description: "Enable Univention Corporate Server deployment."
description: >-
Enable Univention Corporate Server deployment.
"ums-eval" does deploy the Univention Management Stack instead of the UCS container.
value: "no"
options:
- "yes"
- "ums-eval"
- "no"
DEPLOY_PROVISIONING:
description: "Enable Provisioning Components."
@@ -75,6 +78,12 @@ variables:
options:
- "yes"
- "no"
DEPLOY_CRYPTPAD:
description: "Enable CryptPad deployment."
value: "no"
options:
- "yes"
- "no"
DEPLOY_ELEMENT:
description: "Enable Element deployment."
value: "no"
@@ -129,8 +138,18 @@ variables:
options:
- "yes"
- "no"
TESTS_PROJECT_URL:
description: "URL of the E2E-test Gitlab project API with project ID."
TESTS_BRANCH:
description: "Branch of E2E-tests on which the test pipeline is triggered"
value: "main"
RUN_UMS_TESTS:
description: "Run E2E test suite of SouvAP Dev team"
value: "no"
options:
- "yes"
- "no"
UMS_TESTS_BRANCH:
description: "Branch of E2E test suite of SouvAP Dev team"
value: "main"
# please use the following set of variables with normalized names:
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -140,23 +159,6 @@ variables:
dependencies: []
extends: ".environments"
image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
secrets:
SMTP_PASSWORD:
vault:
engine:
name: "kv-v2"
path: "swp"
path: "accounts/brained/mail/relay@souvap-univention.de"
field: "password"
file: false
TURN_CREDENTIALS:
vault:
engine:
name: "kv-v2"
path: "swp"
path: "accounts/souvap-univention.de/develop/turn/secret"
field: "credentials"
file: false
script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -187,8 +189,16 @@ env-cleanup:
$ENV_STOP_BEFORE != "no"
when: "always"
script:
- "helmfile destroy --namespace ${NAMESPACE}"
- "kubectl delete pvc --all --namespace ${NAMESPACE}"
- |
if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
done
kubectl delete pvc --all --namespace ${NAMESPACE};
kubectl delete jobs --all --namespace ${NAMESPACE};
else
helmfile destroy --namespace ${NAMESPACE};
fi
stage: "env-cleanup"
env-start:
@@ -235,7 +245,7 @@ ucs-deploy:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
when: "always"
variables:
COMPONENT: "univention-corporate-container"
@@ -252,6 +262,18 @@ provisioning-deploy:
variables:
COMPONENT: "provisioning"
ums-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
$DEPLOY_UCS == "ums-eval"
when: "always"
variables:
COMPONENT: "univention-management-stack"
keycloak-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -326,6 +348,18 @@ collabora-deploy:
variables:
COMPONENT: "collabora"
cryptpad-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
when: "always"
variables:
COMPONENT: "cryptpad"
nextcloud-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -408,51 +442,98 @@ run-tests:
when: "always"
script:
- |
COMPONENTS="login or portal or profile or navigation"
if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
or xwiki"
else
[ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
[ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
[ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
[ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
[ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
[ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
[ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
[ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
[ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
fi
echo "Gathering passwords from UCS container ..."
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers \
--selector 'app.kubernetes.io/instance=univention-corporate-container' \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$( \
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
echo "triggering test pipeline ..."
curl -X POST \
-F "ref=main" \
-F "token=${CI_JOB_TOKEN}" \
-F "variables[url]=https://portal.${DOMAIN}" \
-F "variables[user_name]=${DEFAULT_USER_NAME}" \
-F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
-F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
-F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
-F "variables[components]=\"${COMPONENTS}\"" \
https://${TESTS_PROJECT_URL}/trigger/pipeline
curl --request POST \
--header "Content-Type: application/json" \
--data "{ \
\"ref\": \"${TESTS_BRANCH}\", \
\"token\": \"${CI_JOB_TOKEN}\", \
\"variables\": { \
\"url\": \"https://portal.${DOMAIN}\", \
\"user_name\": \"${DEFAULT_USER_NAME}\", \
\"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
\"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
\"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
\"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
\"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
\"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
\"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
\"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
\"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
\"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
\"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
\"DEPLOY_OX\": \"${DEPLOY_OX}\", \
\"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
\"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
\"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
\"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
} \
}" \
"https://${TESTS_PROJECT_URL}/trigger/pipeline"
run-souvap-dev-tests:
extends: ".deploy-common"
environment:
name: "${NAMESPACE}"
tags:
- "docker"
- "kubernetes"
- "${CLUSTER}"
stage: "tests"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
when: "always"
script:
- |
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
curl --request POST \
--header "Content-Type: application/json" \
--data "{ \
\"ref\": \"${UMS_TESTS_BRANCH}\", \
\"token\": \"${CI_JOB_TOKEN}\", \
\"variables\": { \
\"portal_base_url\": \"https://portal.${DOMAIN}\", \
\"username\": \"${DEFAULT_USER_NAME}\", \
\"password\": \"${DEFAULT_USER_PASSWORD}\", \
\"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
\"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
\"keycloak_base_url\": \"https://id.${DOMAIN}\" \
} \
}" \
"https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
generate-release-assets:
stage: "generate-release-assets"
@@ -463,7 +544,7 @@ generate-release-assets:
- when: "never"
script:
- |
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
cd opendesk-asset-generator
export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
./opendesk_asset_generator.py
@@ -476,6 +557,8 @@ generate-release-assets:
- "./build_artefacts/chart-index.json"
- "./build_artefacts/image-index.json"
tags: []
variables:
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.

440
CHANGELOG.md
View File

@@ -1,3 +1,438 @@
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
### Bug Fixes
* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
### Bug Fixes
* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
### Bug Fixes
* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
### Bug Fixes
* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
### Bug Fixes
* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
### Bug Fixes
* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
### Bug Fixes
* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
### Bug Fixes
* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
### Bug Fixes
* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
### Bug Fixes
* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5d01f8ca46384d63d69dab0119998c4bb3183084))
## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)
### Bug Fixes
* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2313f75dbe32d855b0c440944bd0de51c8e104ca))
## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)
### Bug Fixes
* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b39986907cece3cec06012531a55b2699d131f90))
## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)
### Bug Fixes
* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a046deaf173ab41029c2ab5e3161bd89e0fdabcb))
## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)
### Bug Fixes
* **openproject:** Slim container with upgraded helm-chart ([535823e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/535823e0a8b2bde72d159835248b2287fd136af7))
## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)
### Bug Fixes
* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8e376bb4a5e37e16d76ea527cd02a5f614cdfe3d))
## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)
### Bug Fixes
* **element:** Support for openDesk top bar with central navigation ([e609b75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e609b75cc7fcbb7f03997cb5e26dd9cf4628f77d))
## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)
### Bug Fixes
* **element:** Configure rights and roles ([59d58e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/59d58e320e503727e42dbfe0b027ba7948275ac6))
## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)
### Bug Fixes
* **element:** Add an application service for the intercom-service ([1a4eced](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1a4eced998998faa7ac862b8c409bbd743b16ec0))
* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5afd2339c20a0be41078ae4c3ce703c62f332557))
* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7756d35fa156b36ed50ba8f837273db56323f45f))
* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/785989e91df5547ab5ac60914b82bc99c4f1a790))
* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/27b6796639f37dbd6c26f21fd54502153398aed0))
* **element:** Add the Matrix User Verification Service deployment ([30405d1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/30405d182d44a5586a4070738dfbe1c141841d19))
* **element:** Upgrade Element to v1.11.46 ([82a037e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/82a037ec7c25baf41bd0542c3ded47402adc2844))
* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fd9e04d9922b949d0f213016169a9024a66a1ded))
* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cbe514176a4d86d166db248d7297d215409016d2))
* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7f7c364071072b01d485d3e248a3f8de49a07309))
* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16f2ac464eb7267f1c4d87c3ccaca2c91a7ecc1b))
* **intercom-service:** Fix the nordeck configuration ([06dcdd7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/06dcdd78afe0e6514c1f30d24924d3e7077ae6da))
* **jitsi:** Use template for the cluster networking domain ([0898d96](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0898d9657145d66fd4c52fe6036c955ad58a0cfe))
* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/86657b139a6d8f4ff3f921b8755e04cb790c3786))
* **open-xchange:** Enable Element calendar integration ([f564efd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f564efd97f8db39cffaea317e36db3825fc9121e))
## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
### Bug Fixes
* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
### Bug Fixes
* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
### Bug Fixes
* **element:** Enable the guest module in Synapse ([da1bf35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/da1bf3581c5790786601948cabcef8a1d1c680ad))
## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)
### Bug Fixes
* **helmfile:** Add default port for SMTP in environment ([74f9ec2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74f9ec28e401f7caeefc4e50ac0a7e95fea41a53))
## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)
### Bug Fixes
* **openproject:** Mail sender address ([711d29e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/711d29e374d13a3c8b7bcdf3e8440d03e0ef2b7d))
## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
### Bug Fixes
* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
### Bug Fixes
* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e42feb4c260fc24692bc2742c97754230f8e2857))
## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)
### Bug Fixes
* **helmfile:** Add third environment (test) ([7dbcbfe](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7dbcbfe7237b365cf53f4c850b149e8b95149901))
## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)
### Bug Fixes
* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e33acd33e79740144e8fe318fe34dc705834ddf3))
## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)
### Bug Fixes
* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6fd655a0b1afd40303ac11130692202146bab215))
## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)
### Bug Fixes
* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b6b4972a5dd426bcc8fa00137d7e7b60056376c8))
* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d86f516747323d117f620658c4368408926c507a))
* **element:** Use OCI registry and verify chart signatures ([a41b9a6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a41b9a699c79bf90163bbb3c233c805b8d0a999e))
* **helmfile:** Add cleanup flag for job resources ([0f01b94](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f01b94aa19b40b4774ba11d9886fe6f12090e73))
* **helmfile:** Create directory for gpg pubkeys ([4c5731e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4c5731e6bb057cb272f660b4df0369b67709c203))
* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74b3d41381474efd2fbc5a9f3a0f1c0713811106))
* **jitsi:** Verify chart signatures ([1dd6582](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1dd6582ec7d742250ba08f69eba9a4679984b1ae))
* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ca5d5f82800ea6d7ecfa38eb2b5d8b85e709bb9f))
* **keycloak:** Use OCI registry and verify chart signatures ([095059c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/095059c7e53bbe8a874773f574cc6794ef8af6e4))
* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41dfdc0c8f83e3d79fa5a763ac449f6edfc76676))
* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2d5d3708f7f45600961c22ce11e750561de1fd27))
* **open-xchange:** Use renamed istio gateway ([65d2642](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65d2642d34c1c21a00a29278f7e1143f7fabb2aa))
* **openproject:** Use OCI registry and verify chart signatures ([5343840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5343840bed01992b3132eace362f91588c705a98))
* **services:** Add wildcard certifcate request support ([15ad8ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15ad8ca7ab34b079252f7b69219ede81ad43aa1c))
* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4372f063e0a27d5156da963d44d3ed4e72490fc4))
* **services:** Only create istio gateway with webmail domain ([6a39011](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6a390112dab11afaca06118a0ca7a18afe633a30))
* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/892920b0487b41a35b5a96596c61101827e8dd6d))
* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/424317ed585f7bd5036259d7e3d77d081d2aec1b))
# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)
### Bug Fixes
* **element:** Move the static configuration into the values.yaml ([f22619b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f22619bd8ef11cb43147ef19dcff2c02d9fe0503))
* **element:** Specify resources for the guest module init container ([275798c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/275798c1d6aa47ef33fbb0da3bb03a86d3e4b0ee))
### Features
* **element:** Activate the guest module ([5ad25ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5ad25acafd54d19dd2ed330b19f7860aff5d49f4))
## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)
### Bug Fixes
* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/62b767ef38c8eae2874b20a9aa51e85d2a3fe5a3))
## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)
### Bug Fixes
* **openproject:** Digest rollback ([9acce08](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9acce081397c06426820b61f39c9aa0dcc1234a5))
## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)
### Bug Fixes
* **helmfile:** Add timeout for database services ([98ec02f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/98ec02f230f1691eb8c17d8d3552fceda329bf7c))
* **openproject:** Image digest ([b340373](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b340373133ad973cfd6a3632adc9a74a23419cc7))
## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
### Bug Fixes
* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
### Bug Fixes
* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
### Bug Fixes
* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
### Bug Fixes
* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ce7e5f670a4dbc980eb8be73e5f7d15b27e8b1de))
## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)
### Bug Fixes
* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f46c8a9a5f4f9778cb171d65e9a0280e4ce61c16))
## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)
### Bug Fixes
* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41b9afb3648a0e1fddc5aa4337cc1501756b370c))
# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)
### Features
* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a99c088361b95b2bb7ee2b161e3a254f02bcd9ae))
## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)
### Bug Fixes
* **helmfile:** Fix linter issues ([1514678](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1514678db00d32c1463d8fc496c0e6d1c2a2df96))
* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16c08f82c9b4934567bb3b9c7fccab754bfad494))
* **univention-management-stack:** Add Helm charts ([a74d662](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a74d66240423fd5ba87854cc2b71132f11271ec7))
* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/471a2fa26205b8ca3afb5eeeb4524897a57f5c20))
* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/13bcd785e8f7db22d20903020e0cdd28094309a9))
* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/320da3bec3a49d974765e567878d5c2f2b4e93ef))
* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5e1a7b19e278147d010c48dac2da111f828dd115))
* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c54bab165bf81854471d790200781b4181eba22a))
* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c61b1b828150caa8d2fe1a5b9f0a862b2fbef4f1))
* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/96097e470483a5251acd81eb772da70ad7f55137))
* **univention-management-stack:** Configure cookie banner data ([12c931f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/12c931fcff5536116af11df1c9c0468429949fe2))
* **univention-management-stack:** Define resource requests and limits ([2f8a298](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2f8a2989250ea0f3b50dd3417f214a8864fe62d0))
* **univention-management-stack:** Disable istio for the stack ([4835a2b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4835a2beec408ec6267177f82257edd9ccb0d937))
* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ab1cb5c7e7bca85394eae2ed17141e513dd5a42))
* **univention-management-stack:** Process bases before releases ([ec3f1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ec3f1d96ac17cf1fb9d34ab692240460d5bd4ba1))
* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ba71f2749eaf51b09429a5f3c705bd0075c1efa))
* **univention-management-stack:** Split templated from static values ([09079a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/09079a13031be7894a34bf92945bd25a040c2290))
* **univention-management-stack:** Split values into templated and static ([d3c4390](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d3c439038a2551ec90324ab8659d24b65b223d4f))
* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c84060811229bb131bcd473a9e4668dfa73f97d7))
* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a4bab4068dc298056ed864e60a244d49a2934c8b))
* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9409ad829a725c84ebc3de5d1c4d42fe735e9d0c))
* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/90019e3ef6de5e4ed1742ee9ddc3bbb256cd3dec))
* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/77e362f6bc053c5d456bf65649f15130ce53547c))
* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fe0e0cdce4622352afbf74875adcae8324d769a3))
* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/edb25bd7655beeefa73a62fb9a8c85e076c4cc2f))
* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15db5dcbba33c39f752499f2d73c77cac32d1e8c))
## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
### Bug Fixes
* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
### Features
* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
### Bug Fixes
* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
### Bug Fixes
* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
### Bug Fixes
* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
### Bug Fixes
* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
### Bug Fixes
* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
@@ -173,3 +608,8 @@
* **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
* **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
* **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->

228
README.md
View File

@@ -6,11 +6,20 @@ SPDX-License-Identifier: Apache-2.0
[[_TOC_]]
# Disclaimer August 2023
# Disclaimer
The current state of the Sovereign Workplace contains components that are going to be
replaced. Like for example the UCS dev container monolith will be substituted by
multiple Univention Management Stack containers.
openDesk will face breaking changes in the near future without upgrade paths.
While most components support upgrades, major configuration or component changes
may occur, therefore we recommend always installing from scratch.
Components that are going to be replaced soon are:
- The UCS dev container monolith will be substituted by multiple Univention
Management Stack containers,
- the Nextcloud community container is going to be replaced by an openDesk
specific Nextcloud distroless container and
- Dovecot Community is going to be replaced by a Dovecot container tailored for the
needs of the public sector.
In the next months we not only expect upstream updates of the functional
components within their feature scope, but we are also going to address
@@ -19,8 +28,6 @@ operational issues like monitoring and network policies.
Of course, further development also includes enhancing the documentation.
The first release of the Sovereign Workplace is scheduled for December 2023.
Before that release there will be breaking changes in the deployment.
# The Sovereign Workplace (SWP)
@@ -66,11 +73,12 @@ up your own instance for development purposes. Please see the project
These are the requirements of the Sovereign Workplace deployment:
- Vanilla K8s cluster
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
- Domain and DNS Service
- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and
[HelmDiff](https://github.com/databus23/helm-diff)
- [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
- Volume provisioner supporting RWO (read-write-once)
- Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
@@ -91,8 +99,6 @@ installation.
| `DOMAIN` | `souvap.cloud` | External reachable domain |
| `ISTIO_DOMAIN` | `istio.souvap.cloud` | External reachable domain for Istio Gateway |
| `MASTER_PASSWORD` | `sovereign-workplace` | The password that seeds the autogenerated secrets |
| `SMTP_PASSWORD` | | Password for SMTP relay gateway |
| `TURN_CREDENTIALS` | | Credentials for coturn server |
Please ensure that you set the DNS records pointing to the loadbalancer/IP for
`DOMAIN` and `ISTIO_DOMAIN`.
@@ -157,6 +163,12 @@ and wait a little. After the deployment is finished some bootstrapping is
executed which might take some more minutes before you can log in your new
instance.
Deployments can be removed with:
```shell
helmfile destroy -n <NAMESPACE>
```
## Offline deployment
Before executing a [local deployment](#local-deployment), you can set following
@@ -204,12 +216,14 @@ subdirectory `/helmfile/apps/services`.
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | Eval |
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | Eval |
| Collabora | `collabora.enabled` | `true` | Weboffice | Functional |
| CryptPad | `cryptpad.enabled` | `true` | Weboffice | Functional |
| Dovecot | `dovecot.enabled` | `true` | Mail backend | Functional |
| Element | `element.enabled` | `true` | Secure communications platform | Functional |
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | Functional |
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
@@ -218,6 +232,7 @@ subdirectory `/helmfile/apps/services`.
| PostgreSQL | `postgresql.enabled` | `true` | Database | Eval |
| Redis | `redis.enabled` | `true` | Cache Database | Eval |
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | Functional |
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal | Eval |
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | Functional |
@@ -232,8 +247,8 @@ subdirectory `/helmfile/apps/services`.
#### Databases
In case you don't got for a develop or evaluation environment you want to point
the application to your own database instances.
When deploying this suite to production, you need to configure the applications to use your production grade database
service.
| Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
@@ -277,33 +292,153 @@ the application to your own database instances.
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
#### Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
service.
| Component | Name | Type | Parameter | Key | Default |
|------------------|------------------|-----------|-----------|------------------------------|------------------|
| Intercom Service | Intercom Service | Redis | | | |
| | | | Host | `cache.intercomService.host` | `redis-headless` |
| | | | Port | `cache.intercomService.port` | `6379` |
| Nextcloud | Nextcloud | Redis | | | |
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
| | | | Port | `cache.nextcloud.port` | `6379` |
| OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` |
### Scaling
The Replicas of components can be increased, while we still have to look in the
actual scalability of the components (see column `Scales at least to 2`).
actual scalability of the components (see column `Scaling (verified)`).
| Component | Name | Default | Service | Scaling | Scales at least to 2 |
|-------------|------------------------|---------|--------------------|--------------------|----------------------|
| ClamAV | `replicas.clamav` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.clamd` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.freshclam` | `1` | :white_check_mark: | :x: | not tested |
| | `replicas.icap` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.milter` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Collabora | `replicas.collabora` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Dovecot | `replicas.dovecot` | `1` | :white_check_mark: | :x: | not tested |
| Element | `replicas.element` | `2` | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| | `replicas.synapse` | `1` | :white_check_mark: | :x: | not tested |
| | `replicas.synapseWeb` | `2` | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| | `replicas.wellKnown` | `2` | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| Jitsi | `replicas.jibri` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.jicofo` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.jitsi ` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| | `replicas.jvb ` | `1` | :white_check_mark: | :x: | :x: |
| Keycloak | `replicas.keycloak` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Nextcloud | `replicas.nextcloud` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| OpenProject | `replicas.openproject` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Postfix | `replicas.postfix` | `1` | :white_check_mark: | :x: | not tested |
| XWiki | `replicas.xwiki` | `1` | :white_check_mark: | :white_check_mark: | not tested |
| Component | Name | Scaling (effective) | Scaling (verified) |
|-------------|------------------------|:-------------------:|:------------------:|
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
| | `replicas.freshclam` | :x: | :x: |
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: |
| Dovecot | `replicas.dovecot` | :x: | :gear: |
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
| | `replicas.synapse` | :x: | :gear: |
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
| | `replicas.jicofo` | :white_check_mark: | :gear: |
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
| | `replicas.jvb ` | :x: | :x: |
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
| Postfix | `replicas.postfix` | :x: | :gear: |
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
### Mail/SMTP configuration
To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
the whole subdomain.
```yaml
smtp:
host: # your SMTP host or IP-address
username: # username/email for authentication
password: # password for authentication, or via environment variable SMTP_PASSWORD
```
### TURN configuration
Some components (Jitsi, Element) use for direct communication a TURN server.
You can configure your own TURN server with these options:
```yaml
turn:
transport: # "udp" or "tcp"
credentials: # turn credential string
server: # configuration for unsecure connections
host: # your TURN host or IP-address
port: # server port
tls: # configuration for secure connections
host: # your TURN host or IP-address
port: # server port
```
## Security
This section summarizes various aspects of security and compliance aspects.
### Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | cryptpad | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 4001 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
### Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
`pubkey.gpg` file and are validated during helmfile installation.
| Repository | OCI | Verifiable |
|--------------------------------------|:---:|:------------------:|
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
| clamav-repo | yes | :white_check_mark: |
| collabora-online-repo | no | :x: |
| cryptpad-online-repo | no | :x: |
| intercom-service-repo | yes | :white_check_mark: |
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: |
| keycloak-theme-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: |
| opendesk-certificates-repo | yes | :white_check_mark: |
| opendesk-dovecot-repo | yes | :white_check_mark: |
| opendesk-element-repo | yes | :white_check_mark: |
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | no | :x: |
| openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: |
| univention-corporate-container-repo | yes | :white_check_mark: |
| ums-repo | no | :x: |
| xwiki-repo | no | :x: |
# Component integration
@@ -392,6 +527,7 @@ flowchart TD
J[Jitsi]-->K
I[IntercomService]-->K
C[Collabora]-->N
R[CryptPad]-->N
F[Postfix]-->D
```
@@ -434,18 +570,20 @@ components we are going to cover various aspects:
## Tests
There is a frontend end-to-end test suite that can get triggered if the
deployment is performed via a Gitlab pipeline.
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The `DEPLOY_`-variables are used to determine which components should be tested.
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
`<domain of gitlab>/api/v4/projects/<id>`.
Currently, the test suite is in progress to be published, so right now it is
only usable by project members. But that will change soon, and it could be used
to create custom tests and perform them after deployment.
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
`TESTS_BRANCH` while creating a new pipeline.
The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
points to the test pipeline residing in another Gitlab repository. At the end of
the deployment the test pipeline is triggered. Tests are just performed for
components that have been deployed prior.
# License
This project uses the following license: Apache-2.0
# Copyright
Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# Footnotes

10
helmfile.yaml
View File

@@ -9,6 +9,7 @@ helmfiles:
- path: "helmfile/apps/services/helmfile.yaml"
- path: "helmfile/apps/keycloak/helmfile.yaml"
- path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
- path: "helmfile/apps/univention-management-stack/helmfile.yaml"
- path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
- path: "helmfile/apps/intercom-service/helmfile.yaml"
- path: "helmfile/apps/open-xchange/helmfile.yaml"
@@ -28,6 +29,7 @@ missingFileHandler: "Error"
# - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
# - Installing a single release from app directory via helmfile apply
# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
environments:
default:
values:
@@ -38,9 +40,17 @@ environments:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/dev/values.yaml"
- "helmfile/environments/dev/values.gotmpl"
test:
values:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/test/values.yaml"
- "helmfile/environments/test/values.gotmpl"
prod:
values:
- "helmfile/environments/default/*.gotmpl"
- "helmfile/environments/default/*.yaml"
- "helmfile/environments/prod/values.yaml"
- "helmfile/environments/prod/values.gotmpl"
...

11
helmfile/apps/collabora/helmfile.yaml
View File

@@ -1,7 +1,13 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Collabora Online
# Source: https://github.com/CollaboraOnline/online
- name: "collabora-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -14,12 +20,9 @@ releases:
values:
- "values.yaml"
- "values.gotmpl"
condition: "collabora.enabled"
installed: {{ .Values.collabora.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "collabora"
bases:
- "../../bases/environments.yaml"
...

14
helmfile/apps/collabora/values.gotmpl
View File

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
tag: "{{ .Values.images.collabora.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
@@ -28,18 +29,13 @@ ingress:
collabora:
# Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
username: "collabora-internal-admin"
password: {{ .Values.secrets.collabora.adminPassword }}
password: {{ .Values.secrets.collabora.adminPassword | quote }}
aliasgroups:
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
{{- if not (eq .Values.cluster.container.engine "containerd") }}
# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
# Ref.: https://github.com/CollaboraOnline/online/issues/2800
securityContext:
capabilities:
add:
- "MKNOD"
{{- end }}
replicaCount: {{ .Values.replicas.collabora }}
resources:
{{ .Values.resources.collabora | toYaml | nindent 2 }}
...

73
helmfile/apps/collabora/values.yaml
View File

@@ -14,19 +14,74 @@ collabora:
ingress:
annotations:
# nginx
# Ingress NGINX
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/server-snippet: |
# block admin and metrics endpoint from outside by default
location /cool/getMetrics { deny all; return 403; }
location /cool/adminws/ { deny all; return 403; }
location /browser/dist/admin/admin.html { deny all; return 403; }
# NGINX
nginx.org/websocket-services: "collabora"
nginx.org/lb-method: "hash $arg_WOPISrc consistent"
nginx.org/proxy-read-timeout: "600"
nginx.org/proxy-send-timeout: "600"
nginx.org/client-max-body-size: "0"
nginx.org/server-snippets: |
# block admin and metrics endpoint from outside by default
location /cool/getMetrics { deny all; return 403; }
location /cool/adminws/ { deny all; return 403; }
location /browser/dist/admin/admin.html { deny all; return 403; }
# HAProxy
haproxy.org/timeout-tunnel: "3600s"
haproxy.org/backend-config-snippet: |
mode http
balance leastconn
stick-table type string len 2048 size 1k store conn_cur
http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
http-request track-sc1 url_param(WOPISrc)
stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
stick store-request url_param(WOPISrc)
balance url_param WOPISrc check_post
hash-type consistent
# HAProxy - Community: https://haproxy-ingress.github.io/
haproxy-ingress.github.io/timeout-tunnel: "3600s"
haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
haproxy-ingress.github.io/config-backend: |
hash-type consistent
# block admin urls from outside
acl admin_url path_beg /cool/getMetrics
acl admin_url path_beg /cool/adminws/
acl admin_url path_beg /browser/dist/admin/admin.html
http-request deny if admin_url
autoscaling:
enabled: false
serviceAccount:
create: true
securityContext:
allowPrivilegeEscalation: true
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
- "MKNOD"
podSecurityContext:
fsGroup: 100
...

28
helmfile/apps/cryptpad/helmfile.yaml Normal file
View File

@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# CryptPad
# Source: https://github.com/cryptpad/helm
- name: "cryptpad-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://cryptpad.github.io/helm" }}
releases:
- name: "cryptpad"
chart: "cryptpad-online-repo/cryptpad"
version: "0.0.13"
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.cryptpad.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "cryptpad"
...

33
helmfile/apps/cryptpad/values.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
...

45
helmfile/apps/cryptpad/values.yaml Normal file
View File

@@ -0,0 +1,45 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
# Disable registration and access to unregistered users:
# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
application_config:
availablePadTypes:
- "diagram"
# Deactivating public access breaks nextcloud plugin!
# registeredOnlyTypes:
# - "diagram"
autoscaling:
enabled: false
enableEmbedding: true
fullnameOverride: "cryptpad"
persistence:
enabled: false
podSecurityContext:
fsGroup: 4001
securityContext:
seccompProfile:
type: "RuntimeDefault"
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
serviceAccount:
create: true
workloadStateful: false
...

134
helmfile/apps/element/helmfile.yaml
View File

@@ -1,46 +1,136 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-element-repo"
# openDesk Element
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
- name: "opendesk-element-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Matrix Widgets
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
- name: "opendesk-matrix-widgets-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "sovereign-workplace-element"
chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
version: "1.3.0"
- name: "opendesk-element"
chart: "opendesk-element-repo/opendesk-element"
version: "2.5.0"
values:
- "values-element.yaml"
- "values-element.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "sovereign-workplace-well-known"
chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
version: "1.3.0"
- name: "opendesk-well-known"
chart: "opendesk-element-repo/opendesk-well-known"
version: "2.5.0"
values:
- "values-well-known.yaml"
- "values-well-known.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "sovereign-workplace-synapse-web"
chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
version: "1.3.0"
- name: "opendesk-synapse-web"
chart: "opendesk-element-repo/opendesk-synapse-web"
version: "2.5.0"
values:
- "values-synapse-web.yaml"
- "values-synapse-web.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "sovereign-workplace-synapse"
chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
version: "1.3.0"
- name: "opendesk-synapse"
chart: "opendesk-element-repo/opendesk-synapse"
version: "2.5.0"
values:
- "values-synapse.yaml"
- "values-synapse.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-matrix-user-verification-service-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account"
version: "2.5.0"
values:
- "values-matrix-user-verification-service-bootstrap.yaml"
- "values-matrix-user-verification-service-bootstrap.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-matrix-user-verification-service"
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
version: "2.5.0"
values:
- "values-matrix-user-verification-service.yaml"
- "values-matrix-user-verification-service.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neoboard-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
version: "3.1.0"
values:
- "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neochoice-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
version: "3.1.0"
values:
- "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
version: "3.1.0"
values:
- "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-bot-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account"
version: "2.5.0"
values:
- "values-matrix-neodatefix-bot-bootstrap.yaml"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-bot"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
version: "3.1.0"
values:
- "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl"
installed: {{ .Values.element.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "element"
bases:
- "../../bases/environments.yaml"
...

88
helmfile/apps/element/values-element.gotmpl
View File

@@ -15,7 +15,95 @@ configuration:
additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
"net.nordeck.element_web.module.opendesk":
config:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
custom_css_variables:
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
"net.nordeck.element_web.module.widget_lifecycle":
widget_permissions:
"https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
identity_approved: true
"https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
preload_approved: true
capabilities_approved:
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
- org.matrix.msc2762.send.state_event:m.room.power_levels#
- org.matrix.msc2762.receive.state_event:m.room.power_levels#
- org.matrix.msc2762.receive.state_event:m.room.member
- org.matrix.msc2762.receive.state_event:m.room.name
- org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
- org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
- org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
- org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
- org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
- org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
- town.robin.msc3846.turn_servers
"https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
preload_approved: true
capabilities_approved:
- org.matrix.msc2762.send.event:net.nordeck.poll.vote
- org.matrix.msc2762.receive.event:net.nordeck.poll.vote
- org.matrix.msc2762.send.state_event:net.nordeck.poll
- org.matrix.msc2762.receive.state_event:net.nordeck.poll
- org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
- org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
- org.matrix.msc2762.receive.state_event:m.room.power_levels
- org.matrix.msc2762.receive.state_event:m.room.name
- org.matrix.msc2762.receive.state_event:m.room.member
- org.matrix.msc2762.send.state_event:net.nordeck.poll.group
- org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
- org.matrix.msc2762.send.event:net.nordeck.poll.start
- org.matrix.msc2762.receive.event:net.nordeck.poll.start
"https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
preload_approved: true
identity_approved: true
capabilities_approved:
- org.matrix.msc2931.navigate
- org.matrix.msc2762.timeline:*
- org.matrix.msc2762.receive.state_event:m.room.power_levels
- org.matrix.msc2762.receive.event:m.reaction
- org.matrix.msc2762.receive.state_event:m.room.create
- org.matrix.msc2762.receive.state_event:m.room.tombstone
- org.matrix.msc2762.receive.state_event:m.room.member
- org.matrix.msc2762.send.state_event:m.room.member
- org.matrix.msc2762.receive.state_event:m.room.name
- org.matrix.msc2762.receive.state_event:m.room.topic
- org.matrix.msc2762.receive.state_event:m.space.parent
- org.matrix.msc2762.receive.state_event:m.space.child
- org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
- org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
- org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
- org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
- org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
- org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
- org.matrix.msc3973.user_directory_search
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.element.repository }}"
tag: "{{ .Values.images.element.tag }}"

21
helmfile/apps/element/values-element.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

33
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}"
tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
resources:
{{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-matrix-neoboard-widget.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

33
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoChoiceWidget.repository }}"
tag: "{{ .Values.images.matrixNeoChoiceWidget.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
resources:
{{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
...

21
helmfile/apps/element/values-matrix-neochoice-widget.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

23
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
...

8
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml Normal file
View File

@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "meetings-bot"
pod: "opendesk-synapse-0"
secretName: "matrix-neodatefix-bot-account"
...

37
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl Normal file
View File

@@ -0,0 +1,37 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration:
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixBot.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixBot.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
persistence:
size: "{{ .Values.persistence.size.matrixNeoDateFixBot }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
resources:
{{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
...

50
helmfile/apps/element/values-matrix-neodatefix-bot.yaml Normal file
View File

@@ -0,0 +1,50 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"
calendarWidgetName: "Terminplaner"
cockpitWidgetName: "Meeting Steuerung"
jitsiWidgetName: "Videokonferenz"
matrixNeoBoardWidgetName: "Whiteboard"
matrixNeoChoiceWidgetName: "Abstimmungen"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
extraEnvVars:
- name: "ACCESS_TOKEN"
valueFrom:
secretKeyRef:
name: "matrix-neodatefix-bot-account"
key: "access_token"
# TODO: The health endpoint does not work with the haproxy configuration, yet
livenessProbe:
enabled: false
podSecurityContext:
enabled: true
fsGroup: 101
# TODO: The health endpoint does not work with the haproxy configuration, yet
readinessProbe:
enabled: false
...

33
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixWidget.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixWidget.tag }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
theme:
{{ .Values.theme | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
resources:
{{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
...

25
helmfile/apps/element/values-matrix-neodatefix-widget.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

23
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
password: {{ .Values.secrets.matrixUserVerificationService.password }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
...

8
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml Normal file
View File

@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "uvs"
pod: "opendesk-synapse-0"
secretName: "opendesk-matrix-user-verification-service-account"
...

23
helmfile/apps/element/values-matrix-user-verification-service.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
resources:
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
...

29
helmfile/apps/element/values-matrix-user-verification-service.yaml Normal file
View File

@@ -0,0 +1,29 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
# TODO: the service can't run with read only filesystem or as non-root
# readOnlyRootFilesystem: true
# runAsGroup: 101
# runAsNonRoot: true
# runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
extraEnvVars:
- name: "UVS_ACCESS_TOKEN"
valueFrom:
secretKeyRef:
name: "opendesk-matrix-user-verification-service-account"
key: "access_token"
podSecurityContext:
enabled: true
fsGroup: 101
...

1
helmfile/apps/element/values-synapse-web.gotmpl
View File

@@ -12,6 +12,7 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseWeb.repository }}"
tag: "{{ .Values.images.synapseWeb.tag }}"

21
helmfile/apps/element/values-synapse-web.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

21
helmfile/apps/element/values-synapse.gotmpl
View File

@@ -12,6 +12,7 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapse.repository }}"
tag: "{{ .Values.images.synapse.tag }}"
@@ -21,9 +22,20 @@ configuration:
host: "{{ .Values.databases.synapse.host }}"
name: "{{ .Values.databases.synapse.name }}"
user: "{{ .Values.databases.synapse.username }}"
password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
homeserver:
appServiceConfigs:
- as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
id: intercom-service
namespaces:
users:
- exclusive: false
regex: "@.*"
url: null
sender_localpart: intercom-service
oidc:
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -41,6 +53,13 @@ configuration:
transport: {{ .Values.turn.transport }}
{{- end }}
guestModule:
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseGuestModule.repository }}"
tag: "{{ .Values.images.synapseGuestModule.tag }}"
persistence:
size: "{{ .Values.persistence.size.synapse }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

35
helmfile/apps/element/values-synapse.yaml Normal file
View File

@@ -0,0 +1,35 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
homeserver:
guestModule:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 10991
...

1
helmfile/apps/element/values-well-known.gotmpl
View File

@@ -12,6 +12,7 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.wellKnown.repository }}"
tag: "{{ .Values.images.wellKnown.tag }}"

18
helmfile/apps/element/values-well-known.yaml
View File

@@ -4,4 +4,22 @@
configuration:
e2ee:
forceDisable: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

21
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -1,25 +1,30 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Intercom Service
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
- name: "intercom-service-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "intercom-service"
chart: "intercom-service-repo/intercom-service"
version: "1.1.3"
version: "2.0.0"
values:
- "values.yaml"
- "values.gotmpl"
condition: "intercom.enabled"
installed: {{ .Values.intercom.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "intercom-service"
bases:
- "../../bases/environments.yaml"
...

16
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
@@ -13,23 +14,28 @@ global:
ics:
secret: {{ .Values.secrets.intercom.secret }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
originRegex: "{{ .Values.istio.domain }}"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
default:
domain: "{{ .Values.global.domain }}"
oidc:
secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
matrix:
asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
serverName: "matrix.{{ .Values.global.domain }}"
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
subdomain: {{ .Values.global.hosts.synapse }}
serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
nordeck:
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot }}
portal:
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
redis:
password: {{ .Values.secrets.redis.password }}
host: {{ .Values.cache.intercomService.host }}
port: {{ .Values.cache.intercomService.port }}
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.intercom.repository }}"
tag: "{{ .Values.images.intercom.tag }}"

17
helmfile/apps/jitsi/helmfile.yaml
View File

@@ -1,24 +1,31 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Jitsi
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
- name: "jitsi-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "jitsi"
chart: "jitsi-repo/sovereign-workplace-jitsi"
version: "1.3.0"
version: "1.7.1"
values:
- "values-jitsi.gotmpl"
condition: "jitsi.enabled"
installed: {{ .Values.jitsi.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "jitsi"
bases:
- "../../bases/environments.yaml"
...

11
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -11,7 +11,11 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
@@ -59,6 +63,10 @@ jitsi:
value: "myappid"
- name: "JWT_APP_SECRET"
value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"
value: "true"
- name: "MATRIX_UVS_URL"
value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
- name: TURNS_HOST
value: "{{ .Values.turn.tls.host }}"
- name: TURNS_PORT
@@ -82,7 +90,7 @@ jitsi:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
tag: "{{ .Values.images.jicofo.tag }}"
xmpp:
password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
@@ -118,6 +126,7 @@ patchJVB:
staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
tag: "{{ .Values.images.jitsiPatchJVB.tag }}"

26
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -1,27 +1,35 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-keycloak-bootstrap-repo"
# openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
- name: "opendesk-keycloak-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "sovereign-workplace-keycloak-bootstrap"
chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
version: "1.1.11"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
timeout: 1800
commonLabels:
deploy-stage: "component-1"
component: "keycloak-bootstrap"
bases:
- "../../bases/environments.yaml"
...

7
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -11,14 +11,19 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
administrator:
password: "{{ .Values.secrets.keycloak.adminPassword }}"
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakBootstrap.repository }}"
tag: "{{ .Values.images.keycloakBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

3
helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml
View File

@@ -4,7 +4,4 @@
config:
administrator:
username: "kcadmin"
cleanup:
deletePodsOnSuccess: true
...

37
helmfile/apps/keycloak/helmfile.yaml
View File

@@ -1,16 +1,30 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "registry-1.docker.io/bitnamicharts" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Keycloak Theme
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
- name: "keycloak-theme-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Keycloak Extensions
- name: "keycloak-extensions-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -18,20 +32,20 @@ repositories:
releases:
- name: "keycloak-theme"
chart: "keycloak-theme-repo/sovereign-workplace-theme"
version: "1.1.0"
chart: "keycloak-theme-repo/opendesk-keycloak-theme"
version: "2.0.0"
values:
- "values-theme.gotmpl"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak"
chart: "bitnami-repo/keycloak"
version: "12.2.0"
version: "12.1.5"
values:
- "values-keycloak.gotmpl"
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak-extensions"
chart: "keycloak-extensions-repo/keycloak-extensions"
version: "0.1.0"
@@ -40,12 +54,9 @@ releases:
values:
- "values-extensions.yaml"
- "values-extensions.gotmpl"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "keycloak"
bases:
- "../../bases/environments.yaml"
...

21
helmfile/apps/keycloak/values-extensions.gotmpl
View File

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
---
global:
keycloak:
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
postgresql:
connection:
host: "{{ .Values.databases.keycloakExtension.host }}"
@@ -13,19 +13,15 @@ global:
auth:
database: "{{ .Values.databases.keycloakExtension.name }}"
username: "{{ .Values.databases.keycloakExtension.username }}"
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
handler:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
{{- if .Values.images.keycloakExtensionHandler.digest }}
sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
{{- else if .Values.images.keycloakExtensionHandler.tag }}
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
{{- end }}
imagePullPolicy: "Always"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
appConfig:
smtpPassword: "{{ .Values.smtp.password }}"
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: "{{ .Values.smtp.host }}"
smtpUsername: "{{ .Values.smtp.username }}"
mailFrom: "noreply@{{ .Values.global.domain }}"
@@ -35,18 +31,11 @@ proxy:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
{{- if .Values.images.keycloakExtensionProxy.digest }}
sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
{{- else if .Values.images.keycloakExtensionProxy.tag }}
tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
{{- end }}
imagePullPolicy: "Always"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"

28
helmfile/apps/keycloak/values-extensions.yaml
View File

@@ -11,11 +11,35 @@ global:
handler:
appConfig:
captchaProtectionEnable: "False"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
postgresql:
enabled: false
proxy:
image:
tag: "latest"
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
...

2
helmfile/apps/keycloak/values-keycloak-idp.yaml
View File

@@ -181,7 +181,7 @@ keycloakConfigCli:
"attributes": {
"backchannel.logout.revoke.offline.tokens": "true",
"backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://$(ELEMENT_DOMAIN)/_synapse/client/oidc/backchannel_logout",
"backchannel.logout.url": "https://$(MATRIX_DOMAIN)/_synapse/client/oidc/backchannel_logout",
"post.logout.redirect.uris": "https://$(ELEMENT_DOMAIN)/*##https://$(MATRIX_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
},
"authenticationFlowBindingOverrides": {},

8
helmfile/apps/keycloak/values-keycloak.gotmpl
View File

@@ -13,17 +13,17 @@ image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloak.repository }}"
tag: "{{ .Values.images.keycloak.tag }}"
digest: "{{ .Values.images.keycloak.digest }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
externalDatabase:
host: "{{ .Values.databases.keycloak.host }}"
port: {{ .Values.databases.keycloak.port }}
user: "{{ .Values.databases.keycloak.username }}"
database: "{{ .Values.databases.keycloak.name }}"
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
auth:
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
replicaCount: {{ .Values.replicas.keycloak }}
@@ -81,6 +81,8 @@ keycloakConfigCli:
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:
{{ .Values.resources.keycloak | toYaml | nindent 4 }}
resources:
{{ .Values.resources.keycloak | toYaml | nindent 2 }}

27
helmfile/apps/keycloak/values-keycloak.yaml
View File

@@ -54,5 +54,32 @@ keycloakConfigCli:
- "--import.var-substitution.enabled=true"
cache:
enabled: false
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
podSecurityContext:
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
...

39
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -1,43 +1,54 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-nextcloud-bootstrap-repo"
# openDesk Keycloak Bootstrap
# Source:
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
- name: "opendesk-nextcloud-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# Nextcloud
# Source: https://github.com/nextcloud/helm/
- name: "nextcloud-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://nextcloud.github.io/helm/" }}
releases:
- name: "sovereign-workplace-nextcloud-bootstrap"
chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
version: "2.3.0"
- name: "opendesk-nextcloud-bootstrap"
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
version: "3.2.2"
wait: true
waitForJobs: true
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "nextcloud.enabled"
timeout: 1800
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
- name: "nextcloud"
chart: "nextcloud-repo/nextcloud"
version: "3.5.19"
needs:
- "sovereign-workplace-nextcloud-bootstrap"
- "opendesk-nextcloud-bootstrap"
values:
- "values-nextcloud.gotmpl"
- "values-nextcloud.yaml"
condition: "nextcloud.enabled"
timeout: 1800
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "nextcloud"
bases:
- "../../bases/environments.yaml"
...

16
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -14,26 +14,26 @@ global:
config:
administrator:
password: {{ .Values.secrets.nextcloud.adminPassword }}
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
antivirus:
{{- if .Values.clamavDistributed.enabled }}
host: "clamav-sovereign-workplace-icap"
host: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }}
host: "clamav-simple"
{{- end }}
apps:
integrationSwp:
password: {{ .Values.secrets.centralnavigation.apiKey }}
password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
userOidc:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
database:
host: "{{ .Values.databases.nextcloud.host }}"
name: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
ldapSearch:
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
@@ -43,7 +43,13 @@ config:
username: "{{ .Values.smtp.username }}"
password: "{{ .Values.smtp.password }}"
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.nextcloud.repository }}"
tag: "{{ .Values.images.nextcloud.tag }}"

6
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -11,9 +11,9 @@ config:
userOidc:
username: "ncoidc"
cryptpad:
enabled: true
ldapSearch:
host: "univention-corporate-container"
cleanup:
deletePodsOnSuccess: false
...

12
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -6,16 +6,20 @@ SPDX-License-Identifier: Apache-2.0
nextcloud:
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword }}
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
externalDatabase:
database: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: "{{ .Values.databases.nextcloud.host }}"
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
extraEnv:
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
redis:
auth:
enabled: true
password: {{ .Values.secrets.redis.password }}
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
@@ -25,7 +29,7 @@ ingress:
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.nextcloud.tag }}"
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

17
helmfile/apps/nextcloud/values-nextcloud.yaml
View File

@@ -21,6 +21,11 @@ cronjob:
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
ingress:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
internalDatabase:
enabled: false
postgresql:
@@ -39,6 +44,18 @@ externalDatabase:
metrics:
enabled: false
nextcloud:
configs:
mimetypealiases.json: |-
{
"application/x-drawio": "image"
}
mimetypemapping.json: |-
{
"drawio": ["application/x-drawio"]
}
# this is not documented but can be found in values.yaml
service:
port: "80"

56
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -1,49 +1,67 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "dovecot-repo"
# openDesk Dovecot
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
- name: "opendesk-dovecot-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# Open-Xchange
- name: "openxchange-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "registry.open-xchange.com" }}
- name: "sovereign-workplace-open-xchange-bootstrap-repo"
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
# openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
- name: "opendesk-open-xchange-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "dovecot"
chart: "dovecot-repo/dovecot"
chart: "opendesk-dovecot-repo/dovecot"
version: "1.3.1"
values:
- "values-dovecot.yaml"
- "values-dovecot.gotmpl"
condition: "dovecot.enabled"
installed: {{ .Values.dovecot.enabled }}
timeout: 900
- name: "open-xchange"
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
version: "1.2.13"
version: "2.1.1"
values:
- "values-openxchange.yaml"
- "values-openxchange.gotmpl"
- "values-openxchange-enterprise-contact-picker.yaml"
- "values-openxchange-enterprise-contact-picker.gotmpl"
condition: "oxAppsuite.enabled"
- name: "sovereign-workplace-open-xchange-bootstrap"
chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
- name: "opendesk-open-xchange-bootstrap"
chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
version: "1.3.1"
values:
- "values-openxchange-bootstrap.yaml"
condition: "oxAppsuite.enabled"
- "values-openxchange-bootstrap.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "open-xchange"
bases:
- "../../bases/environments.yaml"
...

7
helmfile/apps/open-xchange/values-dovecot.gotmpl
View File

@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.dovecot.repository }}"
digest: "{{ .Values.images.dovecot.digest }}"
tag: "{{ .Values.images.dovecot.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
@@ -15,10 +16,10 @@ imagePullSecrets:
dovecot:
mailDomain: "{{ .Values.global.domain }}"
password: {{ .Values.secrets.dovecot.doveadm }}
password: {{ .Values.secrets.dovecot.doveadm | quote }}
ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
oidc:
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}

7
helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
View File

@@ -3,10 +3,15 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.openxchangeBootstrap.repository }}"
digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}

52
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
View File

@@ -6,7 +6,7 @@ appsuite:
properties:
# Enterprise contact picker
com.openexchange.contacts.ldap.accounts: "opendesk"
com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
com.openexchange.admin.bypassAccessCombinationChecks: "true"
ENABLE_INTERNAL_USER_EDIT: "false"
@@ -153,7 +153,7 @@ appsuite:
# allows to sort the attributes lexicographically, either "ascending" or "descending".
dynamicAttributes:
attributeName: "o"
contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
contactSearchScope: "sub"
# refreshInterval: 1h
refreshInterval: "5m"
@@ -174,6 +174,48 @@ appsuite:
- "Management"
- "Human Resources"
other:
name: "Other contacts"
ldapClientId: "contactsLdapClient"
mappings: "ucs"
folders:
mode: "static"
usedForSync:
protected: true
defaultValue: false
usedInPicker:
protected: false
defaultValue: true
shownInTree:
protected: false
defaultValue: true
static:
commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
folders:
- name: "Ohne Organisation"
contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
functional:
name: "Functional mailboxes"
ldapClientId: "contactsLdapClient"
mappings: "functional"
folders:
mode: "static"
usedForSync:
protected: true
defaultValue: false
usedInPicker:
protected: false
defaultValue: true
shownInTree:
protected: false
defaultValue: true
static:
commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
folders:
- name: "Funktionale Postfächer"
contactFilter: "(univentionObjectType=oxmail/functional_account)"
contacts-provider-ldap-mappings.yml:
# Example definitions of contact property <-> LDAP attribute mappings.
#
@@ -347,3 +389,9 @@ appsuite:
# image_last_modified :
# Will be set automatically to "image/jpeg" if not defined.
# image1_content_type :
functional:
objectid: "mailPrimaryAddress"
displayname: "oxPersonal,cn,mailPrimaryAddress"
file_as: "oxPersonal,cn,mailPrimaryAddress"
email1: "mailPrimaryAddress"

38
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -11,8 +11,8 @@ global:
database: "{{ .Values.databases.oxAppsuite.name }}"
auth:
user: "{{ .Values.databases.oxAppsuite.username }}"
password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
istio:
enabled: {{ .Values.istio.enabled }}
@@ -34,6 +34,7 @@ public-sector-ui:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
appsuite:
istio:
@@ -52,6 +53,15 @@ appsuite:
core-mw:
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
gotenberg:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
tag: {{ .Values.images.openxchangeGotenberg.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -93,9 +103,13 @@ appsuite:
oxguardpass: |
{{ .Values.secrets.oxAppsuite.oxguardMC }}
{{ .Values.secrets.oxAppsuite.oxguardRC }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
tag: {{ .Values.images.openxchangeCoreMW.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
update:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -113,6 +127,7 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreUI.repository }}
tag: {{ .Values.images.openxchangeCoreUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
core-ui-middleware:
ingress:
@@ -126,6 +141,17 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
core-documentconverter:
image:
repository: {{ .Values.images.openxchangeDocumentConverter.repository }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag }}
resources:
{{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
core-guidedtours:
imagePullSecrets:
@@ -135,6 +161,12 @@ appsuite:
image:
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
core-imageconverter:
image:
repository: {{ .Values.images.openxchangeImageConverter.repository }}
tag: {{ .Values.images.openxchangeImageConverter.tag }}
guard-ui:
imagePullSecrets:
@@ -144,11 +176,13 @@ appsuite:
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
tag: {{ .Values.images.openxchangeGuardUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
core-user-guide:
image:
repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}

69
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -4,11 +4,16 @@
appsuite:
istio:
ingressGateway:
name: "sovereign-workplace-gateway-istio-gateway"
name: "opendesk-gateway-istio-gateway"
switchboard:
enabled: false
core-mw:
enabled: true
masterAdmin: "admin"
gotenberg:
enabled: true
features:
status:
# enable admin pack
@@ -22,6 +27,13 @@ appsuite:
open-xchange-authentication-oauth: "enabled"
properties:
com.openexchange.UIWebPath: "/appsuite/"
# PDF Export
com.openexchange.capability.mail_export_pdf: "true"
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
com.openexchange.mail.exportpdf.collabora.enabled: "true"
com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
# OIDC
com.openexchange.oidc.enabled: "true"
com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -54,17 +66,24 @@ appsuite:
com.openexchange.mail.filter.credentialSource: "mail"
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Dovecot
com.openexchange.imap.attachmentMarker.enabled: "true"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
# New capabilities in 2.0
com.openexchange.capability.public-sector-element: "true"
com.openexchange.capability.public-sector-navigation: "true"
com.openexchange.capability.client-onboarding: "true"
com.openexchange.capability.dynamic-theme: "true"
com.openexchange.capability.filestorage_nextcloud: "true"
com.openexchange.capability.filestorage_nextcloud_oauth: "true"
com.openexchange.capability.guard: "true"
com.openexchange.capability.guard-mail: "true"
com.openexchange.capability.public-sector: "true"
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
com.openexchange.capability.document_preview: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -76,6 +95,8 @@ appsuite:
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.storage.file.fileStorageType: "file"
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
@@ -95,6 +116,11 @@ appsuite:
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
uiSettings:
# Show the Enterprise Picker in the top right corner instead of the launcher drop-down
io.ox/core//features/enterprisePicker/showLauncher: "false"
io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
# Text and icon color in the topbar
io.ox/dynamic-theme//topbarColor: "#000"
io.ox/dynamic-theme//logoWidth: "82"
io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
# Resources
@@ -111,6 +137,8 @@ appsuite:
# io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
io.ox/core//apps/quickLaunchCount: "0"
io.ox/core//coloredIcons: "false"
# Mail templates
io.ox/core//features/templates: "true"
asConfig:
default:
@@ -119,10 +147,31 @@ appsuite:
oidcLogin: true
oidcPath: "/oidc"
redis:
enabled: true
mode: "standalone"
hosts:
- "redis-master"
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
mkdir -p /opt/open-xchange/guard-files
chown open-xchange:open-xchange /opt/open-xchange/guard-files
core-ui:
enabled: true
core-ui-middleware:
enabled: true
overrides: {}
redis:
mode: "standalone"
hosts:
- "redis-master:6379"
auth:
enabled: true
core-guidedtours:
enabled: true
guard-ui:
@@ -131,12 +180,26 @@ appsuite:
enabled: false
core-user-guide:
enabled: true
core-imageconverter:
enabled: false
enabled: true
objectCache:
s3ObjectStores:
- id: -1
endpoint: "."
accessKey: "."
secretKey: "."
core-spellcheck:
enabled: false
core-documentconverter:
enabled: true
documentConverter:
cache:
remoteCache:
enabled: false
core-documents-collaboration:
enabled: false
office-web:

16
helmfile/apps/openproject/helmfile.yaml
View File

@@ -1,7 +1,13 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# OpenProject
# Source: https://github.com/opf/helm-charts
- name: "openproject-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -10,16 +16,16 @@ repositories:
releases:
- name: "openproject"
chart: "openproject-repo/openproject"
version: "1.8.0"
version: "2.0.4"
wait: true
waitForJobs: true
values:
- "values.yaml"
- "values.gotmpl"
condition: "openproject.enabled"
installed: {{ .Values.openproject.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "openproject"
bases:
- "../../bases/environments.yaml"
...

16
helmfile/apps/openproject/values.gotmpl
View File

@@ -10,10 +10,13 @@ global:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.openproject.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.openproject.tag }}"
memcached:
connection:
host: "{{ .Values.cache.openproject.host }}"
port: {{ .Values.cache.openproject.port }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
@@ -21,7 +24,7 @@ memcached:
postgresql:
auth:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
username: "{{ .Values.databases.openproject.username }}"
database: "{{ .Values.databases.openproject.name }}"
connection:
@@ -35,7 +38,7 @@ openproject:
name: "OpenProject Interal Admin"
mail: "openproject-admin@swp-domain.internal"
password_reset: "false"
password: "{{ .Values.secrets.openproject.adminPassword }}"
password: {{ .Values.secrets.openproject.adminPassword | quote }}
ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
@@ -51,20 +54,21 @@ environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
OPENPROJECT_SMTP__PORT: "587" # (default=587)
OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
OPENPROJECT_SMTP__SSL: "false" # (default=false)
OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
persistence:
size: "{{ .Values.persistence.size.openproject }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
replicaCount: {{ .Values.replicas.openproject }}

15
helmfile/apps/openproject/values.yaml
View File

@@ -4,6 +4,9 @@
image:
registry: "registry.souvap-univention.de"
memcached:
bundled: false
probes:
liveness:
initialDelaySeconds: 300
@@ -27,6 +30,16 @@ openproject:
# seed will only be executed on initial installation
seed_locale: "de"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
persistence:
accessModes:
- "ReadWriteMany"
# For more details and more options see
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
environment:
@@ -34,12 +47,14 @@ environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
OPENPROJECT_LOGIN__REQUIRED: "true"
OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
OPENPROJECT_SMTP__AUTHENTICATION: "plain"
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"

10
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -1,7 +1,12 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# OX Connector
- name: "ox-connector-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -14,12 +19,9 @@ releases:
values:
- "values-oxconnector.yaml"
- "values-oxconnector.gotmpl"
condition: "oxConnector.enabled"
installed: {{ .Values.oxConnector.enabled }}
commonLabels:
deploy-stage: "component-2"
component: "provisioning"
bases:
- "../../bases/environments.yaml"
...

4
helmfile/apps/provisioning/values-oxconnector.gotmpl
View File

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.oxConnector.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.oxConnector.tag }}"
imagePullSecrets:
@@ -21,7 +21,7 @@ oxConnector:
domainName: "{{ .Values.global.domain }}"
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
oxMasterAdmin: "admin"
oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1"

135
helmfile/apps/services/helmfile.yaml
View File

@@ -1,95 +1,144 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
- name: "sovereign-workplace-certificates-repo"
# openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
- name: "opendesk-certificates-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk PostgreSQL
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
- name: "postgresql-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk MariaDB
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
- name: "mariadb-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Postfix
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
- name: "postfix-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
- name: "istio-resources-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
- name: "clamav-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "registry-1.docker.io/bitnamicharts" }}
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Istio Resources
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
- name: "istio-resources-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk ClamAV
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
- name: "clamav-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "sovereign-workplace-certificates"
chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
version: "1.2.2"
- name: "opendesk-certificates"
chart: "opendesk-certificates-repo/opendesk-certificates"
version: "2.1.0"
values:
- "values-certificates.gotmpl"
condition: "certificates.enabled"
installed: {{ .Values.certificates.enabled }}
- name: "redis"
chart: "bitnami-repo/redis"
version: "17.9.3"
version: "18.1.2"
values:
- "values-redis.gotmpl"
- "values-redis.yaml"
condition: "redis.enabled"
installed: {{ .Values.redis.enabled }}
- name: "memcached"
chart: "bitnami-repo/memcached"
version: "6.6.2"
values:
- "values-memcached.yaml"
- "values-memcached.gotmpl"
installed: {{ .Values.memcached.enabled }}
- name: "postgresql"
chart: "postgresql-repo/postgresql"
version: "2.0.0"
version: "2.0.2"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
condition: "postgresql.enabled"
installed: {{ .Values.postgresql.enabled }}
timeout: 900
- name: "mariadb"
chart: "mariadb-repo/mariadb"
version: "2.0.0"
version: "2.0.2"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
condition: "mariadb.enabled"
installed: {{ .Values.mariadb.enabled }}
timeout: 900
- name: "postfix"
chart: "postfix-repo/postfix"
version: "1.13.0"
version: "2.0.3"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
condition: "postfix.enabled"
installed: {{ .Values.postfix.enabled }}
- name: "clamav"
chart: "clamav-repo/sovereign-workplace-clamav"
version: "2.1.0"
chart: "clamav-repo/opendesk-clamav"
version: "4.0.0"
values:
- "values-clamav-distributed.yaml"
- "values-clamav-distributed.gotmpl"
condition: "clamavDistributed.enabled"
installed: {{ .Values.clamavDistributed.enabled }}
- name: "clamav-simple"
chart: "clamav-repo/clamav-simple"
version: "2.1.0"
version: "4.0.0"
values:
- "values-clamav-simple.yaml"
- "values-clamav-simple.gotmpl"
condition: "clamavSimple.enabled"
- name: "sovereign-workplace-gateway"
installed: {{ .Values.clamavSimple.enabled }}
- name: "opendesk-gateway"
chart: "istio-resources-repo/istio-gateway"
version: "1.1.2"
version: "2.0.0"
values:
- "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl"
condition: "istio.enabled"
installed: {{ .Values.istio.enabled }}
commonLabels:
deploy-stage: "services"
component: "services"
bases:
- "../../bases/environments.yaml"
...

5
helmfile/apps/services/values-certificates.gotmpl
View File

@@ -18,4 +18,9 @@ istio:
issuerRef:
name: "{{ .Values.istio.issuerRef.name }}"
{{- end }}
cleanup:
keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
wildcard: {{ .Values.certificate.wildcard }}
...

10
helmfile/apps/services/values-clamav-distributed.gotmpl
View File

@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
---
clamd:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.clamd }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
freshclam:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.freshclam }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.freshclam.repository }}"
tag: "{{ .Values.images.freshclam.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -37,18 +35,18 @@ icap:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
milter:
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.milter }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.milter.repository }}"
tag: "{{ .Values.images.milter.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}

80
helmfile/apps/services/values-clamav-distributed.yaml Normal file
View File

@@ -0,0 +1,80 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
clamd:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
freshclam:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
icap:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
milter:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

7
helmfile/apps/services/values-clamav-simple.gotmpl
View File

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
podSecurityContext:
{{/* Disabled until NFS Provisioner on IONOS is fixed */}}
enabled: false
replicaCount: {{ .Values.replicas.clamav }}
image:
@@ -15,10 +10,12 @@ image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
icap:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}

19
helmfile/apps/services/values-clamav-simple.yaml Normal file
View File

@@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

2
helmfile/apps/services/values-istio-gateway.gotmpl
View File

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
global:
domain: "{{ .Values.istio.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
openxchange: "{{ .Values.global.hosts.openxchange }}"
tls:
secretName: "{{ .Values.istio.domain }}-tls"

4
helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml → helmfile/apps/services/values-istio-gateway.yaml
View File

@@ -1,6 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
cleanup:
deletePodsOnSuccess: true
tls:
httpsRedirect: false
...

9
helmfile/apps/services/values-mariadb.gotmpl
View File

@@ -11,17 +11,18 @@ global:
image:
repository: "{{ .Values.images.mariadb.repository }}"
tag: "{{ .Values.images.mariadb.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
# Please refer to `databases.yaml` for details.
job:
users:
- username: "xwiki_user"
password: "{{ .Values.secrets.mariadb.xwikiUser }}"
password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
- username: "openxchange_user"
password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
- username: "nextcloud_user"
password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
databases:
- name: "xwiki"
user: "xwiki_user"
@@ -31,7 +32,7 @@ job:
user: "openxchange_user"
mariadb:
rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

19
helmfile/apps/services/values-mariadb.yaml
View File

@@ -1,6 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
...

19
helmfile/apps/services/values-memcached.gotmpl Normal file
View File

@@ -0,0 +1,19 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}
...

18
helmfile/apps/services/values-memcached.yaml Normal file
View File

@@ -0,0 +1,18 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
serviceAccount:
create: true
...

16
helmfile/apps/services/values-postfix.gotmpl
View File

@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
digest: "{{ .Values.images.postfix.digest }}"
global:
registry: {{ .Values.global.imageRegistry }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.postfix.repository }}"
tag: "{{ .Values.images.postfix.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
certificate:
secretName: "{{ .Values.ingress.tls.secretName }}"

13
helmfile/apps/services/values-postfix.yaml
View File

@@ -5,6 +5,19 @@ certificate:
request:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: true
capabilities: {}
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 101
postfix:
hostname: "postfix"
inetProtocols: "ipv4"

13
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -11,19 +11,20 @@ global:
image:
repository: "{{ .Values.images.postgresql.repository }}"
tag: "{{ .Values.images.postgresql.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
job:
users:
- username: "keycloak_user"
password: {{ .Values.secrets.postgresql.keycloakUser }}
password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
- username: "openproject_user"
password: {{ .Values.secrets.postgresql.openprojectUser }}
password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
- username: "keycloak_extensions_user"
password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
- username: "matrix_user"
password: {{ .Values.secrets.postgresql.matrixUser }}
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.notificationsapiUser }}
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
databases:
- name: "keycloak"
user: "keycloak_user"
@@ -42,7 +43,7 @@ persistence:
size: "{{ .Values.persistence.size.postgresql }}"
postgres:
password: {{ .Values.secrets.postgresql.postgresUser }}
password: {{ .Values.secrets.postgresql.postgresUser | quote }}
resources:
{{ .Values.resources.postgresql | toYaml | nindent 2 }}

18
helmfile/apps/services/values-postgresql.yaml
View File

@@ -1,11 +1,29 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
postgres:
user: "postgres"
...

3
helmfile/apps/services/values-redis.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
auth:
password: {{ .Values.secrets.redis.password }}
password: {{ .Values.secrets.redis.password | quote }}
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
@@ -16,6 +16,7 @@ image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.redis.repository }}"
tag: "{{ .Values.images.redis.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
master:
persistence:

4
helmfile/apps/services/values-redis.yaml
View File

@@ -8,4 +8,8 @@ sentinel:
metrics:
enabled: false
master:
containerSecurityContext:
readOnlyRootFilesystem: true
...

19
helmfile/apps/univention-corporate-container/helmfile.yaml
View File

@@ -1,11 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Univention Corporate Server (as eval Container)
- name: "univention-corporate-container-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "univention-corporate-container"
@@ -14,12 +24,9 @@ releases:
values:
- "values.yaml"
- "values.gotmpl"
condition: "univentionCorporateServer.enabled"
installed: {{ .Values.univentionCorporateServer.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-corporate-container"
bases:
- "../../bases/environments.yaml"
...

18
helmfile/apps/univention-corporate-container/values.gotmpl
View File

@@ -13,7 +13,7 @@ global:
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "Always"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.univentionCorporateServer.repository }}"
tag: "{{ .Values.images.univentionCorporateServer.tag }}"
@@ -37,31 +37,31 @@ extraEnvVars:
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
- name: LDAPSEARCH_DOVECOT_USERNAME
value: "ldapsearch_dovecot"
- name: LDAPSEARCH_DOVECOT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
- name: LDAPSEARCH_KEYCLOAK_USERNAME
value: "ldapsearch_keycloak"
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
value: "ldapsearch_nextcloud"
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
- name: LDAPSEARCH_OPENPROJECT_USERNAME
value: "ldapsearch_openproject"
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
- name: LDAPSEARCH_XWIKI_USERNAME
value: "ldapsearch_xwiki"
- name: LDAPSEARCH_XWIKI_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
- name: DEFAULT_ACCOUNT_USER_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
resources:
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}

120
helmfile/apps/univention-management-stack/helmfile.yaml Normal file
View File

@@ -0,0 +1,120 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Univention Management Stack
- name: "ums-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
releases:
- name: "ums-store-dav"
chart: "ums-repo/store-dav"
version: "0.2.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-store-dav.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server"
chart: "ums-repo/ldap-server"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-server.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier"
chart: "ums-repo/ldap-notifier"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api"
chart: "ums-repo/udm-rest-api"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-udm-rest-api.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums"
chart: "ums-repo/stack-data-ums"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-ums.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp"
chart: "ums-repo/stack-data-swp"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-swp.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server"
chart: "ums-repo/portal-server"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-server.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api"
chart: "ums-repo/notifications-api"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-notifications-api.gotmpl"
- "values-notifications-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener"
chart: "ums-repo/portal-listener"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-listener.gotmpl"
- "values-portal-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend"
chart: "ums-repo/portal-frontend"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway"
chart: "ums-repo/umc-gateway"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server"
chart: "ums-repo/umc-server"
version: "0.1.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-server.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-management-stack"
...

14
helmfile/apps/univention-management-stack/values-common.gotmpl Normal file
View File

@@ -0,0 +1,14 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
enabled: {{ .Values.ingress.enabled }}
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""

4
helmfile/apps/intercom-service/values.yaml → helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -1,8 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
istio:
enabled: false
virtualService:
enabled: false
...

20
helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl Normal file
View File

@@ -0,0 +1,20 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapNotifier.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapNotifier.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
...

10
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
...

44
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl Normal file
View File

@@ -0,0 +1,44 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ldapServer:
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: Certificates handling
# caCert: ""
# certPem: ""
# privateKey: ""
# dhParam: ""
tlsMode: "off"
# TODO: SAML integration
# samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
# samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
# serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapServer.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
# TODO: Pending upstream support, #199
persistence:
data:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
shared:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
...

28
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl Normal file
View File

@@ -0,0 +1,28 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
postgresql:
bundled: false
connection:
host: "postgresql"
port: 5432
auth:
username: "notificationsapi_user"
database: "notificationsapi"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsNotificationsApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsNotificationsApi.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
...

12
helmfile/apps/univention-management-stack/values-notifications-api.yaml Normal file
View File

@@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
...

31
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl Normal file
View File

@@ -0,0 +1,31 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalFrontend.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalFrontend.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
extraIngresses:
redirects:
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
enabled: {{ .Values.ingress.enabled }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
...

54
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl Normal file
View File

@@ -0,0 +1,54 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
portalListener:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
environment: "staging"
debugLevel: "4"
assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
notifierServer: "ums-ldap-notifier"
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalListener.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalListener.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
# TODO: Pending upstream support, #200
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
...

8
helmfile/apps/univention-management-stack/values-portal-listener.yaml Normal file
View File

@@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
store-dav:
bundled: false
...

28
helmfile/apps/univention-management-stack/values-portal-server.gotmpl Normal file
View File

@@ -0,0 +1,28 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
authMode: "saml"
environment: "staging"
editable: "true"
logLevel: "DEBUG"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalServer.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
...

38
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl Normal file
View File

@@ -0,0 +1,38 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataSwp:
udmApiUsername: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
externalDomainName: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
oxDefaultContext: "10"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
...

31
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl Normal file
View File

@@ -0,0 +1,31 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataUms:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
...

39
helmfile/apps/univention-management-stack/values-store-dav.gotmpl Normal file
View File

@@ -0,0 +1,39 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
storeDav:
auth:
basicAuth:
portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsStoreDav.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsStoreDav.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
configHtpasswd:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
# TODO: Pending upstream support, #201
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
...

44
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl Normal file
View File

@@ -0,0 +1,44 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
udmRestApi:
apiLogLevel: "4"
authGroups:
dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
# TODO: Secret should be entered without b64enc
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
# TODO: why do we need this many subprocesses?
numberOfSubprocesses: 8
# TODO: Stub value currently
caCert: ""
# TODO: This should not be part of the udm-rest-api anymore
loadJoinData:
enabled: true
# TODO: configurable
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUdmRestApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUdmRestApi.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
...

23
helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl Normal file
View File

@@ -0,0 +1,23 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
umcGateway:
domainname: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ssoFqdn: "localhost:8097"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUmcGateway.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUmcGateway.tag }}"
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
...

Some files were not shown because too many files have changed in this diff Show More