mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-08 16:28:36 +01:00
Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
5f79763e2b | ||
|
|
e120f5fb9a | ||
|
|
a799db03c4 | ||
|
|
d725b93798 | ||
|
|
e1070eeb06 | ||
|
|
c7fc187f14 | ||
|
|
89ac783dc3 | ||
|
|
882f1fbc93 | ||
|
|
b5583caec1 |
@@ -141,23 +141,6 @@ variables:
|
||||
dependencies: []
|
||||
extends: ".environments"
|
||||
image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
|
||||
secrets:
|
||||
SMTP_PASSWORD:
|
||||
vault:
|
||||
engine:
|
||||
name: "kv-v2"
|
||||
path: "swp"
|
||||
path: "accounts/brained/mail/relay@souvap-univention.de"
|
||||
field: "password"
|
||||
file: false
|
||||
TURN_CREDENTIALS:
|
||||
vault:
|
||||
engine:
|
||||
name: "kv-v2"
|
||||
path: "swp"
|
||||
path: "accounts/souvap-univention.de/develop/turn/secret"
|
||||
field: "credentials"
|
||||
file: false
|
||||
script:
|
||||
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
|
||||
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
|
||||
@@ -463,8 +446,7 @@ generate-release-assets:
|
||||
- when: "never"
|
||||
script:
|
||||
- |
|
||||
# yamllint disable-line rule:line-length
|
||||
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
|
||||
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
|
||||
cd opendesk-asset-generator
|
||||
export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
|
||||
./opendesk_asset_generator.py
|
||||
@@ -477,6 +459,8 @@ generate-release-assets:
|
||||
- "./build_artefacts/chart-index.json"
|
||||
- "./build_artefacts/image-index.json"
|
||||
tags: []
|
||||
variables:
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
|
||||
|
||||
|
||||
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
|
||||
|
||||
13
CHANGELOG.md
13
CHANGELOG.md
@@ -1,3 +1,16 @@
|
||||
## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
|
||||
* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
|
||||
* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
|
||||
* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
|
||||
* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
|
||||
* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
|
||||
* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
|
||||
|
||||
# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
|
||||
|
||||
|
||||
|
||||
74
README.md
74
README.md
@@ -91,8 +91,6 @@ installation.
|
||||
| `DOMAIN` | `souvap.cloud` | External reachable domain |
|
||||
| `ISTIO_DOMAIN` | `istio.souvap.cloud` | External reachable domain for Istio Gateway |
|
||||
| `MASTER_PASSWORD` | `sovereign-workplace` | The password that seeds the autogenerated secrets |
|
||||
| `SMTP_PASSWORD` | | Password for SMTP relay gateway |
|
||||
| `TURN_CREDENTIALS` | | Credentials for coturn server |
|
||||
|
||||
Please ensure that you set the DNS records pointing to the loadbalancer/IP for
|
||||
`DOMAIN` and `ISTIO_DOMAIN`.
|
||||
@@ -306,30 +304,64 @@ actual scalability of the components (see column `Scaling (verified)`).
|
||||
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
|
||||
|
||||
|
||||
### Mail/SMTP configuration
|
||||
|
||||
To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
|
||||
the whole subdomain.
|
||||
|
||||
```yaml
|
||||
smtp:
|
||||
host: # your SMTP host or IP-address
|
||||
username: # username/email for authentication
|
||||
password: # password for authentication, or via environment variable SMTP_PASSWORD
|
||||
```
|
||||
|
||||
### TURN configuration
|
||||
|
||||
Some components (Jitsi, Element) use for direct communication a TURN server.
|
||||
You can configure your own TURN server with these options:
|
||||
|
||||
```yaml
|
||||
turn:
|
||||
transport: # "udp" or "tcp"
|
||||
credentials: # turn credential string
|
||||
server: # configuration for unsecure connections
|
||||
host: # your TURN host or IP-address
|
||||
port: # server port
|
||||
tls: # configuration for secure connections
|
||||
host: # your TURN host or IP-address
|
||||
port: # server port
|
||||
```
|
||||
|
||||
## Security
|
||||
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :white_check_mark: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Postfix | postfix | :x: | :white_check_mark: | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`, `NET_ADMIN`, `NET_RAW`) | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
|
||||
|
||||
# Component integration
|
||||
|
||||
@@ -33,14 +33,9 @@ collabora:
|
||||
aliasgroups:
|
||||
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
|
||||
|
||||
{{- if not (eq .Values.cluster.container.engine "containerd") }}
|
||||
# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
|
||||
# Ref.: https://github.com/CollaboraOnline/online/issues/2800
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- "MKNOD"
|
||||
{{- end }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.collabora }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.collabora | toYaml | nindent 2 }}
|
||||
...
|
||||
|
||||
@@ -14,20 +14,74 @@ collabora:
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
# nginx
|
||||
# Ingress NGINX
|
||||
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/server-snippet: |
|
||||
# block admin and metrics endpoint from outside by default
|
||||
location /cool/getMetrics { deny all; return 403; }
|
||||
location /cool/adminws/ { deny all; return 403; }
|
||||
location /browser/dist/admin/admin.html { deny all; return 403; }
|
||||
# NGINX
|
||||
nginx.org/websocket-services: "collabora"
|
||||
nginx.org/lb-method: "hash $arg_WOPISrc consistent"
|
||||
nginx.org/proxy-read-timeout: "600"
|
||||
nginx.org/proxy-send-timeout: "600"
|
||||
nginx.org/client-max-body-size: "0"
|
||||
nginx.org/server-snippets: |
|
||||
# block admin and metrics endpoint from outside by default
|
||||
location /cool/getMetrics { deny all; return 403; }
|
||||
location /cool/adminws/ { deny all; return 403; }
|
||||
location /browser/dist/admin/admin.html { deny all; return 403; }
|
||||
# HAProxy
|
||||
haproxy.org/timeout-tunnel: "3600s"
|
||||
haproxy.org/backend-config-snippet: |
|
||||
mode http
|
||||
balance leastconn
|
||||
stick-table type string len 2048 size 1k store conn_cur
|
||||
http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
|
||||
http-request track-sc1 url_param(WOPISrc)
|
||||
stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
|
||||
stick store-request url_param(WOPISrc)
|
||||
nginx.org/websocket-services: "collabora"
|
||||
nginx.org/lb-method: "hash $arg_WOPISrc consistent"
|
||||
balance url_param WOPISrc check_post
|
||||
hash-type consistent
|
||||
# HAProxy - Community: https://haproxy-ingress.github.io/
|
||||
haproxy-ingress.github.io/timeout-tunnel: "3600s"
|
||||
haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
|
||||
haproxy-ingress.github.io/config-backend: |
|
||||
hash-type consistent
|
||||
# block admin urls from outside
|
||||
acl admin_url path_beg /cool/getMetrics
|
||||
acl admin_url path_beg /cool/adminws/
|
||||
acl admin_url path_beg /browser/dist/admin/admin.html
|
||||
http-request deny if admin_url
|
||||
autoscaling:
|
||||
enabled: false
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SETPCAP"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
- "MKNOD"
|
||||
|
||||
podSecurityContext:
|
||||
fsGroup: 100
|
||||
...
|
||||
|
||||
@@ -2,38 +2,41 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
repositories:
|
||||
- name: "sovereign-workplace-element-repo"
|
||||
- name: "opendesk-element-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
|
||||
|
||||
releases:
|
||||
- name: "sovereign-workplace-element"
|
||||
chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
|
||||
version: "1.3.0"
|
||||
- name: "opendesk-element"
|
||||
chart: "opendesk-element-repo/opendesk-element"
|
||||
version: "2.0.1"
|
||||
values:
|
||||
- "values-element.yaml"
|
||||
- "values-element.gotmpl"
|
||||
condition: "element.enabled"
|
||||
|
||||
- name: "sovereign-workplace-well-known"
|
||||
chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
|
||||
version: "1.3.0"
|
||||
- name: "opendesk-well-known"
|
||||
chart: "opendesk-element-repo/opendesk-well-known"
|
||||
version: "2.0.1"
|
||||
values:
|
||||
- "values-well-known.yaml"
|
||||
- "values-well-known.gotmpl"
|
||||
condition: "element.enabled"
|
||||
|
||||
- name: "sovereign-workplace-synapse-web"
|
||||
chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
|
||||
version: "1.3.0"
|
||||
- name: "opendesk-synapse-web"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-web"
|
||||
version: "2.0.1"
|
||||
values:
|
||||
- "values-synapse-web.yaml"
|
||||
- "values-synapse-web.gotmpl"
|
||||
condition: "element.enabled"
|
||||
|
||||
- name: "sovereign-workplace-synapse"
|
||||
chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
|
||||
version: "1.3.0"
|
||||
- name: "opendesk-synapse"
|
||||
chart: "opendesk-element-repo/opendesk-synapse"
|
||||
version: "2.0.1"
|
||||
values:
|
||||
- "values-synapse.yaml"
|
||||
- "values-synapse.gotmpl"
|
||||
condition: "element.enabled"
|
||||
|
||||
|
||||
21
helmfile/apps/element/values-element.yaml
Normal file
21
helmfile/apps/element/values-element.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
21
helmfile/apps/element/values-synapse-web.yaml
Normal file
21
helmfile/apps/element/values-synapse-web.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
20
helmfile/apps/element/values-synapse.yaml
Normal file
20
helmfile/apps/element/values-synapse.yaml
Normal file
@@ -0,0 +1,20 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10991
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 10991
|
||||
...
|
||||
@@ -4,4 +4,22 @@
|
||||
configuration:
|
||||
e2ee:
|
||||
forceDisable: true
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
|
||||
@@ -18,11 +18,7 @@ handler:
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
|
||||
{{- if .Values.images.keycloakExtensionHandler.digest }}
|
||||
sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
|
||||
{{- else if .Values.images.keycloakExtensionHandler.tag }}
|
||||
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
|
||||
{{- end }}
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
appConfig:
|
||||
smtpPassword: "{{ .Values.smtp.password }}"
|
||||
@@ -35,11 +31,7 @@ proxy:
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
|
||||
{{- if .Values.images.keycloakExtensionProxy.digest }}
|
||||
sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
|
||||
{{- else if .Values.images.keycloakExtensionProxy.tag }}
|
||||
tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
|
||||
{{- end }}
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
ingress:
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
|
||||
@@ -13,7 +13,6 @@ image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloak.repository }}"
|
||||
tag: "{{ .Values.images.keycloak.tag }}"
|
||||
digest: "{{ .Values.images.keycloak.digest }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
externalDatabase:
|
||||
|
||||
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
url: "{{ .Values.images.dovecot.repository }}"
|
||||
digest: "{{ .Values.images.dovecot.digest }}"
|
||||
tag: "{{ .Values.images.dovecot.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
url: "{{ .Values.images.openxchangeBootstrap.repository }}"
|
||||
digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
|
||||
tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -44,7 +44,7 @@ releases:
|
||||
condition: "certificates.enabled"
|
||||
- name: "redis"
|
||||
chart: "bitnami-repo/redis"
|
||||
version: "18.0.0"
|
||||
version: "18.0.4"
|
||||
values:
|
||||
- "values-redis.gotmpl"
|
||||
- "values-redis.yaml"
|
||||
@@ -58,14 +58,14 @@ releases:
|
||||
condition: "postgresql.enabled"
|
||||
- name: "mariadb"
|
||||
chart: "mariadb-repo/mariadb"
|
||||
version: "2.0.2"
|
||||
version: "2.1.0"
|
||||
values:
|
||||
- "values-mariadb.yaml"
|
||||
- "values-mariadb.gotmpl"
|
||||
condition: "mariadb.enabled"
|
||||
- name: "postfix"
|
||||
chart: "postfix-repo/postfix"
|
||||
version: "2.0.1"
|
||||
version: "2.0.3"
|
||||
values:
|
||||
- "values-postfix.yaml"
|
||||
- "values-postfix.gotmpl"
|
||||
@@ -74,12 +74,14 @@ releases:
|
||||
chart: "clamav-repo/opendesk-clamav"
|
||||
version: "4.0.0"
|
||||
values:
|
||||
- "values-clamav-distributed.yaml"
|
||||
- "values-clamav-distributed.gotmpl"
|
||||
condition: "clamavDistributed.enabled"
|
||||
- name: "clamav-simple"
|
||||
chart: "clamav-repo/clamav-simple"
|
||||
version: "4.0.0"
|
||||
values:
|
||||
- "values-clamav-simple.yaml"
|
||||
- "values-clamav-simple.gotmpl"
|
||||
condition: "clamavSimple.enabled"
|
||||
- name: "sovereign-workplace-gateway"
|
||||
|
||||
80
helmfile/apps/services/values-clamav-distributed.yaml
Normal file
80
helmfile/apps/services/values-clamav-distributed.yaml
Normal file
@@ -0,0 +1,80 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
clamd:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "Always"
|
||||
|
||||
freshclam:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "Always"
|
||||
|
||||
icap:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "Always"
|
||||
|
||||
milter:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "Always"
|
||||
...
|
||||
19
helmfile/apps/services/values-clamav-simple.yaml
Normal file
19
helmfile/apps/services/values-clamav-simple.yaml
Normal file
@@ -0,0 +1,19 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "Always"
|
||||
...
|
||||
@@ -1,6 +1,25 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
job:
|
||||
enabled: true
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1001
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
...
|
||||
|
||||
@@ -5,6 +5,19 @@ certificate:
|
||||
request:
|
||||
enabled: false
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: false
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
|
||||
postfix:
|
||||
hostname: "postfix"
|
||||
inetProtocols: "ipv4"
|
||||
|
||||
@@ -1,11 +1,29 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
enabled: true
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
job:
|
||||
image:
|
||||
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1001
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
|
||||
|
||||
postgres:
|
||||
user: "postgres"
|
||||
...
|
||||
|
||||
@@ -6,16 +6,14 @@ images:
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
collabora:
|
||||
# repository: "collabora/code"
|
||||
# tag: "23.05.2.2.1"
|
||||
repository: "souvap/tooling/images/collabora"
|
||||
tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
|
||||
dovecot:
|
||||
repository: "dovecot/dovecot"
|
||||
digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
|
||||
tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
|
||||
element:
|
||||
repository: "souvap/tooling/images/element-web@sha256"
|
||||
tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
|
||||
repository: "souvap/tooling/images/element-web"
|
||||
tag: "latest@sha256:16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
|
||||
freshclam:
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
@@ -42,92 +40,89 @@ images:
|
||||
tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
|
||||
intercom:
|
||||
repository: "univention/intercom-service"
|
||||
tag: "1.4-kubernetes"
|
||||
tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
|
||||
keycloak:
|
||||
repository: "bitnami/keycloak"
|
||||
tag: "19.0.3-debian-11-r15"
|
||||
digest: ""
|
||||
tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
|
||||
keycloakBootstrap:
|
||||
repository: "souvap/tooling/images/ansible"
|
||||
tag: "4.10.0"
|
||||
tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
|
||||
keycloakExtensionHandler:
|
||||
repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
|
||||
digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
|
||||
tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
|
||||
keycloakExtensionProxy:
|
||||
repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
|
||||
digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
|
||||
tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
|
||||
mariadb:
|
||||
repository: "mariadb"
|
||||
tag: "10"
|
||||
tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
|
||||
memcached:
|
||||
repository: "bitnami/memcached"
|
||||
tag: "1.6.21-debian-11-r4"
|
||||
tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
|
||||
milter:
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
nextcloud:
|
||||
repository: "nextcloud"
|
||||
tag: "26.0.5-apache"
|
||||
tag: "26.0.5-apache@sha256:2a129ba3258300424319e7023e8e60c28d79178ae4143e7ba2d41148646c30e1"
|
||||
openproject:
|
||||
repository: "souvap/tooling/images/openproject/souvap@sha256"
|
||||
tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
|
||||
repository: "souvap/tooling/images/openproject/souvap"
|
||||
tag: "dev@sha256:03eb1eacc0c0c4e9e7d0f0c3d265fd0c15fd01cda33bc4f89cbc487ad53474a8"
|
||||
openxchangeBootstrap:
|
||||
repository: "alpine/k8s"
|
||||
digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
|
||||
tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
|
||||
openxchangeCoreGuidedtours:
|
||||
repository: "appsuite-public-sector/core-guidedtours"
|
||||
tag: "8.5.1"
|
||||
tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
|
||||
openxchangeCoreMW:
|
||||
repository: "appsuite-public-sector/middleware-public-sector"
|
||||
tag: "8.16.55"
|
||||
tag: "8.16.55@sha256:11317124714725d61204188ebfebc2220f295fd59b245adcef0b6c3186a68fd3"
|
||||
openxchangeCoreUI:
|
||||
repository: "appsuite-public-sector/core-ui"
|
||||
tag: "8.16.5"
|
||||
tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
|
||||
openxchangeCoreUIMiddleware:
|
||||
repository: "appsuite-public-sector/core-ui-middleware"
|
||||
tag: "1.8.4"
|
||||
tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
|
||||
openxchangeCoreUserGuide:
|
||||
repository: "appsuite-public-sector/core-user-guide"
|
||||
tag: "8.16.727397"
|
||||
tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
|
||||
openxchangeGuardUI:
|
||||
repository: "appsuite-public-sector/guard-ui"
|
||||
tag: "4.0.6"
|
||||
tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
|
||||
openxchangeNextcloudIntegrationUI:
|
||||
repository: "appsuite-public-sector/nextcloud-integration-ui"
|
||||
tag: "1.0.3"
|
||||
tag: "1.0.3@sha256:193fd07a8b83164d175cd55f7e28fb7ec6d81f1037945035ca709825725c038e"
|
||||
openxchangePublicSectorUI:
|
||||
repository: "appsuite-public-sector/public-sector-ui"
|
||||
tag: "2.0.1"
|
||||
tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
|
||||
oxConnector:
|
||||
repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
|
||||
tag: "branch-jconde-listener-entrypoint-chaining"
|
||||
tag: "branch-jconde-listener-entrypoint-chaining@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
|
||||
postfix:
|
||||
repository: "souvap/tooling/images/postfix"
|
||||
tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
|
||||
postgresql:
|
||||
repository: "postgres"
|
||||
tag: "15-alpine"
|
||||
tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
|
||||
prosody:
|
||||
repository: "jitsi/prosody"
|
||||
tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
|
||||
redis:
|
||||
repository: "bitnami/redis"
|
||||
tag: "7.0.12-debian-11-r0"
|
||||
tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
|
||||
synapse:
|
||||
repository: "matrixdotorg/synapse"
|
||||
tag: "v1.87.0"
|
||||
tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
|
||||
synapseWeb:
|
||||
repository: "library/haproxy"
|
||||
tag: "2.4"
|
||||
repository: "rapidfort/haproxy-official"
|
||||
tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
|
||||
univentionCorporateServer:
|
||||
repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
|
||||
tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
|
||||
repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
|
||||
tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
|
||||
wellKnown:
|
||||
repository: "library/nginx"
|
||||
tag: "1.23"
|
||||
tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
|
||||
xwiki:
|
||||
# repository: "xwikisas/swp/xwiki"
|
||||
# tag: "0.10-mariadb-tomcat"
|
||||
repository: "xwikisas/swp/xwiki@sha256"
|
||||
tag: "02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
|
||||
repository: "xwikisas/swp/xwiki"
|
||||
tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
|
||||
...
|
||||
|
||||
@@ -9,6 +9,13 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "2Gi"
|
||||
collabora:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "16Mi"
|
||||
dovecot:
|
||||
limits:
|
||||
cpu: 0.5
|
||||
|
||||
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
smtp:
|
||||
host: "mail.brained.io"
|
||||
username: "relay@souvap-univention.de"
|
||||
host: ""
|
||||
username: ""
|
||||
password: "{{ env "SMTP_PASSWORD" }}"
|
||||
...
|
||||
|
||||
Reference in New Issue
Block a user