sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.5.20
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
...
compare: sheppy:v0.5.44
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

54 Commits
v0.5.20 ... v0.5.44

Author SHA1 Message Date
openDesk
d7cae3b1fa chore(release): 0.5.44 [skip ci] 
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)

### Bug Fixes

* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](7ae65a36a2))
 2023-11-21 12:05:51 +00:00
Dominik Kaminski
7ae65a36a2 fix(ci): Remove default BASE_DOMAIN in .gitlab-ci.yml 2023-11-20 14:52:16 +01:00
openDesk
01466947cc chore(release): 0.5.43 [skip ci] 
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)

### Bug Fixes

* **univention-management-stack:** Update optional UMS preview state ([061e588](061e588da9))
 2023-11-20 13:30:24 +00:00
Johannes Bornhold
061e588da9 fix(univention-management-stack): Update optional UMS preview state 2023-11-20 13:25:35 +00:00
openDesk
b460206bd4 chore(release): 0.5.42 [skip ci] 
## [0.5.42](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.41...v0.5.42) (2023-11-20)

### Bug Fixes

* **nextcloud:** Add exporter and serviceMonitor ([feed270](feed270fd7))
* **nextcloud:** Bump openDesk bootstrap to 3.2.3 to support serverinfo token ([ea14f95](ea14f953a4))
 2023-11-20 10:12:23 +00:00
Dominik Kaminski
ea14f953a4 fix(nextcloud): Bump openDesk bootstrap to 3.2.3 to support serverinfo token 2023-11-20 09:41:37 +01:00
Martin Müller
feed270fd7 fix(nextcloud): Add exporter and serviceMonitor 2023-11-20 09:40:53 +01:00
openDesk
225398b5a6 chore(release): 0.5.41 [skip ci] 
## [0.5.41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.40...v0.5.41) (2023-11-16)

### Bug Fixes

* **helmfile:** Split README into docs ([cd0e94f](cd0e94f96f))
 2023-11-16 10:29:38 +00:00
Dominik Kaminski
cd0e94f96f fix(helmfile): Split README into docs 2023-11-16 07:56:46 +01:00
openDesk
767c382091 chore(release): 0.5.40 [skip ci] 
## [0.5.40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.39...v0.5.40) (2023-11-14)

### Bug Fixes

* **open-xchange:** Bump Dovecot and fix out-of-office replys ([55f6ba2](55f6ba21dc))
 2023-11-14 19:08:44 +00:00
Thomas Kaltenbrunner
55f6ba21dc fix(open-xchange): Bump Dovecot and fix out-of-office replys 2023-11-14 19:06:52 +00:00
openDesk
b3c4ec5165 chore(release): 0.5.39 [skip ci] 
## [0.5.39](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.38...v0.5.39) (2023-11-14)

### Bug Fixes

* **univention-management-stack:** Update optional UMS preview state ([e231e57](e231e5749d))
 2023-11-14 07:36:24 +00:00
Johannes Bornhold
e231e5749d fix(univention-management-stack): Update optional UMS preview state 2023-11-14 07:33:34 +00:00
openDesk
f98c48616b chore(release): 0.5.38 [skip ci] 
## [0.5.38](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.37...v0.5.38) (2023-11-13)

### Bug Fixes

* **collabora:** Update image to 23.05.5.4.1 ([c460467](c460467d74))
 2023-11-13 16:14:05 +00:00
Thorsten Rossner
c460467d74 fix(collabora): Update image to 23.05.5.4.1 2023-11-13 16:12:04 +00:00
openDesk
3f7faf88fb chore(release): 0.5.37 [skip ci] 
## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)

### Bug Fixes

* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](1971dfbded))
 2023-11-12 15:54:06 +00:00
Thorsten Rossner
1971dfbded fix(openproject): Add bootstrapping of Nextcloud filestore 2023-11-12 15:52:22 +00:00
openDesk
b50e5c982b chore(release): 0.5.36 [skip ci] 
## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)

### Bug Fixes

* **element:** Update Element and Widgets ([97034a5](97034a556f))
 2023-11-10 11:57:05 +00:00
Milton Moura
97034a556f fix(element): Update Element and Widgets 2023-11-10 11:54:48 +00:00
openDesk
8b87432317 chore(release): 0.5.35 [skip ci] 
## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)

### Bug Fixes

* **helmfile:** Eliminate some yamllint errors ([1d03a6e](1d03a6e11f))
* **helmfile:** Move ldap host variable into helpers ([08811de](08811decd9))
* **helmfile:** Update charts to use proper quoting ([69ea840](69ea840517))
* **services:** Add minio as service and consume by OpenProject ([baa5827](baa5827de3))
 2023-11-10 01:35:55 +00:00
Robin Rush
baa5827de3 fix(services): Add minio as service and consume by OpenProject 2023-11-09 19:15:46 -06:00
Dominik Kaminski
1d03a6e11f fix(helmfile): Eliminate some yamllint errors 2023-11-09 17:01:17 -06:00
Dominik Kaminski
08811decd9 fix(helmfile): Move ldap host variable into helpers 2023-11-09 16:25:21 -06:00
Thomas Kaltenbrunner
69ea840517 fix(helmfile): Update charts to use proper quoting 2023-11-09 22:01:21 +00:00
openDesk
ea5bd0a6b7 chore(release): 0.5.34 [skip ci] 
## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)

### Bug Fixes

* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](0d8e92fc5a))
 2023-11-09 16:23:55 +00:00
Thorsten Rossner
0d8e92fc5a fix(openproject): Bump helmchart and properly template OP's initdb image 2023-11-09 16:21:30 +00:00
openDesk
d7119a656b chore(release): 0.5.33 [skip ci] 
## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)

### Bug Fixes

* **cryptpad:** Update security context ([89ae1d9](89ae1d94ea))
 2023-11-09 08:54:47 +00:00
Thomas Kaltenbrunner
89ae1d94ea fix(cryptpad): Update security context 2023-11-09 08:52:55 +00:00
openDesk
dfc7fed325 chore(release): 0.5.32 [skip ci] 
## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)

### Bug Fixes

* **collabora:** Resource definitions ([65ce9a1](65ce9a171b))
 2023-11-09 06:44:45 +00:00
Thorsten Roßner
65ce9a171b fix(collabora): Resource definitions 2023-11-08 21:01:11 +01:00
openDesk
5e50ed119f chore(release): 0.5.31 [skip ci] 
## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)

### Bug Fixes

* **univention-management-stack:** Update optional UMS preview state ([d0a0799](d0a07997c1))
 2023-11-08 13:43:13 +00:00
Johannes Bornhold
d0a07997c1 fix(univention-management-stack): Update optional UMS preview state 2023-11-08 13:41:22 +00:00
openDesk
985df5906f chore(release): 0.5.30 [skip ci] 
## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)

### Bug Fixes

* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](0ad043406b))
* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](385d81b9a9))
 2023-11-06 23:26:23 +00:00
Dominik Kaminski
385d81b9a9 fix(helmfile): Add monitoring.yaml for optional monitoring 2023-11-06 17:12:53 -06:00
Martin Müller
0ad043406b fix(collabora): Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) 2023-11-06 16:12:15 -06:00
openDesk
4a79728f01 chore(release): 0.5.29 [skip ci] 
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)

### Bug Fixes

* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](7c56c7244f))
 2023-11-06 19:34:52 +00:00
Clément Aubin
7c56c7244f fix(xwiki): Update XWiki Helm configuration to enable LDAP and OIDC user synchronization 2023-11-06 15:41:23 +00:00
openDesk
e0fce6631b chore(release): 0.5.28 [skip ci] 
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)

### Bug Fixes

* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](899a8c5af9))
 2023-11-06 15:40:22 +00:00
Viktor Pracht
899a8c5af9 fix(open-xchange): Add Document- and ImageConverter, improve LDAP address book filters 2023-11-06 15:38:35 +00:00
openDesk
6cee2c878b chore(release): 0.5.27 [skip ci] 
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)

### Bug Fixes

* **docs:** Re-include release artefacts ([4359b21](4359b21f1c))
 2023-11-04 12:21:17 +00:00
Thorsten Rossner
4359b21f1c fix(docs): Re-include release artefacts 2023-11-04 12:19:45 +00:00
openDesk
d8b2bd3af0 chore(release): 0.5.26 [skip ci] 
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)

### Bug Fixes

* **element:** Enables user directory search for all users ([8fafd90](8fafd906a3))
 2023-11-02 14:32:46 +00:00
Milton Moura
8fafd906a3 fix(element): Enables user directory search for all users 2023-11-02 11:45:05 -01:00
openDesk
fece4ace87 chore(release): 0.5.25 [skip ci] 
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)

### Bug Fixes

* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](ab6014f8c6))
 2023-11-01 17:25:13 +00:00
Thomas Kaltenbrunner
ab6014f8c6 fix(cryptpad): Add CryptPad to support editing of diagrams.net files from within Nextcloud 2023-11-01 17:23:21 +00:00
openDesk
fecd13612b chore(release): 0.5.24 [skip ci] 
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)

### Bug Fixes

* **collabora:** Update image to 23.05.5.3.1 ([38336d0](38336d0240))
 2023-11-01 16:27:49 +00:00
Thorsten Roßner
38336d0240 fix(collabora): Update image to 23.05.5.3.1 2023-11-01 08:53:27 +01:00
openDesk
9f9e4e9521 chore(release): 0.5.23 [skip ci] 
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)

### Bug Fixes

* **element:** Update Element Web to latest release ([b47de62](b47de62f98))
 2023-11-01 14:29:33 +00:00
Mikhail Aheichyk
b47de62f98 fix(element): Update Element Web to latest release 2023-11-01 16:55:14 +03:00
openDesk
9e54299917 chore(release): 0.5.22 [skip ci] 
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)

### Bug Fixes

* **openproject:** Nextcloud integration within K8s instances ([d249d0e](d249d0e3ce))
 2023-10-31 14:04:35 +00:00
Oliver Günther
d249d0e3ce fix(openproject): Nextcloud integration within K8s instances 2023-10-31 14:02:40 +00:00
Thorsten Roßner
fbe7de3c56 chore(release): 0.5.21 [skip ci] 
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)

### Bug Fixes

* **helmfile:** Deinstall components if disabled ([7feaadf](7feaadf7f8))
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](034e98c850))
 2023-10-30 17:01:00 +00:00
Martin Müller
034e98c850 fix(helmfile): Put enviroments in first document inside of a yaml 
see: https://helmfile.readthedocs.io/en/latest/#environment
 2023-10-30 17:55:26 +01:00
Martin Müller
7feaadf7f8 fix(helmfile): Deinstall components if disabled 2023-10-30 17:42:35 +01:00
119 changed files with 3257 additions and 1476 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,6 +2,7 @@
# SPDX-License-Identifier: Apache-2.0
.vscode
.idea
.yamllint
# Ignore changes to sample environments
helmfile/environments/dev/values.yaml

45
.gitlab-ci.yml
View File

@@ -33,9 +33,6 @@ variables:
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
sovereign-workplace-env included above."
value: "dev"
BASE_DOMAIN:
description: "Define the Cluster Base Domain."
value: "souvap.cloud"
MASTER_PASSWORD_WEB_VAR:
description: "Optional: Provide a passphrase to be used for password generation."
value: ""
@@ -78,6 +75,12 @@ variables:
options:
- "yes"
- "no"
DEPLOY_CRYPTPAD:
description: "Enable CryptPad deployment."
value: "no"
options:
- "yes"
- "no"
DEPLOY_ELEMENT:
description: "Enable Element deployment."
value: "no"
@@ -144,9 +147,6 @@ variables:
UMS_TESTS_BRANCH:
description: "Branch of E2E test suite of SouvAP Dev team"
value: "main"
# please use the following set of variables with normalized names:
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
.deploy-common:
cache: {}
@@ -198,7 +198,6 @@ env-cleanup:
env-start:
environment:
name: "${NAMESPACE}"
url: "https://portal.${DOMAIN}"
on_stop: "env-stop"
extends: ".deploy-common"
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -342,6 +341,18 @@ collabora-deploy:
variables:
COMPONENT: "collabora"
cryptpad-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
when: "always"
variables:
COMPONENT: "cryptpad"
nextcloud-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -366,6 +377,18 @@ openproject-deploy:
variables:
COMPONENT: "openproject"
openproject-bootstrap-deploy:
stage: "component-deploy-stage-2"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
when: "always"
variables:
COMPONENT: "openproject-bootstrap"
jitsi-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -413,10 +436,6 @@ run-tests:
extends: ".deploy-common"
environment:
name: "${NAMESPACE}"
tags:
- "docker"
- "kubernetes"
- "${CLUSTER}"
stage: "tests"
rules:
- if: >
@@ -473,10 +492,6 @@ run-souvap-dev-tests:
extends: ".deploy-common"
environment:
name: "${NAMESPACE}"
tags:
- "docker"
- "kubernetes"
- "${CLUSTER}"
stage: "tests"
rules:
- if: >

174
CHANGELOG.md
View File

@@ -1,3 +1,177 @@
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
### Bug Fixes
* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ae65a36a2777d249ba3784bf965da4c790a1b21))
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
### Bug Fixes
* **univention-management-stack:** Update optional UMS preview state ([061e588](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/061e588da90e52b531df0688347675bf4dcb431e))
## [0.5.42](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.41...v0.5.42) (2023-11-20)
### Bug Fixes
* **nextcloud:** Add exporter and serviceMonitor ([feed270](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/feed270fd7949743e8f9974e7f147e89ab623347))
* **nextcloud:** Bump openDesk bootstrap to 3.2.3 to support serverinfo token ([ea14f95](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ea14f953a4a54c01cc0d66db1bdb645ca4a661e5))
## [0.5.41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.40...v0.5.41) (2023-11-16)
### Bug Fixes
* **helmfile:** Split README into docs ([cd0e94f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cd0e94f96fa5b377ab382b6c7738ed279cb2a199))
## [0.5.40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.39...v0.5.40) (2023-11-14)
### Bug Fixes
* **open-xchange:** Bump Dovecot and fix out-of-office replys ([55f6ba2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/55f6ba21dc9eab811ac501bf0e2b78d4ae772194))
## [0.5.39](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.38...v0.5.39) (2023-11-14)
### Bug Fixes
* **univention-management-stack:** Update optional UMS preview state ([e231e57](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e231e5749d3804f888ec23e12b58783856043219))
## [0.5.38](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.37...v0.5.38) (2023-11-13)
### Bug Fixes
* **collabora:** Update image to 23.05.5.4.1 ([c460467](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c460467d7449b107134562b785e95f6280e3473d))
## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)
### Bug Fixes
* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1971dfbded21d16909e889ba6d19ff9cf3e4cb20))
## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)
### Bug Fixes
* **element:** Update Element and Widgets ([97034a5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/97034a556f4cdcc447f61003ad9cd036c186bc3b))
## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)
### Bug Fixes
* **helmfile:** Eliminate some yamllint errors ([1d03a6e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1d03a6e11f368fd81dd10b91b0d9d7fc29c0cb24))
* **helmfile:** Move ldap host variable into helpers ([08811de](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/08811decd92e7fd7802d0eba2644046512ec58a4))
* **helmfile:** Update charts to use proper quoting ([69ea840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/69ea84051721f3aaf36a5dbafdfb37dd86b66dbb))
* **services:** Add minio as service and consume by OpenProject ([baa5827](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/baa5827de3e1e368abf238a932a5849f169af723))
## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)
### Bug Fixes
* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0d8e92fc5a4729ff7649e5a10e629b962a9b671b))
## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)
### Bug Fixes
* **cryptpad:** Update security context ([89ae1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/89ae1d94ea4c4e8a15a395a80847a7f235365747))
## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)
### Bug Fixes
* **collabora:** Resource definitions ([65ce9a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65ce9a171b7c8ebc453fb6bbe96743c8516da2c6))
## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)
### Bug Fixes
* **univention-management-stack:** Update optional UMS preview state ([d0a0799](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d0a07997c12ddb9731a0dfed0d6fa71d9a3790e7))
## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)
### Bug Fixes
* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ad043406bef7bb10d561ef1418b58cbd8714d43))
* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/385d81b9a9e1ec319706493c51629c8e48822aa7))
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
### Bug Fixes
* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
### Bug Fixes
* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
### Bug Fixes
* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
### Bug Fixes
* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
### Bug Fixes
* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
### Bug Fixes
* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
### Bug Fixes
* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
### Bug Fixes
* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
### Bug Fixes
* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)

28
COMPONENTS-FUNCTIONAL.md
View File

@@ -1,28 +0,0 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
**Content / Quick navigation**
[[_TOC_]]
# Functional Components
Functional components are the core of the SWP as they provide it's rich functionaly. We use the community versions of the named products. For production environments please use enterprise versions for support and scalabiliy reasons.
## Groupware - Open-Xchange AppSuite
## WebOffice - Collabora Development Edition
## File & Share - Nextcloud
## Kollaboration - Element
## Videokonferenzen - Jitsi
## Knowledge Management - XWiki
## Project Management - OpenProject
## Portal & IAM - Univention Corporate Services

3
COMPONENTS-SERVICE.md
View File

@@ -60,3 +60,6 @@ This service is used by
- Open-Xchange
## Objectstore - MinIO
This services is used by:
- OpenProject (attachment storage)

618
README.md
View File

@@ -2,577 +2,105 @@
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
**Content / Quick navigation**
[[_TOC_]]
![logo](./helmfile/environments/default/theme/logo_portal_background.svg)
# Disclaimer August 2023
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
The current state of the Sovereign Workplace contains components that are going to be
replaced. Like for example the UCS dev container monolith will be substituted by
multiple Univention Management Stack containers.
It features:
- Fully integrated Identity Management (Univention, Keycloak)
- File storage (Nextcloud)
- Weboffice (Collabora)
- Videoconference (Jitsi)
- Encrypted Chat (Synapse, Element)
- Groupware (OX Appsuite)
- Wiki (XWiki)
- Notes and Diagrams (Cryptpad, Draw.io)
In the next months we not only expect upstream updates of the functional
components within their feature scope, but we are also going to address
operational issues like monitoring and network policies.
openDesk integrates these components and is working towards a seamless user experience.
While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
align the applications with the best practises regarding container design and operations.
This documentation aims to give you all that is needed to set up your own instance of the openDesk.
Basic knowledge of Kubernetes and Devops is required though.
<!-- TOC -->
* [Active development notice](#active-development-notice)
* [Feedback](#feedback)
* [Requirements](#requirements)
* [Getting started](#getting-started)
* [Advanced customization](#advanced-customization)
* [Releases](#releases)
* [Components](#components)
* [License](#license)
* [Copyright](#copyright)
<!-- TOC -->
# Active development notice
openDesk will face breaking changes in the near future without upgrade paths before
[technical release](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases
v1.0.0 is reached.
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
at the moment always installing from scratch.
Components that are going to be replaced soon are:
- the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
are also going to address operational issues like monitoring and network policies.
Of course, further development also includes enhancing the documentation.
The first release of the Sovereign Workplace is scheduled for December 2023.
Before that release there will be breaking changes in the deployment.
# Feedback
# The Sovereign Workplace (SWP)
The Sovereign Workplace's runtime environment is [Kubernetes](https://kubernetes.io/), or "K8s" in
short.
While not all components are still perfectly shaped for the execution inside
containers, one of the projects objectives is it to align the applications
with the best practises regarding container design and operations.
This documentation aims to give you all that is needed to set up your own
instance of the Sovereign Workplace. Basic knowledge of Kubernetes and Devops is
required though.
To have an overview of what can be found at Open CoDE and the basic components
of the Sovereign Workplace, please check out the
[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
We love to get feedback from you! Related to the deployment / contents of this
repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
We love to get feedback from you!
Related to the deployment / contents of this repository,
please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
If you want to address other topics, please check the section
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
# Requirements
⟶ Visit our detailed [Requirements](docs/requirements.md) overview.
# Getting started
⟶ Visit our detailed [Getting started](docs/getting-started.md) guide.
# Advanced customization
- [External services](docs/external-services.md)
- [Security](docs/security.md)
- [Scaling](docs/scaling.md)
- [Monitoring](docs/monitoring.md)
- [Theming](docs/theming.md)
# Releases
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
Gitlab provides an
[overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases)
of this project.
The following release artefacts are provided beside the default source code assets:
- `chart-index.json`: An overview of all Helm charts used by the release.
- `image-index.json`: An overview of all container images used by the release.
# Deployment
**Note for project members:** You can use the project's `dev` K8s cluster to set
up your own instance for development purposes. Please see the project
`sovereign-workplace-env` on the internal Gitlab for more details.
# Components
## Prerequisites
⟶ Visit our detailed [Component](docs/getting-started.md) docs.
### Mandatory technical prerequisites
These are the requirements of the Sovereign Workplace deployment:
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
- Domain and DNS Service
- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
- [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
- Volume provisioner supporting RWO (read-write-once)
- Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
#### TLS Certificate
The setup will create a `cert-manager.io` Certificate resource.
You can set the ClusterIssuer via `certificate.issuerRef.name`
### Required input variables
You need to expose following environment variables in order to run the
installation.
| name | default | description |
|---------------------|-----------------------|---------------------------------------------------|
| `DOMAIN` | `souvap.cloud` | External reachable domain |
| `ISTIO_DOMAIN` | `istio.souvap.cloud` | External reachable domain for Istio Gateway |
| `MASTER_PASSWORD` | `sovereign-workplace` | The password that seeds the autogenerated secrets |
Please ensure that you set the DNS records pointing to the loadbalancer/IP for
`DOMAIN` and `ISTIO_DOMAIN`.
If you want inbound email you need to set the MX records that points to the
public IP address of the Postfix-pods.
More details on DNS options including SPF/DKIM and autodiscovery options
are to come...
### Optional or feature based prerequisites
All of these requirements are optional as long as you do not want to use the
related feature.
| Feature | Component(s) | Requirement |
|------------------------------|----------------|-----------------------------|
| Component Scalability | Various[^1] | Read-Write-Many Provisioner |
| Sending outbound emails | Various | SMTP relay/gateway |
| S/MIME Support | OX AppSuite8 | PKI / CI |
| Improved videoconferencing | Jitsi | STUN/TURN server |
## CI based deployment
The project includes a `.gitlab-ci.yml` that allows you to execute the
deployment from a Gitlab instance of your choice.
Please ensure to provide the environment variables listed at
[Required input variables](#required-input-variables).
When starting the pipeline through the Gitlab UI you will be queried for some
of the variables plus the following ones:
- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
Based on your input the following variables will be set:
- `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
- `ISTIO_DOMAIN` = istio.`DOMAIN`
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supercede the default.
You might want to set credential variables in the Gitlab project at
`Settings` > `CI/CD` > `Variables`.
## Local deployment
Please ensure to provide the environment variables listed at
[Required input variables](#required-input-variables).
Also, please read [Helmfile](#helmfile) a little below in case of a non default
configuration.
Then go with
```shell
helmfile apply -n <NAMESPACE>
```
and wait a little. After the deployment is finished some bootstrapping is
executed which might take some more minutes before you can log in your new
instance.
Deployments can be removed with:
```shell
helmfile destroy -n <NAMESPACE>
```
## Offline deployment
Before executing a [local deployment](#local-deployment), you can set following
environment variables to use your own container image and helm chart registry:
| name | description |
|------------------------------|--------------------------------|
| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
| PRIVATE_IMAGE_REGISTRY_URL | Your image registry url |
## Logging in
When successfully deployed the SWP, all K8s jobs from the deployment should be
in the status `Succeeded` and all pods should be `Running`.
You should see the portal's login page at `https://portal.<DOMAIN>`.
Off the shelf you get two accounts with passwords you can look up in the
`univention-corporate-container-*` pod environment. You can use a shell on that
container or a `kubectl describe`-command to get the credentials.
| Username / Login | Password environment variable |
|--------------------|--------------------------------|
| default.user | DEFAULT_ACCOUNT_USER_PASSWORD |
| default.admin | DEFAULT_ACCOUNT_ADMIN_PASSWORD |
If you do not see any tiles in the portal after the login you may want to wait a
couple of minutes, as on the initial start some bootstrapping and cache building
is done. This blocks the portal entries from showing up.
# Helmfile
## Custom Configuration
### Deployment selection
By default, all components are deployed. The components of type `Eval` are used
for development and evaluation purposes only - they need to be replaced in
production deployments. These components are grouped together in the
subdirectory `/helmfile/apps/services`.
| Component | Name | Default | Description | Type |
|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
| Certificates | `certificates.enabled` | `true` | TLS certificates | Eval |
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | Eval |
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | Eval |
| Collabora | `collabora.enabled` | `true` | Weboffice | Functional |
| Dovecot | `dovecot.enabled` | `true` | Mail backend | Functional |
| Element | `element.enabled` | `true` | Secure communications platform | Functional |
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | Functional |
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
| Provisioning | `oxConnector.enabled` | `true` | Backend provisioning | Functional |
| Postfix | `postfix.enabled` | `true` | MTA | Eval |
| PostgreSQL | `postgresql.enabled` | `true` | Database | Eval |
| Redis | `redis.enabled` | `true` | Cache Database | Eval |
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | Functional |
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal | Eval |
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | Functional |
#### Cluster capabilities
| Capability | Default | Options | Notes |
|-------------------------------------|-----------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `cluster.service.type` | `LoadBalancer` | `ClusterIP`, `NodePort`, `LoadBalancer` | External access to TCP/UDP services. [Additional Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) |
| `cluster.persistence.readWriteMany` | `false` | `true`, `false` | Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...). |
| `cluster.networking.domain` | `cluster.local` | | Kubernetes cluster domain. |
| `cluster.networking.cidr` | `10.0.0.0/8` | | Kubernetes internal network |
#### Databases
When deploying this suite to production, you need to configure the applications to use your production grade database
service.
| Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
| Element | Synapse | PostgreSQL | | | |
| | | | Name | `databases.synapse.name` | `matrix` |
| | | | Host | `databases.synapse.host` | `postgresql` |
| | | | Port | `databases.synapse.port` | `5432` |
| | | | Username | `databases.synapse.username` | `matrix_user` |
| | | | Password | `databases.synapse.password` | |
| Keycloak | Keycloak | PostgreSQL | | | |
| | | | Name | `databases.keycloak.name` | `keycloak` |
| | | | Host | `databases.keycloak.host` | `postgresql` |
| | | | Port | `databases.keycloak.port` | `5432` |
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
| | | | Password | `databases.keycloak.password` | |
| | Keycloak Extension | PostgreSQL | | | |
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
| | | | Port | `databases.keycloakExtension.port` | `5432` |
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
| | | | Password | `databases.keycloakExtension.password` | |
| Nextcloud | Nextcloud | MariaDB | | | |
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
| | | | Host | `databases.nextcloud.host` | `mariadb` |
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
| | | | Password | `databases.nextcloud.password` | |
| OpenProject | Keycloak | PostgreSQL | | | |
| | | | Name | `databases.openproject.name` | `openproject` |
| | | | Host | `databases.openproject.host` | `postgresql` |
| | | | Port | `databases.openproject.port` | `5432` |
| | | | Username | `databases.openproject.username` | `openproject_user` |
| | | | Password | `databases.openproject.password` | |
| OX Appsuite | OX Appsuite | MariaDB | | | |
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
| | | | Username | `databases.oxAppsuite.username` | `root` |
| | | | Password | `databases.oxAppsuite.password` | |
| XWiki | XWiki | MariaDB | | | |
| | | | Name | `databases.xwiki.name` | `xwiki` |
| | | | Host | `databases.xwiki.host` | `mariadb` |
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
#### Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
service.
| Component | Name | Type | Parameter | Key | Default |
|------------------|------------------|-----------|-----------|------------------------------|------------------|
| Intercom Service | Intercom Service | Redis | | | |
| | | | Host | `cache.intercomService.host` | `redis-headless` |
| | | | Port | `cache.intercomService.port` | `6379` |
| Nextcloud | Nextcloud | Redis | | | |
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
| | | | Port | `cache.nextcloud.port` | `6379` |
| OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` |
### Scaling
The Replicas of components can be increased, while we still have to look in the
actual scalability of the components (see column `Scaling (verified)`).
| Component | Name | Scaling (effective) | Scaling (verified) |
|-------------|------------------------|:-------------------:|:------------------:|
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
| | `replicas.freshclam` | :x: | :x: |
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
| Dovecot | `replicas.dovecot` | :x: | :gear: |
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
| | `replicas.synapse` | :x: | :gear: |
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
| | `replicas.jicofo` | :white_check_mark: | :gear: |
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
| | `replicas.jvb ` | :x: | :x: |
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
| Postfix | `replicas.postfix` | :x: | :gear: |
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
### Mail/SMTP configuration
To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
the whole subdomain.
```yaml
smtp:
host: # your SMTP host or IP-address
username: # username/email for authentication
password: # password for authentication, or via environment variable SMTP_PASSWORD
```
### TURN configuration
Some components (Jitsi, Element) use for direct communication a TURN server.
You can configure your own TURN server with these options:
```yaml
turn:
transport: # "udp" or "tcp"
credentials: # turn credential string
server: # configuration for unsecure connections
host: # your TURN host or IP-address
port: # server port
tls: # configuration for secure connections
host: # your TURN host or IP-address
port: # server port
```
## Security
This section summarizes various aspects of security and compliance aspects.
### Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
### Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
`pubkey.gpg` file and are validated during helmfile installation.
| Repository | OCI | Verifiable |
|--------------------------------------|:---:|:------------------:|
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
| clamav-repo | yes | :white_check_mark: |
| collabora-online-repo | no | :x: |
| intercom-service-repo | yes | :white_check_mark: |
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: |
| keycloak-theme-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: |
| opendesk-certificates-repo | yes | :white_check_mark: |
| opendesk-dovecot-repo | yes | :white_check_mark: |
| opendesk-element-repo | yes | :white_check_mark: |
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | no | :x: |
| openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: |
| univention-corporate-container-repo | yes | :white_check_mark: |
| ums-repo | no | :x: |
| xwiki-repo | no | :x: |
# Component integration
## Functional use cases
### Overview
Some use cases require inter component integration.
```mermaid
flowchart TD
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
IntercomService-->|SilentLogin, TokenExchange|Keycloak
IntercomService-->|Filepicker|Nextcloud
IntercomService-->|CentralNavigation|Portal
OXAppSuiteBackend-->|Filepicker|Nextcloud
Nextcloud-->|CentralNavigation|Portal
OpenProject-->|CentralNavigation|Portal
XWiki-->|CentralNavigation|Portal
Nextcloud-->|CentralContacts|OXAppSuiteBackend
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
```
#### Intercom Service (ICS)
The UCS Intercom Service's role is to enable cross application integration based
on browser interaction. Handling authentication when the frontend of an
application is using the API from another application is often a challenge.
For more details on the ICS please refer to its own [README.md](./helmfile/apps/intercom-service/README.md).
In order to establish a session with the Intercom Service, the application that
wants to use the ICS must initiate a silent login.
Currently only OX AppSuite is using the frontend based integration, and
therefore it is right now the only consumer of the ICS API.
### Filepicker
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to
add attachments or links to files from and saving attachments to Nextcloud.
The filepicker is using frontend and backend based integration. Frontend based
integration means that OX AppSuite in the browser is communicating with ICS.
While using backend based integration, OX AppSuite middleware is communicating
with Nextcloud, which is especially used when adding a file to an email or
storing a file into Nextcloud.
### Central Navigation
Central navigation is based on an API endpoint in the portal that provides the
contents of the portal for a user in order to allow components to render the
menu showing all available SWP applications for the user.
### (Read & write) Central contacts
Open-Xchange App Suite is used to manage contacts within the Sovereign
Workplace. There is an API in the AppSuite that is being used by
Nextcloud to lookup contacts as well as to create contacts. This is maybe done
when a file is shared with a not yet available personal contact.
# Identity data flows
An overview of
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
Some components trust others to handle authentication for them.
```mermaid
flowchart TD
K[Keycloak]-->L[LDAP]
N[Nextcloud]-->L
A[OX AppSuite]-->L
D[OX Dovecot]-->L
P[Portal/Admin]-->L
O[OpenProject]-->L
X[XWiki]-->|in 2023|L
A-->K
N-->K
D-->K
O-->K
X-->K
P-->|SAML|K
E[Element]-->K
J[Jitsi]-->K
I[IntercomService]-->K
C[Collabora]-->N
F[Postfix]-->D
```
# Provisioning
Currently active provisioning is only done for OX AppSuite. The OX-Connector
synchronizes creates, modifies and deletes activities for the following objects
to the OX AppSuite using the AppSuite's SOAP API:
- Contexts
- Users
- Groups
- Functional Mailboxes
- Resources
# Component specific documentation
We want to provide more information per component in separate, component
specific `README.md` files. In order to establish a common view on the
components we are going to cover various aspects:
- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
- **Resources**: Will contain a link to the components upstream documentation, the helm chart and image locations.
- **Operational Capabilities**
- **Install**: The components installs within the SWP.
- **Restart**: Deleting and restarting pods works seamlessly.
- **Update**: Redeploying the component with a different configuration works as expected. The component makes use of the updates configuration afterwards.
- **Upgrade**: Component allows to upgrade existing deployments with more current versions of itself.
- **Secrets**: The component uses K8s secrets.
- **Logging**: Only logging to STDOUT, no logs inside the container.
- **Monitoring**: Application provides based on kube-prometheus-stack CRD: ServiceMonitor and PrometheusRule. Optional: Grafana Dashboard.
- **Scale**: If supported (as we use community products) the component should be manually scalable. Optional: Autoscaling.
- **Network policies**: Deny by default, allow application related traffic.
- **Uninstall**: Documented and working complete uninstallation of the component.
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
## Links to component README.mds
- [Intercom-Service](./helmfile/apps/intercom-service/README.md)
## Tests
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The `DEPLOY_`-variables are used to determine which components should be tested.
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
`<domain of gitlab>/api/v4/projects/<id>`.
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
`TESTS_BRANCH` while creating a new pipeline.
# License
This project uses the following license: Apache-2.0
# Copyright
Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# Footnotes
[^1] Required for scaling components Nextcloud, Dovecot and ClamAV Distributed.

43
docs/ci.md Normal file
View File

@@ -0,0 +1,43 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>CI/CD</h1>
This page will cover openDesk automation via Gitlab CI.
<!-- TOC -->
* [Deployment](#deployment)
* [Tests](#tests)
<!-- TOC -->
## Deployment
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
- `DOMAIN` = The domain to deploy to.
- `ISTIO_DOMAIN` = istio.`DOMAIN`
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
Based on your input, the following variables will be set:
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
## Tests
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The `DEPLOY_`-variables are used to determine which components should be tested.
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
`<domain of gitlab>/api/v4/projects/<id>`.
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
`TESTS_BRANCH` while creating a new pipeline.

178
docs/components.md Normal file
View File

@@ -0,0 +1,178 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Components</h1>
This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC -->
* [Overview](#overview)
* [Component integration](#component-integration)
* [Intercom Service (ICS)](#intercom-service-ics)
* [Filepicker](#filepicker)
* [Central Navigation](#central-navigation)
* [(Read & write) Central contacts](#read--write-central-contacts)
* [OpenProject Filestore](#openproject-filestore)
* [Identity data flows](#identity-data-flows)
* [Provisioning](#provisioning)
* [Component specific documentation](#component-specific-documentation)
* [Links to component docs](#links-to-component-docs)
<!-- TOC -->
## Overview
openDesk consists out of a variety of open-source projects. Here is a list with the description and type.
Components of type `Eval` are used for development and evaluation purposes only,
they need to be replaced in production deployments.
| Component | Description | Type |
|-----------------------------|--------------------------------|------------|
| Certificates | TLS certificates | Eval |
| ClamAV (Distributed) | Antivirus engine | Eval |
| ClamAV (Simple) | Antivirus engine | Eval |
| Collabora | Weboffice | Functional |
| CryptPad | Weboffice | Functional |
| Dovecot | Mail backend | Functional |
| Element | Secure communications platform | Functional |
| Intercom Service | Cross service data exchange | Functional |
| Jitsi | Videoconferencing | Functional |
| Keycloak | Identity Provider | Functional |
| MariaDB | Database | Eval |
| Memcached | Cache Database | Eval |
| MinIO | Object Storage | Eval |
| Nextcloud | File share | Functional |
| OpenProject | Project management | Functional |
| OX Appsuite | Groupware | Functional |
| Provisioning | Backend provisioning | Functional |
| Postfix | MTA | Eval |
| PostgreSQL | Database | Eval |
| Redis | Cache Database | Eval |
| Univention Corporate Server | Identity Management & Portal | Functional |
| Univention Management Stack | Identity Management & Portal | Eval |
| XWiki | Knowledgebase | Functional |
## Component integration
Some use cases require inter component integration.
```mermaid
flowchart TD
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
IntercomService-->|SilentLogin, TokenExchange|Keycloak
IntercomService-->|Filepicker|Nextcloud
IntercomService-->|CentralNavigation|Portal
OXAppSuiteBackend-->|Filepicker|Nextcloud
Nextcloud-->|CentralNavigation|Portal
OpenProject-->|CentralNavigation|Portal
XWiki-->|CentralNavigation|Portal
Nextcloud-->|CentralContacts|OXAppSuiteBackend
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
```
### Intercom Service (ICS)
The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
Handling authentication when the frontend of an application is using the API from another application is often a
challenge.
For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
To establish a session with the Intercom Service, the application that wants to use the ICS must initiate a silent
login.
Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
the ICS API.
### Filepicker
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
and saving attachments to Nextcloud.
The filepicker is using frontend and backend based integration.
Frontend-based integration means that OX AppSuite in the browser is communicating with ICS.
While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
when adding a file to an email or storing a file into Nextcloud.
### Central Navigation
Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
allow components to render the menu showing all available SWP applications for the user.
### (Read & write) Central contacts
Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
available personal contact.
### OpenProject Filestore
By default, Nextcloud is a configured option for storing attachments in OpenProject.
The Filestore can be enabled on a per-project level in OpenProject's project admin section.
## Identity data flows
An overview of
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
Some components trust others to handle authentication for them.
```mermaid
flowchart TD
K[Keycloak]-->L[LDAP]
N[Nextcloud]-->L
O[OpenProject] --> L
A[OX AppSuite]-->L
D[OX Dovecot]-->L
P[Portal/Admin]-->L
X[XWiki]-->|in 2023|L
A-->K
N-->K
D-->K
O-->K
X-->K
P-->|SAML|K
E[Element]-->K
J[Jitsi]-->K
I[IntercomService]-->K
C[Collabora]-->N
R[CryptPad]-->N
F[Postfix]-->D
```
## Provisioning
Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and
deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
- Contexts
- Users
- Groups
- Functional Mailboxes
- Resources
## Component specific documentation
We want to provide more information per component in separate, component-specific markdown file.
To establish a common view on the components, we are going to cover various aspects:
- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
- **Resources**: Will contain a link to the component upstream documentation, the helm chart and image locations.
- **Operational Capabilities**
- **Install**: The components install within the SWP.
- **Restart**: Deleting and restarting pods works seamlessly.
- **Update**: Redeploying the component with a different configuration works as expected. The component makes use of the updates configuration afterwards.
- **Upgrade**: Component allows upgrading existing deployments with more current versions of itself.
- **Secrets**: The component uses K8s secrets.
- **Logging**: Only logging to STDOUT, no logs inside the container.
- **Monitoring**: Application provides based on kube-prometheus-stack CRD: ServiceMonitor and PrometheusRule. Optional: Grafana Dashboard.
- **Scale**: If supported (as we use community products) the component should be manually scalable. Optional: Autoscaling.
- **Network policies**: Deny by default, allow application related traffic.
- **Uninstall**: Documented and working complete uninstallation of the component.
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
## Links to component docs
- [Intercom-Service](./components/intercom-service.md)

0
helmfile/apps/intercom-service/README.md → docs/components/intercom-service.md
View File

77
docs/external-services.md Normal file
View File

@@ -0,0 +1,77 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>External services</h1>
This document will cover the additional configuration to use external services like databases, caches or buckets.
<!-- TOC -->
* [Database](#database)
* [Cache](#cache)
<!-- TOC -->
## Database
When deploying this suite to production, you need to configure the applications to use your production grade database
service.
| Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
| Element | Synapse | PostgreSQL | | | |
| | | | Name | `databases.synapse.name` | `matrix` |
| | | | Host | `databases.synapse.host` | `postgresql` |
| | | | Port | `databases.synapse.port` | `5432` |
| | | | Username | `databases.synapse.username` | `matrix_user` |
| | | | Password | `databases.synapse.password` | |
| Keycloak | Keycloak | PostgreSQL | | | |
| | | | Name | `databases.keycloak.name` | `keycloak` |
| | | | Host | `databases.keycloak.host` | `postgresql` |
| | | | Port | `databases.keycloak.port` | `5432` |
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
| | | | Password | `databases.keycloak.password` | |
| | Keycloak Extension | PostgreSQL | | | |
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
| | | | Port | `databases.keycloakExtension.port` | `5432` |
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
| | | | Password | `databases.keycloakExtension.password` | |
| Nextcloud | Nextcloud | MariaDB | | | |
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
| | | | Host | `databases.nextcloud.host` | `mariadb` |
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
| | | | Password | `databases.nextcloud.password` | |
| OpenProject | OpenProject | PostgreSQL | | | |
| | | | Name | `databases.openproject.name` | `openproject` |
| | | | Host | `databases.openproject.host` | `postgresql` |
| | | | Port | `databases.openproject.port` | `5432` |
| | | | Username | `databases.openproject.username` | `openproject_user` |
| | | | Password | `databases.openproject.password` | |
| OX Appsuite | OX Appsuite | MariaDB | | | |
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
| | | | Username | `databases.oxAppsuite.username` | `root` |
| | | | Password | `databases.oxAppsuite.password` | |
| XWiki | XWiki | MariaDB | | | |
| | | | Name | `databases.xwiki.name` | `xwiki` |
| | | | Host | `databases.xwiki.host` | `mariadb` |
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
## Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
service.
| Component | Name | Type | Parameter | Key | Default |
|------------------|------------------|-----------|-----------|------------------------------|------------------|
| Intercom Service | Intercom Service | Redis | | | |
| | | | Host | `cache.intercomService.host` | `redis-headless` |
| | | | Port | `cache.intercomService.port` | `6379` |
| Nextcloud | Nextcloud | Redis | | | |
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
| | | | Port | `cache.nextcloud.port` | `6379` |
| OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` |

412
docs/getting-started.md Normal file
View File

@@ -0,0 +1,412 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Getting stated</h1>
This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
<!-- TOC -->
* [Requirements](#requirements)
* [Customize environment](#customize-environment)
* [Domain](#domain)
* [Apps](#apps)
* [Private OCI registry](#private-oci-registry)
* [Private Helm registry](#private-helm-registry)
* [Cluster capabilities](#cluster-capabilities)
* [Service](#service)
* [Networking](#networking)
* [Ingress](#ingress)
* [Container runtime](#container-runtime)
* [Volumes](#volumes)
* [Connectivity](#connectivity)
* [Mail/SMTP configuration](#mailsmtp-configuration)
* [TURN configuration](#turn-configuration)
* [Certificate issuer](#certificate-issuer)
* [Password seed](#password-seed)
* [Install](#install)
* [Install single app](#install-single-app)
* [Install single release/chart](#install-single-releasechart)
* [Access deployment](#access-deployment)
* [Uninstall](#uninstall)
<!-- TOC -->
Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to
deploy openDesk onto your kubernetes infrastructure.
## Requirements
Detailed system requirements are covered on [requirements](requirements.md) page.
## Customize environment
Before deploying openDesk, you have to configure the deployment to suit your environment.
To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment
files.
> All configuration options and their default values can be found in files at `helmfile/environments/default/`
For the following guide, we will use `dev` as environment, where variables can be set in
`helmfile/environments/dev/values.yaml`.
### Domain
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
All subdomains can be customized. For example, _Nextcloud_ can be changed to `files.domain.tld` in `dev` environment:
```yaml
global:
hosts:
nextcloud: "files"
```
The domain have to be set either via `dev` environment
```yaml
global:
domain: "my.open.desk"
istio:
domain: "istio.my.open.desk"
```
or via environment variable
```shell
export DOMAIN=my.open.desk
export ISTIO_DOMAIN=istio.my.open.desk
```
When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
```yaml
istio:
enabled: false
oxAppsuite:
enabled: false
```
### Apps
All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
| Component | Name | Default | Description |
|-----------------------------|-------------------------------------|---------|--------------------------------|
| Certificates | `certificates.enabled` | `true` | TLS certificates |
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine |
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine |
| Collabora | `collabora.enabled` | `true` | Weboffice |
| CryptPad | `cryptpad.enabled` | `true` | Weboffice |
| Dovecot | `dovecot.enabled` | `true` | Mail backend |
| Element | `element.enabled` | `true` | Secure communications platform |
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange |
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider |
| MariaDB | `mariadb.enabled` | `true` | Database |
| Memcached | `memcached.enabled` | `true` | Cache Database |
| MinIO | `minio.enabled` | `true` | Object Storage |
| Nextcloud | `nextcloud.enabled` | `true` | File share |
| OpenProject | `openproject.enabled` | `true` | Project management |
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware |
| Provisioning | `oxConnector.enabled` | `true` | Backend provisioning |
| Postfix | `postfix.enabled` | `true` | MTA |
| PostgreSQL | `postgresql.enabled` | `true` | Database |
| Redis | `redis.enabled` | `true` | Cache Database |
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal |
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal |
| XWiki | `xwiki.enabled` | `true` | Knowledgebase |
Exemplary, Jitsi can be disabled like:
```yaml
jitsi:
enabled: false
```
### Private OCI registry
By default, all OCI artifacts are proxied via the project's container registry, which should get replaced soon by the
OCI registries provided by Open CoDE.
You also can set your own registry by:
```yaml
global:
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
```
or via environments variable:
```shell
export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
```
If authentication is required, you can reference imagePullSecrets as following:
```yaml
global:
imagePullSecrets:
- "external-registry"
```
### Private Helm registry
Some apps use Chart Museum style helm registries. You can use your own registry by setting this environment variable:
```shell
export PRIVATE_CHART_REPOSITORY_URL=charts.open.desk
```
### Cluster capabilities
#### Service
Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections.
These apps create a Kubernetes service object.
You can configure, whether `NodePort` (for on-premise), `LoadBalancer` (for cloud) or `ClusterIP` (to disable) should be
used:
```yaml
cluster:
service:
type: "NodePort"
```
#### Networking
If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via:
```yaml
cluster:
networking:
domain: "acme.internal"
```
If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via:
```yaml
cluster:
networking:
cidr: "127.0.0.0/8"
```
#### Ingress
By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
setting:
```yaml
ingress:
ingressClassName: "cilium"
```
#### Container runtime
Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`,
`containerd` or `docker` by:
```yaml
cluster:
container:
engine: "containerd"
```
#### Volumes
When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By
default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
```yaml
cluster:
persistence:
readWriteMany: true
```
The **StorageClass** can be set by:
```yaml
persistence:
storageClassNames:
RWX: "my-read-write-many-class"
RWO: "my-read-write-once-class"
```
### Connectivity
#### Mail/SMTP configuration
To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from
the whole subdomain.
```yaml
smtp:
host: "mail.open.desk"
username: "openDesk"
password: "secret"
```
#### TURN configuration
Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
these options:
```yaml
turn:
transport: "udp" # or tcp
credentials: "secret"
server:
host: "turn.open.desk"
port: "3478"
tls:
host: "turns.open.desk"
port: "5349"
```
#### Certificate issuer
As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS
secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can
disable `Certificate` resource creation by:
```yaml
certificates:
enabled: false
```
If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the
configured cluster issuer:
```yaml
certificate:
issuerRef:
name: "letsencrypt-prod"
```
Additionally, it is possible to request wildcard certificates by:
```yaml
certificate:
wildcard: true
```
### Password seed
All secrets are generated from a single master password via Master Password (algorithm).
To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
```shell
export MASTER_PASSWORD="openDesk"
```
## Install
After setting your environment specific values in `dev` environment, you can start deployment by:
```shell
helmfile apply -e dev -n <NAMESPACE> [-l <label>] [--suppress-diff]
```
**Arguments:**
- `-e <env>`: Environment name out of `default`, `dev`, `test`, `prod`
- `-n <namespace>`: Kubernetes namespace
- `-l <label>`: Label selector
- `--suppress-diff`: Disable diff printing
### Install single app
You can also install or upgrade only a single app like Collabora, either by label selector:
```shell
helmfile apply -e dev -n <NAMESPACE> -l component=collabora
```
or by switching into the apps' directory (faster):
```shell
cd helmfile/apps/collabora
helmfile apply -e dev -n <NAMESPACE>
```
### Install single release/chart
Instead of iteration through all services, you can also deploy a single release like mariadb by:
```shell
helmfile apply -e dev -n <NAMESPACE> -l name=mariadb
```
## Access deployment
When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to
```text
https://portal.domain.tld
```
If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal`
by your specified subdomain.
**Credentials:**
```shell
# Replace with your namespace
NAMESPACE=your-namespace
# Get UCS container, which contains passwords as env var.
CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}')
# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container
#
# NAME READY STATUS RESTARTS AGE
# univention-corporate-container-8665c6f8b7-nlhc6 1/1 Running 0 10m
# Password of `default.user`
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
# 40615..............................e9e2f
# Password of `default.admin`
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
# bdbbb..............................04db6
```
Now you can log in with obtained credentials:
| Username | Password | Description |
|-----------------|--------------------------------------------|------------------|
| `default.user` | `40615..............................e9e2f` | Application user |
| `default.admin` | `bdbbb..............................04db6` | Administrator |
## Uninstall
You can uninstall the deployment by:
```shell
helmfile destroy -n <NAMESPACE>
```
> **Note**
> Not all Jobs, PersistentVolumeClaims or Certificates are deleted; you have to delete them manually
**'Sledgehammer destroy'** - for fast development turn-around times (at your own risk):
```shell
NAMESPACE=your-namespace
# Uninstall all Helm charts
for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
done
# Delete leftover resources
kubectl delete pvc --all --namespace ${NAMESPACE};
kubectl delete jobs --all --namespace ${NAMESPACE};
```
> **Warning**
> Without specifying or empty `--namespace` flag, cluster-wide components get deleted!

71
docs/monitoring.md Normal file
View File

@@ -0,0 +1,71 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Monitoring</h1>
This document will cover how you can enable observability with Prometheus based monitoring and Grafana dashboards, as
well as the overall status of monitoring integration.
<!-- TOC -->
* [Technology](#technology)
* [Defaults](#defaults)
* [Metrics](#metrics)
* [Alerts](#alerts)
* [Dashboards for Grafana](#dashboards-for-grafana)
* [Components](#components)
<!-- TOC -->
## Technology
We provide integration into the Prometheus based monitoring.
Together with
[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) you
easily leverage the full potential of open-source cloud-native observability stack.
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
repository or prometheus operator.
## Defaults
All configurable options and their defaults can be found in
[`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml).
## Metrics
To deploy podMonitor and serviceMonitor custom resources, enable it by:
```yaml
prometheus:
serviceMonitors:
enabled: true
podMonitors:
enabled: true
```
## Alerts
Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
```yaml
prometheus:
prometheusRules:
enabled: true
```
## Dashboards for Grafana
To deploy optional ConfigMaps with Grafana dashboards, enable it by:
```yaml
grafana:
dashboards:
enabled: true
```
## Components
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|:----------|-----------------------------------|-------------------------|---------------------|
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| Nextcloud | :white_check_mark: | :x: | :x: |

105
docs/requirements.md Normal file
View File

@@ -0,0 +1,105 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Requirements</h1>
This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC -->
* [TL;DR;](#tldr)
* [Hardware](#hardware)
* [Kubernetes](#kubernetes)
* [Ingress controller](#ingress-controller)
* [Volume provisioner](#volume-provisioner)
* [Certificate management](#certificate-management)
* [External services](#external-services)
* [Deployment](#deployment)
<!-- TOC -->
## TL;DR;
openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
- Domain and DNS Service
- Ingress controller (supported are nginx-ingress, HAProxy)
- [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
- Volume provisioner supporting RWO (read-write-once)
- Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
## Hardware
The following minimal requirements are thought for initial evaluation deployment:
| Spec | Value |
|------|------------------------------------------------------|
| CPU | 8 Cores of x64 or x86 CPU (ARM is not supported yet) |
| RAM | 16 GB, recommended 32 GB |
| Disk | HDD or SSD, >10 GB |
## Kubernetes
Any self-hosted or managed K8s cluster >= 1.24 listed in
[CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported.
The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/kubespray) based clusters.
> **Note:** The deployment is not tested against OpenShift.
## Ingress controller
The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
configured ingress controller deployed.
**Maintained controllers:**
- [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
**Community Supported:**
- [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
## Volume provisioner
Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
provisioner is sufficient.
> **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling.
## Certificate management
This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**,
but a secret containing a valid TLS certificate is required.
Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or
openDesk certificate management disabled.
## External services
Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
| Group | Type | Version | Tested against |
|----------|---------------------|---------|-----------------------|
| Cache | Memached | `1.6.x` | Memached |
| | Redis | `7.x.x` | Redis |
| Database | MariaDB | `10.x` | MariaDB |
| | PostgreSQL | `15.x` | PostgreSQL |
| Mail | Mail Transfer Agent | | Postfix |
| | PKI/CI (SMIME) | | |
| Security | AntiVirus/ICAP | | ClamAV |
| Storage | K8s ReadWriteOnce | | Ceph / Cloud specific |
| | K8s ReadWriteMany | | Ceph / NFS |
| | Object Storage | | MinIO |
| Voice | TURN | | Coturn |
## Deployment
The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and
templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience.
Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare desired against deployed state.

52
docs/scaling.md Normal file
View File

@@ -0,0 +1,52 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Scaling</h1>
This document should cover the abilities to scale apps.
<!-- TOC -->
* [Replicas](#replicas)
<!-- TOC -->
## Replicas
The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
apps with a check-mark in `Scaling (effective)` column.
Verified positive effects are marke with a check-mark in `Scaling (verified)` column, apps which are not yet tested are
marked with a gear.
| Component | Name | Scaling (effective) | Scaling (verified) |
|-------------|------------------------------------------|:-------------------:|:------------------:|
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
| | `replicas.freshclam` | :x: | :x: |
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: |
| Dovecot | `replicas.dovecot` | :x: | :gear: |
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
| | `replicas.matrixNeoBoardWidget` | :white_check_mark: | :gear: |
| | `replicas.matrixNeoChoiceWidget` | :white_check_mark: | :gear: |
| | `replicas.matrixNeoDateFixBot` | :white_check_mark: | :gear: |
| | `replicas.matrixNeoDateFixWidget` | :white_check_mark: | :gear: |
| | `replicas.matrixUserVerificationService` | :white_check_mark: | :gear: |
| | `replicas.synapse` | :x: | :gear: |
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
| | `replicas.jicofo` | :white_check_mark: | :gear: |
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
| | `replicas.jitsiKeycloakAdapter` | :white_check_mark: | :gear: |
| | `replicas.jvb ` | :x: | :x: |
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
| Minio | `replicas.minioDistributed` | :white_check_mark: | :white_check_mark: |
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
| Postfix | `replicas.postfix` | :x: | :gear: |
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |

79
docs/security.md Normal file
View File

@@ -0,0 +1,79 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Security</h1>
This document should cover the current status of security measurements.
<!-- TOC -->
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
<!-- TOC -->
## Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
`pubkey.gpg` file and are validated during helmfile installation.
| Repository | OCI | Verifiable |
|--------------------------------------|:---:|:------------------:|
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
| clamav-repo | yes | :white_check_mark: |
| collabora-online-repo | no | :x: |
| cryptpad-online-repo | no | :x: |
| intercom-service-repo | yes | :white_check_mark: |
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: |
| keycloak-theme-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: |
| opendesk-certificates-repo | yes | :white_check_mark: |
| opendesk-dovecot-repo | yes | :white_check_mark: |
| opendesk-element-repo | yes | :white_check_mark: |
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | no | :x: |
| openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: |
| univention-corporate-container-repo | yes | :white_check_mark: |
| ums-repo | no | :x: |
| xwiki-repo | no | :x: |
## Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |

59
docs/theming.md Normal file
View File

@@ -0,0 +1,59 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Theming</h1>
This document will cover the theming and customization of your openDesk deployment.
<!-- TOC -->
* [Strings and texts](#strings-and-texts)
* [Colors](#colors)
* [Images and Logos](#images-and-logos)
* [Known limits](#known-limits)
<!-- TOC -->
## Strings and texts
The deployment name can be changed by:
```yaml
theme:
texts:
productName: "openDesk Cloud"
```
## Colors
The primary color and their derivates with lesser opacity be customized by:
```yaml
theme:
colors:
primary: "#5e27dd"
primary65: "#9673e9"
primary35: "#c7b3f3"
primary15: "#e7dffa"
```
## Images and Logos
You can customize the logo and favicon by providing SVG or icon as inline value:
```yaml
theme:
imagery:
logoHeaderSvg: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
logoHeaderSvgWhite: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
logoPortalBackgroundSvg: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
faviconIco: "..."
```
## Known limits
Not all applications support theming. Known exceptions are:
- Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
for theming through the deployment).
- OpenProject
- Jitsi

1
helmfile.yaml
View File

@@ -20,6 +20,7 @@ helmfiles:
- path: "helmfile/apps/openproject/helmfile.yaml"
- path: "helmfile/apps/xwiki/helmfile.yaml"
- path: "helmfile/apps/provisioning/helmfile.yaml"
- path: "helmfile/apps/openproject-bootstrap/helmfile.yaml"
missingFileHandler: "Error"

9
helmfile/apps/collabora/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Collabora Online
@@ -16,12 +20,9 @@ releases:
values:
- "values.yaml"
- "values.gotmpl"
condition: "collabora.enabled"
installed: {{ .Values.collabora.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "collabora"
bases:
- "../../bases/environments.yaml"
...

30
helmfile/apps/collabora/values.gotmpl
View File

@@ -5,24 +5,24 @@ SPDX-License-Identifier: Apache-2.0
---
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
tag: "{{ .Values.images.collabora.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: {{ .Values.images.collabora.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: "{{ .Values.ingress.ingressClassName }}"
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "Prefix"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
@@ -33,9 +33,27 @@ collabora:
aliasgroups:
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
replicaCount: {{ .Values.replicas.collabora }}
resources:
{{ .Values.resources.collabora | toYaml | nindent 2 }}
prometheus:
servicemonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
rules:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
additionalLabels:
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
grafana:
dashboards:
enabled: {{ .Values.grafana.dashboards.enabled }}
labels:
{{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
annotations:
{{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
...

28
helmfile/apps/cryptpad/helmfile.yaml Normal file
View File

@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# CryptPad
# Source: https://github.com/cryptpad/helm
- name: "cryptpad-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://cryptpad.github.io/helm" }}
releases:
- name: "cryptpad"
chart: "cryptpad-online-repo/cryptpad"
version: "0.0.13"
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.cryptpad.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "cryptpad"
...

33
helmfile/apps/cryptpad/values.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
...

47
helmfile/apps/cryptpad/values.yaml Normal file
View File

@@ -0,0 +1,47 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
# Disable registration and access to unregistered users:
# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
application_config:
availablePadTypes:
- "diagram"
# Deactivating public access breaks nextcloud plugin!
# registeredOnlyTypes:
# - "diagram"
autoscaling:
enabled: false
enableEmbedding: true
fullnameOverride: "cryptpad"
persistence:
enabled: false
podSecurityContext:
fsGroup: 4001
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 4001
runAsGroup: 4001
serviceAccount:
create: true
workloadStateful: false
...

37
helmfile/apps/element/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Element
@@ -33,7 +37,7 @@ releases:
values:
- "values-element.yaml"
- "values-element.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-well-known"
@@ -42,7 +46,7 @@ releases:
values:
- "values-well-known.yaml"
- "values-well-known.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-synapse-web"
@@ -51,7 +55,7 @@ releases:
values:
- "values-synapse-web.yaml"
- "values-synapse-web.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-synapse"
@@ -60,7 +64,7 @@ releases:
values:
- "values-synapse.yaml"
- "values-synapse.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -69,7 +73,7 @@ releases:
values:
- "values-matrix-user-verification-service-bootstrap.yaml"
- "values-matrix-user-verification-service-bootstrap.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "opendesk-matrix-user-verification-service"
@@ -78,34 +82,34 @@ releases:
values:
- "values-matrix-user-verification-service.yaml"
- "values-matrix-user-verification-service.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neoboard-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neochoice-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-bot-bootstrap"
@@ -114,22 +118,19 @@ releases:
values:
- "values-matrix-neodatefix-bot-bootstrap.yaml"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
- name: "matrix-neodatefix-bot"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl"
condition: "element.enabled"
installed: {{ .Values.element.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "element"
bases:
- "../../bases/environments.yaml"
...

24
helmfile/apps/element/values-element.gotmpl
View File

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
@@ -17,12 +17,16 @@ configuration:
"net.nordeck.element_web.module.opendesk":
config:
banner:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
custom_css_variables:
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
widget_types:
- jitsi
- net.nordeck
"net.nordeck.element_web.module.widget_lifecycle":
widget_permissions:
@@ -103,18 +107,18 @@ configuration:
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.element.repository }}"
tag: "{{ .Values.images.element.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.element.repository | quote }}
tag: {{ .Values.images.element.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

18
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}"
tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

18
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoChoiceWidget.repository }}"
tag: "{{ .Values.images.matrixNeoChoiceWidget.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

10
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -16,8 +16,8 @@ configuration:
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
...

22
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
View File

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
@@ -15,20 +15,20 @@ configuration:
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixBot.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixBot.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
size: "{{ .Values.persistence.size.matrixNeoDateFixBot }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}

18
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixWidget.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixWidget.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

12
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -13,11 +13,11 @@ cleanup:
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
password: {{ .Values.secrets.matrixUserVerificationService.password }}
password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
...

10
helmfile/apps/element/values-matrix-user-verification-service.gotmpl
View File

@@ -4,17 +4,17 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}

20
helmfile/apps/element/values-synapse-web.gotmpl
View File

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseWeb.repository }}"
tag: "{{ .Values.images.synapseWeb.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.synapseWeb.repository | quote }}
tag: {{ .Values.images.synapseWeb.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
replicaCount: {{ .Values.replicas.synapseWeb }}

42
helmfile/apps/element/values-synapse.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapse.repository }}"
tag: "{{ .Values.images.synapse.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.synapse.repository | quote }}
tag: {{ .Values.images.synapse.tag | quote }}
configuration:
database:
host: "{{ .Values.databases.synapse.host }}"
name: "{{ .Values.databases.synapse.name }}"
user: "{{ .Values.databases.synapse.username }}"
host: {{ .Values.databases.synapse.host | quote }}
name: {{ .Values.databases.synapse.name | quote }}
user: {{ .Values.databases.synapse.username | quote }}
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
homeserver:
@@ -37,32 +37,32 @@ configuration:
sender_localpart: intercom-service
oidc:
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
turn:
sharedSecret: {{ .Values.turn.credentials }}
sharedSecret: {{ .Values.turn.credentials | quote }}
servers:
{{- if .Values.turn.tls.host }}
- server: {{ .Values.turn.tls.host }}
- server: {{ .Values.turn.tls.host | quote }}
port: {{ .Values.turn.tls.port }}
transport: {{ .Values.turn.transport }}
transport: {{ .Values.turn.transport | quote }}
{{- else if .Values.turn.server.host }}
- server: {{ .Values.turn.server.host }}
- server: {{ .Values.turn.server.host | quote }}
port: {{ .Values.turn.server.port }}
transport: {{ .Values.turn.transport }}
transport: {{ .Values.turn.transport | quote }}
{{- end }}
guestModule:
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseGuestModule.repository }}"
tag: "{{ .Values.images.synapseGuestModule.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.synapseGuestModule.repository | quote }}
tag: {{ .Values.images.synapseGuestModule.tag | quote }}
persistence:
size: "{{ .Values.persistence.size.synapse }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.synapse | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
replicaCount: {{ .Values.replicas.synapse }}

3
helmfile/apps/element/values-synapse.yaml
View File

@@ -3,6 +3,9 @@
---
configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"

22
helmfile/apps/element/values-well-known.gotmpl
View File

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.wellKnown.repository }}"
tag: "{{ .Values.images.wellKnown.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.wellKnown.repository | quote }}
tag: {{ .Values.images.wellKnown.tag | quote }}
ingress:
host: "{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
host: {{ .Values.global.domain | quote }}
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
replicaCount: {{ .Values.replicas.wellKnown }}

11
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Intercom Service
@@ -15,15 +19,12 @@ repositories:
releases:
- name: "intercom-service"
chart: "intercom-service-repo/intercom-service"
version: "2.0.0"
version: "2.0.1"
values:
- "values.gotmpl"
condition: "intercom.enabled"
installed: {{ .Values.intercom.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "intercom-service"
bases:
- "../../bases/environments.yaml"
...

32
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -4,46 +4,46 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: "{{ .Values.global.domain }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ics:
secret: {{ .Values.secrets.intercom.secret }}
secret: {{ .Values.secrets.intercom.secret | quote }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
default:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
oidc:
secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
matrix:
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
subdomain: {{ .Values.global.hosts.synapse }}
subdomain: {{ .Values.global.hosts.synapse | quote }}
serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
nordeck:
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot }}
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
portal:
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
apiKey: {{ .Values.secrets.centralnavigation.apiKey | quote }}
redis:
host: {{ .Values.cache.intercomService.host }}
host: {{ .Values.cache.intercomService.host | quote }}
port: {{ .Values.cache.intercomService.port }}
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.intercom.repository }}"
tag: "{{ .Values.images.intercom.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.intercom.repository | quote }}
tag: {{ .Values.images.intercom.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
...

9
helmfile/apps/jitsi/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Jitsi
@@ -18,13 +22,10 @@ releases:
version: "1.7.1"
values:
- "values-jitsi.gotmpl"
condition: "jitsi.enabled"
installed: {{ .Values.jitsi.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "jitsi"
bases:
- "../../bases/environments.yaml"
...

74
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
@@ -15,13 +15,13 @@ cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
settings:
jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
@@ -32,16 +32,16 @@ jitsi:
replicaCount: {{ .Values.replicas.jitsi }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
tag: "{{ .Values.images.jitsi.tag }}"
tag: {{ .Values.images.jitsi.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
paths:
- "/"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
extraEnvs:
@@ -51,10 +51,10 @@ jitsi:
prosody:
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
tag: "{{ .Values.images.prosody.tag }}"
tag: {{ .Values.images.prosody.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
extraEnvs:
- name: "AUTH_TYPE"
@@ -62,74 +62,74 @@ jitsi:
- name: "JWT_APP_ID"
value: "myappid"
- name: "JWT_APP_SECRET"
value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"
value: "true"
- name: "MATRIX_UVS_URL"
value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
- name: TURNS_HOST
value: "{{ .Values.turn.tls.host }}"
value: {{ .Values.turn.tls.host | quote }}
- name: TURNS_PORT
value: "{{ .Values.turn.tls.port }}"
value: {{ .Values.turn.tls.port | quote }}
- name: TURN_HOST
value: "{{ .Values.turn.server.host }}"
value: {{ .Values.turn.server.host | quote }}
- name: TURN_PORT
value: "{{ .Values.turn.server.port }}"
value: {{ .Values.turn.server.port | quote }}
- name: TURN_TRANSPORT
value: "{{ .Values.turn.transport }}"
value: {{ .Values.turn.transport | quote }}
- name: TURN_CREDENTIALS
value: "{{ .Values.turn.credentials }}"
value: {{ .Values.turn.credentials | quote }}
resources:
{{ .Values.resources.prosody | toYaml | nindent 6 }}
persistence:
size: "{{ .Values.persistence.size.prosody }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
jicofo:
replicaCount: {{ .Values.replicas.jicofo }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
tag: "{{ .Values.images.jicofo.tag }}"
tag: {{ .Values.images.jicofo.tag | quote }}
xmpp:
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
jvb:
replicaCount: {{ .Values.replicas.jvb }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
tag: "{{ .Values.images.jvb.tag }}"
tag: {{ .Values.images.jvb.tag | quote }}
xmpp:
password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
resources:
{{ .Values.resources.jvb | toYaml | nindent 6 }}
service:
type: "{{ .Values.cluster.service.type }}"
type: {{ .Values.cluster.service.type | quote }}
jibri:
replicaCount: {{ .Values.replicas.jibri }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
tag: "{{ .Values.images.jibri.tag }}"
tag: {{ .Values.images.jibri.tag | quote }}
recorder:
password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
xmpp:
password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
patchJVB:
configuration:
staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
resources:

11
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
@@ -17,18 +21,15 @@ repositories:
releases:
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
version: "1.1.11"
version: "1.1.12"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
timeout: 1800
commonLabels:
deploy-stage: "component-1"
component: "keycloak-bootstrap"
bases:
- "../../bases/environments.yaml"
...

12
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -4,10 +4,10 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -20,10 +20,10 @@ config:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakBootstrap.repository }}"
tag: "{{ .Values.images.keycloakBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

13
helmfile/apps/keycloak/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# VMWare Bitnami
@@ -32,7 +36,7 @@ releases:
version: "2.0.0"
values:
- "values-theme.gotmpl"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak"
chart: "bitnami-repo/keycloak"
version: "12.1.5"
@@ -41,7 +45,7 @@ releases:
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak-extensions"
chart: "keycloak-extensions-repo/keycloak-extensions"
version: "0.1.0"
@@ -50,12 +54,9 @@ releases:
values:
- "values-extensions.yaml"
- "values-extensions.gotmpl"
condition: "keycloak.enabled"
installed: {{ .Values.keycloak.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "keycloak"
bases:
- "../../bases/environments.yaml"
...

37
helmfile/apps/keycloak/values-extensions.gotmpl
View File

@@ -8,39 +8,38 @@ global:
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
postgresql:
connection:
host: "{{ .Values.databases.keycloakExtension.host }}"
port: "{{ .Values.databases.keycloakExtension.port }}"
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port }}
auth:
database: "{{ .Values.databases.keycloakExtension.name }}"
username: "{{ .Values.databases.keycloakExtension.username }}"
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
handler:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
appConfig:
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: "{{ .Values.smtp.host }}"
smtpUsername: "{{ .Values.smtp.username }}"
smtpHost: {{ .Values.smtp.host | quote }}
smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}"
resources:
{{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
proxy:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
...

36
helmfile/apps/keycloak/values-keycloak.gotmpl
View File

@@ -4,22 +4,22 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloak.repository }}"
tag: "{{ .Values.images.keycloak.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloak.repository | quote }}
tag: {{ .Values.images.keycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
externalDatabase:
host: "{{ .Values.databases.keycloak.host }}"
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: "{{ .Values.databases.keycloak.username }}"
database: "{{ .Values.databases.keycloak.name }}"
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
auth:
@@ -34,7 +34,7 @@ keycloakConfigCli:
- name: "LDAP_USERS_DN"
value: "cn=users,dc=swp-ldap,dc=internal"
- name: "LDAP_SERVER_URL"
value: "univention-corporate-container"
value: {{ .Values.ldap.host | quote }}
- name: "IDENTIFIER"
value: "souvap"
- name: "THEME"
@@ -62,23 +62,23 @@ keycloakConfigCli:
- name: "INTERCOM_SERVICE_DOMAIN"
value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
- name: "CLIENT_SECRET_INTERCOM_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
- name: "CLIENT_SECRET_MATRIX_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
- name: "CLIENT_SECRET_JITSI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
- name: "CLIENT_SECRET_NCOIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
- name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.openproject }}
value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
- name: "CLIENT_SECRET_XWIKI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.xwiki }}
value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
- name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
value: "storage_provider_ucsldap"
- name: "LDAPSEARCH_PASSWORD"
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:

2
helmfile/apps/keycloak/values-theme.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}

13
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
@@ -24,13 +28,13 @@ repositories:
releases:
- name: "opendesk-nextcloud-bootstrap"
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
version: "3.2.2"
version: "3.2.3"
wait: true
waitForJobs: true
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
condition: "nextcloud.enabled"
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
- name: "nextcloud"
@@ -41,13 +45,10 @@ releases:
values:
- "values-nextcloud.gotmpl"
- "values-nextcloud.yaml"
condition: "nextcloud.enabled"
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "nextcloud"
bases:
- "../../bases/environments.yaml"
...

40
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -4,11 +4,11 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
istioDomain: "{{ .Values.istio.domain }}"
domain: {{ .Values.global.domain | quote }}
istioDomain: {{ .Values.istio.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -30,18 +30,22 @@ config:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
database:
host: "{{ .Values.databases.nextcloud.host }}"
name: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: {{ .Values.databases.nextcloud.host | quote }}
name: {{ .Values.databases.nextcloud.name | quote }}
user: {{ .Values.databases.nextcloud.username | quote }}
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
ldapSearch:
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
serverinfo:
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
smtp:
host: "{{ .Values.smtp.host }}"
username: "{{ .Values.smtp.username }}"
password: "{{ .Values.smtp.password }}"
host: {{ .Values.smtp.host | quote }}
username: {{ .Values.smtp.username | quote }}
password: {{ .Values.smtp.password | quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -49,24 +53,24 @@ cleanup:
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.nextcloud.repository }}"
tag: "{{ .Values.images.nextcloud.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.nextcloud.repository | quote }}
tag: {{ .Values.images.nextcloud.tag | quote }}
persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
accessModes:
- "ReadWriteMany"
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
{{- else }}
accessModes:
- "ReadWriteOnce"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
{{- end }}
size:
main: "{{ .Values.persistence.size.nextcloud.main }}"
data: "{{ .Values.persistence.size.nextcloud.data }}"
main: {{ .Values.persistence.size.nextcloud.main | quote }}
data: {{ .Values.persistence.size.nextcloud.data | quote }}
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}

4
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -11,6 +11,6 @@ config:
userOidc:
username: "ncoidc"
ldapSearch:
host: "univention-corporate-container"
cryptpad:
enabled: true
...

29
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -8,9 +8,9 @@ nextcloud:
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
externalDatabase:
database: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: "{{ .Values.databases.nextcloud.host }}"
database: {{ .Values.databases.nextcloud.name | quote }}
user: {{ .Values.databases.nextcloud.username | quote }}
host: {{ .Values.databases.nextcloud.host | quote }}
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
extraEnv:
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
@@ -22,20 +22,33 @@ redis:
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
className: {{ .Values.ingress.ingressClassName | quote }}
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.nextcloud.tag }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloud.tag | quote }}
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
metrics:
token: "{{ .Values.secrets.nextcloud.metricsToken }}"
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
https: true
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: {{ .Values.images.nextcloudExporter.tag | quote }}
pullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.nextcloud }}

3
helmfile/apps/nextcloud/values-nextcloud.yaml
View File

@@ -41,9 +41,6 @@ externalDatabase:
# to the mariadb:
type: "mysql"
metrics:
enabled: false
nextcloud:
configs:
mimetypealiases.json: |-

17
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Dovecot
@@ -31,22 +35,22 @@ repositories:
releases:
- name: "dovecot"
chart: "opendesk-dovecot-repo/dovecot"
version: "1.3.1"
version: "1.3.5"
values:
- "values-dovecot.yaml"
- "values-dovecot.gotmpl"
condition: "dovecot.enabled"
installed: {{ .Values.dovecot.enabled }}
timeout: 900
- name: "open-xchange"
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
version: "2.0.4"
version: "2.1.1"
values:
- "values-openxchange.yaml"
- "values-openxchange.gotmpl"
- "values-openxchange-enterprise-contact-picker.yaml"
- "values-openxchange-enterprise-contact-picker.gotmpl"
condition: "oxAppsuite.enabled"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
- name: "opendesk-open-xchange-bootstrap"
@@ -54,13 +58,10 @@ releases:
version: "1.3.1"
values:
- "values-openxchange-bootstrap.gotmpl"
condition: "oxAppsuite.enabled"
installed: {{ .Values.oxAppsuite.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "open-xchange"
bases:
- "../../bases/environments.yaml"
...

28
helmfile/apps/open-xchange/values-dovecot.gotmpl
View File

@@ -4,30 +4,32 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.dovecot.repository }}"
tag: "{{ .Values.images.dovecot.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.dovecot.repository | quote }}
tag: {{ .Values.images.dovecot.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
dovecot:
mailDomain: "{{ .Values.global.domain }}"
mailDomain: {{ .Values.global.domain | quote }}
password: {{ .Values.secrets.dovecot.doveadm | quote }}
ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
oidc:
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
clientID: "as8oidc"
loginTrustedNetworks: "{{ .Values.cluster.networking.cidr }}"
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
certificate:
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.dovecot }}
@@ -37,15 +39,15 @@ replicaCount: 1
persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
accessModes:
- "ReadWriteMany"
{{- else }}
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
accessModes:
- "ReadWriteOnce"
{{- end }}
size: "{{ .Values.persistence.size.dovecot }}"
size: {{ .Values.persistence.size.dovecot | quote }}
resources:
{{ .Values.resources.dovecot | toYaml | nindent 2 }}

9
helmfile/apps/open-xchange/values-dovecot.yaml
View File

@@ -1,13 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
readOnlyRootFilesystem: false
dovecot:
ldap:
enabled: true
host: "univention-corporate-container"
port: 389
base: "dc=swp-ldap,dc=internal"
@@ -15,4 +11,9 @@ dovecot:
enabled: true
clientID: "as8oidc"
usernameAttribute: "phoenixusername"
submission:
enabled: true
ssl: "no"
host: "postfix:25"
...

10
helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
View File

@@ -8,13 +8,13 @@ cleanup:
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.openxchangeBootstrap.repository }}"
tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
...

4
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
View File

@@ -8,6 +8,10 @@ appsuite:
secretYAMLFiles:
ldap-client-config.yml:
contactsLdapClient:
pool:
host:
address: {{ .Values.ldap.host | quote }}
port: 389
auth:
adminDN:
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}

55
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
View File

@@ -6,7 +6,7 @@ appsuite:
properties:
# Enterprise contact picker
com.openexchange.contacts.ldap.accounts: "opendesk"
com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
com.openexchange.admin.bypassAccessCombinationChecks: "true"
ENABLE_INTERNAL_USER_EDIT: "false"
@@ -16,9 +16,6 @@ appsuite:
contactsLdapClient:
pool:
type: "simple"
host:
address: "univention-corporate-container"
port: 389
auth:
type: "adminDN"
adminDN:
@@ -153,7 +150,7 @@ appsuite:
# allows to sort the attributes lexicographically, either "ascending" or "descending".
dynamicAttributes:
attributeName: "o"
contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
contactSearchScope: "sub"
# refreshInterval: 1h
refreshInterval: "5m"
@@ -174,6 +171,48 @@ appsuite:
- "Management"
- "Human Resources"
other:
name: "Other contacts"
ldapClientId: "contactsLdapClient"
mappings: "ucs"
folders:
mode: "static"
usedForSync:
protected: true
defaultValue: false
usedInPicker:
protected: false
defaultValue: true
shownInTree:
protected: false
defaultValue: true
static:
commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
folders:
- name: "Ohne Organisation"
contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
functional:
name: "Functional mailboxes"
ldapClientId: "contactsLdapClient"
mappings: "functional"
folders:
mode: "static"
usedForSync:
protected: true
defaultValue: false
usedInPicker:
protected: false
defaultValue: true
shownInTree:
protected: false
defaultValue: true
static:
commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
folders:
- name: "Funktionale Postfächer"
contactFilter: "(univentionObjectType=oxmail/functional_account)"
contacts-provider-ldap-mappings.yml:
# Example definitions of contact property <-> LDAP attribute mappings.
#
@@ -347,3 +386,9 @@ appsuite:
# image_last_modified :
# Will be set automatically to "image/jpeg" if not defined.
# image1_content_type :
functional:
objectid: "mailPrimaryAddress"
displayname: "oxPersonal,cn,mailPrimaryAddress"
file_as: "oxPersonal,cn,mailPrimaryAddress"
email1: "mailPrimaryAddress"

117
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -4,13 +4,13 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
mysql:
host: "{{ .Values.databases.oxAppsuite.host }}"
database: "{{ .Values.databases.oxAppsuite.name }}"
host: {{ .Values.databases.oxAppsuite.host | quote }}
database: {{ .Values.databases.oxAppsuite.name | quote }}
auth:
user: "{{ .Values.databases.oxAppsuite.username }}"
user: {{ .Values.databases.oxAppsuite.username | quote }}
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
@@ -19,22 +19,22 @@ istio:
nextcloud-integration-ui:
image:
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository }}
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag }}
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
public-sector-ui:
image:
repository: {{ .Values.images.openxchangePublicSectorUI.repository }}
tag: {{ .Values.images.openxchangePublicSectorUI.tag }}
repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
appsuite:
istio:
@@ -56,12 +56,12 @@ appsuite:
gotenberg:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
tag: {{ .Values.images.openxchangeGotenberg.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -83,19 +83,20 @@ appsuite:
propertiesFiles:
"/opt/open-xchange/etc/ldapauth.properties":
bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Dynamic theme
io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
secretETCFiles:
# Format of the OX Guard master key:
# MC+base64(20 random bytes)
@@ -103,28 +104,31 @@ appsuite:
oxguardpass: |
{{ .Values.secrets.oxAppsuite.oxguardMC }}
{{ .Values.secrets.oxAppsuite.oxguardRC }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
tag: {{ .Values.images.openxchangeCoreMW.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
update:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
tag: {{ .Values.images.openxchangeCoreMW.tag }}
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
core-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.images.openxchangeCoreUI.repository }}
tag: {{ .Values.images.openxchangeCoreUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
core-ui-middleware:
ingress:
@@ -133,40 +137,55 @@ appsuite:
enabled: false
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
core-documentconverter:
image:
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
resources:
{{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
core-guidedtours:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
core-imageconverter:
image:
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
guard-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
tag: {{ .Values.images.openxchangeGuardUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
core-user-guide:
image:
repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
...

46
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -6,6 +6,9 @@ appsuite:
ingressGateway:
name: "opendesk-gateway-istio-gateway"
switchboard:
enabled: false
core-mw:
enabled: true
masterAdmin: "admin"
@@ -63,6 +66,8 @@ appsuite:
com.openexchange.mail.filter.credentialSource: "mail"
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Dovecot
com.openexchange.imap.attachmentMarker.enabled: "true"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
@@ -78,6 +83,7 @@ appsuite:
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
com.openexchange.capability.document_preview: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -89,6 +95,8 @@ appsuite:
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.storage.file.fileStorageType: "file"
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
@@ -103,7 +111,6 @@ appsuite:
/opt/open-xchange/etc/system.properties:
SERVER_NAME: "oxserver"
/opt/open-xchange/etc/ldapauth.properties:
java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
bindOnly: "false"
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
@@ -139,10 +146,31 @@ appsuite:
oidcLogin: true
oidcPath: "/oidc"
redis:
enabled: true
mode: "standalone"
hosts:
- "redis-master"
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
mkdir -p /opt/open-xchange/guard-files
chown open-xchange:open-xchange /opt/open-xchange/guard-files
core-ui:
enabled: true
core-ui-middleware:
enabled: true
overrides: {}
redis:
mode: "standalone"
hosts:
- "redis-master:6379"
auth:
enabled: true
core-guidedtours:
enabled: true
guard-ui:
@@ -151,12 +179,26 @@ appsuite:
enabled: false
core-user-guide:
enabled: true
core-imageconverter:
enabled: false
enabled: true
objectCache:
s3ObjectStores:
- id: -1
endpoint: "."
accessKey: "."
secretKey: "."
core-spellcheck:
enabled: false
core-documentconverter:
enabled: true
documentConverter:
cache:
remoteCache:
enabled: false
core-documents-collaboration:
enabled: false
office-web:

36
helmfile/apps/openproject-bootstrap/helmfile.yaml Normal file
View File

@@ -0,0 +1,36 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk OpenProject Bootstrap
# Source: Set when repo is managed on Open CoDE
- name: "opendesk-openproject-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "opendesk-openproject-bootstrap"
chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
version: "1.2.1"
wait: true
waitForJobs: true
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.openproject.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-2"
component: "opendesk-openproject-bootstrap"
...

34
helmfile/apps/openproject-bootstrap/values.gotmpl Normal file
View File

@@ -0,0 +1,34 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.openprojectBootstrap.repository }}"
tag: "{{ .Values.images.openprojectBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
openproject:
fileshareName: "Nextcloud at {{ .Values.global.domain }}"
admin:
username: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
password: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
nextcloud:
admin:
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
...

25
helmfile/apps/openproject-bootstrap/values.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
...

11
helmfile/apps/openproject/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# OpenProject
@@ -12,19 +16,16 @@ repositories:
releases:
- name: "openproject"
chart: "openproject-repo/openproject"
version: "2.0.4"
version: "2.4.0"
wait: true
waitForJobs: true
values:
- "values.yaml"
- "values.gotmpl"
condition: "openproject.enabled"
installed: {{ .Values.openproject.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"
component: "openproject"
bases:
- "../../bases/environments.yaml"
...

60
helmfile/apps/openproject/values.gotmpl
View File

@@ -7,35 +7,42 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.openproject.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.openproject.tag | quote }}
initdb:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.openproject.repository }}"
repository: "{{ .Values.images.openprojectInitDb.repository }}"
tag: "{{ .Values.images.openprojectInitDb.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.openproject.tag }}"
memcached:
connection:
host: "{{ .Values.cache.openproject.host }}"
host: {{ .Values.cache.openproject.host | quote }}
port: {{ .Values.cache.openproject.port }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.memcached.repository | quote }}
tag: {{ .Values.images.memcached.tag | quote }}
postgresql:
auth:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
username: "{{ .Values.databases.openproject.username }}"
database: "{{ .Values.databases.openproject.name }}"
username: {{ .Values.databases.openproject.username | quote }}
database: {{ .Values.databases.openproject.name | quote }}
connection:
host: "{{ .Values.databases.openproject.host }}"
port: "{{ .Values.databases.openproject.port }}"
host: {{ .Values.databases.openproject.host | quote }}
port: {{ .Values.databases.openproject.port }}
openproject:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
# Will only be set on initial seed / installation
admin_user:
name: "OpenProject Interal Admin"
name: "OpenProject Internal Admin"
mail: "openproject-admin@swp-domain.internal"
password_reset: "false"
password: {{ .Values.secrets.openproject.adminPassword | quote }}
@@ -43,36 +50,39 @@ openproject:
ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
OPENPROJECT_SMTP__SSL: "false" # (default=false)
OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
persistence:
size: "{{ .Values.persistence.size.openproject }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
replicaCount: {{ .Values.replicas.openproject }}
resources:
{{ .Values.resources.openproject | toYaml | nindent 2 }}
...

16
helmfile/apps/openproject/values.yaml
View File

@@ -37,8 +37,10 @@ securityContext:
readOnlyRootFilesystem: false
persistence:
accessModes:
- "ReadWriteMany"
enabled: false
s3:
enabled: true
# For more details and more options see
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -55,9 +57,6 @@ environment:
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
@@ -74,5 +73,10 @@ environment:
"(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
OPENPROJECT_FOG_DIRECTORY: "openproject"
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
...

9
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# OX Connector
@@ -15,12 +19,9 @@ releases:
values:
- "values-oxconnector.yaml"
- "values-oxconnector.gotmpl"
condition: "oxConnector.enabled"
installed: {{ .Values.oxConnector.enabled }}
commonLabels:
deploy-stage: "component-2"
component: "provisioning"
bases:
- "../../bases/environments.yaml"
...

17
helmfile/apps/provisioning/values-oxconnector.gotmpl
View File

@@ -4,26 +4,29 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.oxConnector.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.oxConnector.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.oxConnector.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.oxConnector.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
oxConnector:
domainName: "{{ .Values.global.domain }}"
domainName: {{ .Values.global.domain | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1"
ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }}
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}

5
helmfile/apps/provisioning/values-oxconnector.yaml
View File

@@ -5,14 +5,9 @@ ingress:
enabled: false
oxConnector:
ldapHost: "univention-corporate-container"
# ldapHostIp: ""
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
notifierServer: "univention-corporate-container"
tlsMode: "off"
# current static password for UCC
ldapPassword: "ucctempldapstring"
caCert: "ucctempldapstring"
debugLevel: "5"
logLevel: "DEBUG"

38
helmfile/apps/services/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Certificates
@@ -74,70 +78,74 @@ releases:
version: "2.1.0"
values:
- "values-certificates.gotmpl"
condition: "certificates.enabled"
installed: {{ .Values.certificates.enabled }}
- name: "redis"
chart: "bitnami-repo/redis"
version: "18.1.2"
values:
- "values-redis.gotmpl"
- "values-redis.yaml"
condition: "redis.enabled"
installed: {{ .Values.redis.enabled }}
- name: "memcached"
chart: "bitnami-repo/memcached"
version: "6.6.2"
values:
- "values-memcached.yaml"
- "values-memcached.gotmpl"
condition: "memcached.enabled"
installed: {{ .Values.memcached.enabled }}
- name: "postgresql"
chart: "postgresql-repo/postgresql"
version: "2.0.2"
version: "2.0.3"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
condition: "postgresql.enabled"
installed: {{ .Values.postgresql.enabled }}
timeout: 900
- name: "mariadb"
chart: "mariadb-repo/mariadb"
version: "2.0.2"
version: "2.1.1"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
condition: "mariadb.enabled"
installed: {{ .Values.mariadb.enabled }}
timeout: 900
- name: "postfix"
chart: "postfix-repo/postfix"
version: "2.0.3"
version: "2.0.4"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
condition: "postfix.enabled"
installed: {{ .Values.postfix.enabled }}
- name: "clamav"
chart: "clamav-repo/opendesk-clamav"
version: "4.0.0"
values:
- "values-clamav-distributed.yaml"
- "values-clamav-distributed.gotmpl"
condition: "clamavDistributed.enabled"
installed: {{ .Values.clamavDistributed.enabled }}
- name: "clamav-simple"
chart: "clamav-repo/clamav-simple"
version: "4.0.0"
values:
- "values-clamav-simple.yaml"
- "values-clamav-simple.gotmpl"
condition: "clamavSimple.enabled"
installed: {{ .Values.clamavSimple.enabled }}
- name: "opendesk-gateway"
chart: "istio-resources-repo/istio-gateway"
version: "2.0.0"
values:
- "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl"
condition: "istio.enabled"
installed: {{ .Values.istio.enabled }}
- name: "minio"
chart: "bitnami-repo/minio"
version: "12.8.19"
values:
- "values-minio.yaml"
- "values-minio.gotmpl"
installed: {{ .Values.minio.enabled }}
commonLabels:
deploy-stage: "services"
component: "services"
bases:
- "../../bases/environments.yaml"
...

8
helmfile/apps/services/values-certificates.gotmpl
View File

@@ -4,19 +4,19 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
issuerRef:
name: "{{ .Values.certificate.issuerRef.name }}"
name: {{ .Values.certificate.issuerRef.name | quote }}
{{- if .Values.istio.enabled }}
istio:
enabled: {{ .Values.istio.enabled }}
domain: {{ .Values.istio.domain }}
domain: {{ .Values.istio.domain | quote }}
issuerRef:
name: "{{ .Values.istio.issuerRef.name }}"
name: {{ .Values.istio.issuerRef.name | quote }}
{{- end }}
cleanup:

36
helmfile/apps/services/values-clamav-distributed.gotmpl
View File

@@ -7,10 +7,10 @@ clamd:
podSecurityContext:
replicaCount: {{ .Values.replicas.clamd }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
@@ -18,10 +18,10 @@ freshclam:
podSecurityContext:
replicaCount: {{ .Values.replicas.freshclam }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.freshclam.repository }}"
tag: "{{ .Values.images.freshclam.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.freshclam.repository | quote }}
tag: {{ .Values.images.freshclam.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -32,10 +32,10 @@ global:
icap:
replicaCount: {{ .Values.replicas.icap }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
@@ -43,14 +43,14 @@ milter:
podSecurityContext:
replicaCount: {{ .Values.replicas.milter }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.milter.repository }}"
tag: "{{ .Values.images.milter.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.milter.repository | quote }}
tag: {{ .Values.images.milter.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
size: "{{ .Values.persistence.size.clamav }}"
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
size: {{ .Values.persistence.size.clamav | quote }}
...

20
helmfile/apps/services/values-clamav-simple.gotmpl
View File

@@ -7,15 +7,15 @@ replicaCount: {{ .Values.replicas.clamav }}
image:
clamav:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
icap:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
@@ -25,6 +25,6 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.clamav }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.clamav | quote }}
...

4
helmfile/apps/services/values-istio-gateway.gotmpl
View File

@@ -4,9 +4,9 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.istio.domain }}"
domain: {{ .Values.istio.domain | quote }}
hosts:
openxchange: "{{ .Values.global.hosts.openxchange }}"
openxchange: {{ .Values.global.hosts.openxchange | quote }}
tls:
secretName: "{{ .Values.istio.domain }}-tls"

12
helmfile/apps/services/values-mariadb.gotmpl
View File

@@ -4,14 +4,14 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
repository: "{{ .Values.images.mariadb.repository }}"
tag: "{{ .Values.images.mariadb.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
# Please refer to `databases.yaml` for details.
@@ -35,8 +35,8 @@ mariadb:
rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.mariadb }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.mariadb | quote }}
resources:
{{ .Values.resources.mariadb | toYaml | nindent 2 }}

10
helmfile/apps/services/values-memcached.gotmpl
View File

@@ -4,15 +4,15 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.memcached.repository | quote }}
tag: {{ .Values.images.memcached.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}

80
helmfile/apps/services/values-minio.gotmpl Normal file
View File

@@ -0,0 +1,80 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.minio.repository }}"
tag: "{{ .Values.images.minio.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
auth:
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
statefulset:
replicaCount: {{ .Values.replicas.minioDistributed }}
resources:
{{ .Values.resources.minio | toYaml | nindent 2 }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
apiIngress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
metrics:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.minio }}"
provisioning:
users:
- username: "openproject_user"
password: {{ .Values.secrets.minio.openprojectUser | quote }}
disabled: false
policies:
- "openproject-bucket-policy"
setPolicies: true
- username: "openxchange_user"
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
disabled: false
policies:
- "openxchange-bucket-policy"
setPolicies: true
- username: "ums_user"
password: {{ .Values.secrets.minio.umsUser | quote }}
disabled: false
policies:
- "ums-bucket-policy"
setPolicies: true
- username: "nextcloud_user"
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
disabled: false
policies:
- "nextcloud-bucket-policy"
setPolicies: true
...

114
helmfile/apps/services/values-minio.yaml Normal file
View File

@@ -0,0 +1,114 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
mode: "standalone"
podSecurityContext:
enabled: true
fsGroup: 1000
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
runAsUser: 1000
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
ingress:
annotations:
nginx.org/websocket-services: "minio"
networkPolicy:
enabled: false
defaultBuckets: "openproject,openxchange,ums,nextcloud"
provisioning:
enabled: true
cleanupAfterFinished:
enabled: true
buckets:
- name: "openproject"
versioning: true
withLock: false
- name: "openxchange"
versioning: true
withLock: false
- name: "ums"
versioning: true
withLock: false
- name: "nextcloud"
versioning: true
withLock: false
policies:
- name: "openproject-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::openproject"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::openproject/*"
effect: "Allow"
actions:
- "s3:*"
- name: "openxchange-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::openxchange"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::openxchange/*"
effect: "Allow"
actions:
- "s3:*"
- name: "ums-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::ums"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::ums/*"
effect: "Allow"
actions:
- "s3:*"
- name: "nextcloud-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::nextcloud"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::nextcloud/*"
effect: "Allow"
actions:
- "s3:*"
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
startupProbe:
enabled: true
periodSeconds: 10
timeoutSeconds: 10
...

26
helmfile/apps/services/values-postfix.gotmpl
View File

@@ -4,28 +4,28 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: {{ .Values.global.imageRegistry }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.postfix.repository }}"
tag: "{{ .Values.images.postfix.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.postfix.repository | quote }}
tag: {{ .Values.images.postfix.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
certificate:
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
postfix:
domain: "{{ .Values.global.domain }}"
virtualMailboxDomains: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
virtualMailboxDomains: {{ .Values.global.domain | quote }}
overrides:
- fileName: "sasl_passwd.map"
content:
- "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
relayHost: "[{{ .Values.smtp.host }}]:587"
relayNets: {{ .Values.cluster.networking.cidr }}
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}}
virtualTransport: "lmtps:dovecot:24"
smtpdSASLPath: "inet:dovecot:3659"
{{- if .Values.clamavDistributed.enabled }}
@@ -35,8 +35,8 @@ postfix:
{{- end }}
persistence:
size: "{{ .Values.persistence.size.postfix }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
replicaCount: {{ .Values.replicas.postfix }}

12
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -4,14 +4,14 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: {{ .Values.global.imageRegistry }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
repository: "{{ .Values.images.postgresql.repository }}"
tag: "{{ .Values.images.postgresql.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.postgresql.repository | quote }}
tag: {{ .Values.images.postgresql.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
job:
users:
@@ -39,8 +39,8 @@ job:
user: "notificationsapi_user"
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.postgresql }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.postgresql | quote }}
postgres:
password: {{ .Values.secrets.postgresql.postgresUser | quote }}

14
helmfile/apps/services/values-redis.gotmpl
View File

@@ -7,20 +7,20 @@ auth:
password: {{ .Values.secrets.redis.password | quote }}
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.redis.repository }}"
tag: "{{ .Values.images.redis.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.redis.repository | quote }}
tag: {{ .Values.images.redis.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
master:
persistence:
size: "{{ .Values.persistence.size.redis }}"
size: {{ .Values.persistence.size.redis | quote }}
resources:
{{ .Values.resources.redis | toYaml | nindent 4 }}

9
helmfile/apps/univention-corporate-container/helmfile.yaml
View File

@@ -1,5 +1,9 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Univention Corporate Server (as eval Container)
@@ -20,12 +24,9 @@ releases:
values:
- "values.yaml"
- "values.gotmpl"
condition: "univentionCorporateServer.enabled"
installed: {{ .Values.univentionCorporateServer.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-corporate-container"
bases:
- "../../bases/environments.yaml"
...

24
helmfile/apps/univention-corporate-container/values.gotmpl
View File

@@ -4,36 +4,36 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.univentionCorporateServer.repository }}"
tag: "{{ .Values.images.univentionCorporateServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionCorporateServer }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
extraEnvVars:
- name: ISTIO_DOMAIN
value: {{ .Values.istio.domain }}
value: {{ .Values.istio.domain | quote }}
- name: CENTRALNAVIGATION_API_SECRET
value: {{ .Values.secrets.centralnavigation.apiKey }}
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD

79
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -4,115 +4,144 @@
bases:
- "../../bases/environments.yaml"
---
repositories:
# Univention Management Stack
- name: "ums-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
# TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
# {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
- name: "ums-stack-gateway"
chart: "bitnami-repo/nginx"
version: "15.3.5"
values:
- "values-ums-stack-gateway.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
# {{- end }}
- name: "ums-store-dav"
chart: "ums-repo/store-dav"
version: "0.2.0"
version: "0.5.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-store-dav.gotmpl"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server"
chart: "ums-repo/ldap-server"
version: "0.1.0"
version: "0.7.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-server.gotmpl"
condition: "univentionManagementStack.enabled"
- "values-ldap-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier"
chart: "ums-repo/ldap-notifier"
version: "0.1.0"
version: "0.7.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api"
chart: "ums-repo/udm-rest-api"
version: "0.1.0"
version: "0.3.5"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-udm-rest-api.gotmpl"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums"
chart: "ums-repo/stack-data-ums"
version: "0.1.0"
version: "0.33.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-ums.gotmpl"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp"
chart: "ums-repo/stack-data-swp"
version: "0.1.0"
version: "0.33.0"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-swp.gotmpl"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server"
chart: "ums-repo/portal-server"
version: "0.1.0"
version: "0.4.3"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-server.gotmpl"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api"
chart: "ums-repo/notifications-api"
version: "0.1.0"
version: "0.4.3"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-notifications-api.gotmpl"
- "values-notifications-api.yaml"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener"
chart: "ums-repo/portal-listener"
version: "0.1.0"
version: "0.4.3"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-listener.gotmpl"
- "values-portal-listener.yaml"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend"
chart: "ums-repo/portal-frontend"
version: "0.1.0"
version: "0.4.3"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend-custom"
# TODO: Replace with our own Nginx chart.
chart: "bitnami-repo/nginx"
version: "15.3.5"
values:
- "values-portal-frontend-custom.yaml"
- "values-portal-frontend-custom.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway"
chart: "ums-repo/umc-gateway"
version: "0.1.0"
version: "0.5.1"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
condition: "univentionManagementStack.enabled"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server"
chart: "ums-repo/umc-server"
version: "0.1.0"
version: "0.5.1"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-server.gotmpl"
condition: "univentionManagementStack.enabled"
- "values-umc-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-management-stack"
...

6
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -3,12 +3,12 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
enabled: {{ .Values.ingress.enabled }}
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
...

4
helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -1,6 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
configMapUcrDefaults: "ums-stack-data-ums-ucr"
configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null
istio:
enabled: false

12
helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
View File

@@ -3,18 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapNotifier.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapNotifier.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
...

35
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -4,40 +4,41 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
ldapServer:
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
waitForSamlMetadata: true
# TODO: Certificates handling
# caCert: ""
# certPem: ""
# privateKey: ""
# dhParam: ""
tlsMode: "off"
# TODO: SAML integration
# samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
# samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
# serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
# TODO: Pending upstream support, #199
persistence:
data:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}

30
helmfile/apps/univention-management-stack/values-ldap-server.yaml Normal file
View File

@@ -0,0 +1,30 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
type: "ClusterIP"
extraVolumes:
- name: "opendesk-schemas"
configMap:
name: "ums-stack-data-swp-schemas"
extraVolumeMounts:
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
subPath: "opendeskFileshare.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
subPath: "opendeskKnowledgemanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
subPath: "opendeskLearnmanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
subPath: "opendeskLivecollaboration.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema"
...

10
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
View File

@@ -14,13 +14,13 @@ postgresql:
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsNotificationsApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsNotificationsApi.tag }}"
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsNotificationsApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsNotificationsApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

53
helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl Normal file
View File

@@ -0,0 +1,53 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: true
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "nginx"
annotations:
nginx.org/mergeable-ingress-type: "minion"
tls: false
pathType: Exact
path: /favicon.ico
extraPaths:
- pathType: Exact
path: /univention/portal/css/custom.css
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo_small_border.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.png
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
...

33
helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml Normal file
View File

@@ -0,0 +1,33 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
type: "ClusterIP"
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/app/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
...

17
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
View File

@@ -3,29 +3,28 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalFrontend.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalFrontend.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
extraIngresses:
redirects:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
enabled: {{ .Values.ingress.enabled }}
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
...

29
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
View File

@@ -13,11 +13,11 @@ portalListener:
umcSessionUrl: "http://ums-umc-server/get/session-info"
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapHost: "{{ .Values.ldap.host }}"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
notifierServer: "ums-ldap-notifier"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
@@ -25,30 +25,29 @@ portalListener:
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalListener.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalListener.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsPortalListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #200
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
...

15
helmfile/apps/univention-management-stack/values-portal-server.gotmpl
View File

@@ -7,20 +7,23 @@ portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
authMode: "saml"
environment: "staging"
editable: "true"
editable: "false"
logLevel: "DEBUG"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation:
enabled: true
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsPortalServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

34
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
View File

@@ -4,33 +4,43 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataSwp:
udmApiUsername: "cn=admin"
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
ldapSearchUsers:
{{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $k | quote }}
password: {{ $v | quote }}
lastname: {{ "LDAP-Search-User" }}
{{- end }}
externalDomainName: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
oxDefaultContext: "10"
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

27
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
View File

@@ -10,20 +10,35 @@ stackDataUms:
loadDevData: true
stackDataContext:
domainname: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ldapHost: "{{ .Values.ldap.host }}"
ldapBase: "dc=swp-ldap,dc=internal"
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
idpSamlMetadataUrlInternal: null
umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
umcSamlSchemes: "https"
idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

28
helmfile/apps/univention-management-stack/values-store-dav.gotmpl
View File

@@ -6,33 +6,33 @@ SPDX-License-Identifier: Apache-2.0
storeDav:
auth:
basicAuth:
portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsStoreDav.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsStoreDav.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsStoreDav.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsStoreDav.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
configHtpasswd:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
# TODO: Pending upstream support, #201
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}

27
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
View File

@@ -4,41 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
udmRestApi:
apiLogLevel: "4"
authGroups:
dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
# TODO: Secret should be entered without b64enc
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
# TODO: why do we need this many subprocesses?
numberOfSubprocesses: 8
# TODO: Stub value currently
caCert: ""
# TODO: This should not be part of the udm-rest-api anymore
loadJoinData:
enabled: true
# TODO: configurable
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUdmRestApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUdmRestApi.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
...

24
helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
View File

@@ -4,18 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
umcGateway:
domainname: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ssoFqdn: "localhost:8097"
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUmcGateway.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUmcGateway.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcGateway.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

18
helmfile/apps/univention-management-stack/values-umc-gateway.yaml
View File

@@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
umcGateway:
showCookieBanner: true
cookieBannerTitleDE: "Cookie Zustimmung"
cookieBannerTitleEN: "Cookie Consent"
cookieBannerTextDE: >-
Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
Seite.
cookieBannerTextEN: >-
Usage of this site is only possible by storing and processing cookie
information (essential cookies). We require your consent. Please accept to
continue or close the page.
...

32
helmfile/apps/univention-management-stack/values-umc-server.gotmpl
View File

@@ -4,37 +4,19 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
umcServer:
domainname: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ldapHost: "ums-ldap-server"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
enforceSessionCookie: "true"
# TODO: The keycloak integration is pending
samlEnabled: false
samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
samlSpServer: "localhost:8000"
samlSchemes: "http"
tlsMode: "off"
# TODO: Secret should be entered without b64enc
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUmcServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUmcServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

Some files were not shown because too many files have changed in this diff Show More