sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.5.22
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
...
compare: sheppy:v0.5.37
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

34 Commits
v0.5.22 ... v0.5.37

Author SHA1 Message Date
openDesk
3f7faf88fb chore(release): 0.5.37 [skip ci] 
## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)

### Bug Fixes

* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](1971dfbded))
 2023-11-12 15:54:06 +00:00
Thorsten Rossner
1971dfbded fix(openproject): Add bootstrapping of Nextcloud filestore 2023-11-12 15:52:22 +00:00
openDesk
b50e5c982b chore(release): 0.5.36 [skip ci] 
## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)

### Bug Fixes

* **element:** Update Element and Widgets ([97034a5](97034a556f))
 2023-11-10 11:57:05 +00:00
Milton Moura
97034a556f fix(element): Update Element and Widgets 2023-11-10 11:54:48 +00:00
openDesk
8b87432317 chore(release): 0.5.35 [skip ci] 
## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)

### Bug Fixes

* **helmfile:** Eliminate some yamllint errors ([1d03a6e](1d03a6e11f))
* **helmfile:** Move ldap host variable into helpers ([08811de](08811decd9))
* **helmfile:** Update charts to use proper quoting ([69ea840](69ea840517))
* **services:** Add minio as service and consume by OpenProject ([baa5827](baa5827de3))
 2023-11-10 01:35:55 +00:00
Robin Rush
baa5827de3 fix(services): Add minio as service and consume by OpenProject 2023-11-09 19:15:46 -06:00
Dominik Kaminski
1d03a6e11f fix(helmfile): Eliminate some yamllint errors 2023-11-09 17:01:17 -06:00
Dominik Kaminski
08811decd9 fix(helmfile): Move ldap host variable into helpers 2023-11-09 16:25:21 -06:00
Thomas Kaltenbrunner
69ea840517 fix(helmfile): Update charts to use proper quoting 2023-11-09 22:01:21 +00:00
openDesk
ea5bd0a6b7 chore(release): 0.5.34 [skip ci] 
## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)

### Bug Fixes

* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](0d8e92fc5a))
 2023-11-09 16:23:55 +00:00
Thorsten Rossner
0d8e92fc5a fix(openproject): Bump helmchart and properly template OP's initdb image 2023-11-09 16:21:30 +00:00
openDesk
d7119a656b chore(release): 0.5.33 [skip ci] 
## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)

### Bug Fixes

* **cryptpad:** Update security context ([89ae1d9](89ae1d94ea))
 2023-11-09 08:54:47 +00:00
Thomas Kaltenbrunner
89ae1d94ea fix(cryptpad): Update security context 2023-11-09 08:52:55 +00:00
openDesk
dfc7fed325 chore(release): 0.5.32 [skip ci] 
## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)

### Bug Fixes

* **collabora:** Resource definitions ([65ce9a1](65ce9a171b))
 2023-11-09 06:44:45 +00:00
Thorsten Roßner
65ce9a171b fix(collabora): Resource definitions 2023-11-08 21:01:11 +01:00
openDesk
5e50ed119f chore(release): 0.5.31 [skip ci] 
## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)

### Bug Fixes

* **univention-management-stack:** Update optional UMS preview state ([d0a0799](d0a07997c1))
 2023-11-08 13:43:13 +00:00
Johannes Bornhold
d0a07997c1 fix(univention-management-stack): Update optional UMS preview state 2023-11-08 13:41:22 +00:00
openDesk
985df5906f chore(release): 0.5.30 [skip ci] 
## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)

### Bug Fixes

* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](0ad043406b))
* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](385d81b9a9))
 2023-11-06 23:26:23 +00:00
Dominik Kaminski
385d81b9a9 fix(helmfile): Add monitoring.yaml for optional monitoring 2023-11-06 17:12:53 -06:00
Martin Müller
0ad043406b fix(collabora): Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) 2023-11-06 16:12:15 -06:00
openDesk
4a79728f01 chore(release): 0.5.29 [skip ci] 
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)

### Bug Fixes

* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](7c56c7244f))
 2023-11-06 19:34:52 +00:00
Clément Aubin
7c56c7244f fix(xwiki): Update XWiki Helm configuration to enable LDAP and OIDC user synchronization 2023-11-06 15:41:23 +00:00
openDesk
e0fce6631b chore(release): 0.5.28 [skip ci] 
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)

### Bug Fixes

* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](899a8c5af9))
 2023-11-06 15:40:22 +00:00
Viktor Pracht
899a8c5af9 fix(open-xchange): Add Document- and ImageConverter, improve LDAP address book filters 2023-11-06 15:38:35 +00:00
openDesk
6cee2c878b chore(release): 0.5.27 [skip ci] 
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)

### Bug Fixes

* **docs:** Re-include release artefacts ([4359b21](4359b21f1c))
 2023-11-04 12:21:17 +00:00
Thorsten Rossner
4359b21f1c fix(docs): Re-include release artefacts 2023-11-04 12:19:45 +00:00
openDesk
d8b2bd3af0 chore(release): 0.5.26 [skip ci] 
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)

### Bug Fixes

* **element:** Enables user directory search for all users ([8fafd90](8fafd906a3))
 2023-11-02 14:32:46 +00:00
Milton Moura
8fafd906a3 fix(element): Enables user directory search for all users 2023-11-02 11:45:05 -01:00
openDesk
fece4ace87 chore(release): 0.5.25 [skip ci] 
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)

### Bug Fixes

* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](ab6014f8c6))
 2023-11-01 17:25:13 +00:00
Thomas Kaltenbrunner
ab6014f8c6 fix(cryptpad): Add CryptPad to support editing of diagrams.net files from within Nextcloud 2023-11-01 17:23:21 +00:00
openDesk
fecd13612b chore(release): 0.5.24 [skip ci] 
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)

### Bug Fixes

* **collabora:** Update image to 23.05.5.3.1 ([38336d0](38336d0240))
 2023-11-01 16:27:49 +00:00
Thorsten Roßner
38336d0240 fix(collabora): Update image to 23.05.5.3.1 2023-11-01 08:53:27 +01:00
openDesk
9f9e4e9521 chore(release): 0.5.23 [skip ci] 
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)

### Bug Fixes

* **element:** Update Element Web to latest release ([b47de62](b47de62f98))
 2023-11-01 14:29:33 +00:00
Mikhail Aheichyk
b47de62f98 fix(element): Update Element Web to latest release 2023-11-01 16:55:14 +03:00
99 changed files with 1920 additions and 791 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,6 +2,7 @@
# SPDX-License-Identifier: Apache-2.0
.vscode
.idea
.yamllint
# Ignore changes to sample environments
helmfile/environments/dev/values.yaml

30
.gitlab-ci.yml
View File

@@ -78,6 +78,12 @@ variables:
options:
- "yes"
- "no"
DEPLOY_CRYPTPAD:
description: "Enable CryptPad deployment."
value: "no"
options:
- "yes"
- "no"
DEPLOY_ELEMENT:
description: "Enable Element deployment."
value: "no"
@@ -342,6 +348,18 @@ collabora-deploy:
variables:
COMPONENT: "collabora"
cryptpad-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
when: "always"
variables:
COMPONENT: "cryptpad"
nextcloud-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
@@ -366,6 +384,18 @@ openproject-deploy:
variables:
COMPONENT: "openproject"
openproject-bootstrap-deploy:
stage: "component-deploy-stage-2"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
when: "always"
variables:
COMPONENT: "openproject-bootstrap"
jitsi-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"

109
CHANGELOG.md
View File

@@ -1,3 +1,112 @@
## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)
### Bug Fixes
* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1971dfbded21d16909e889ba6d19ff9cf3e4cb20))
## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)
### Bug Fixes
* **element:** Update Element and Widgets ([97034a5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/97034a556f4cdcc447f61003ad9cd036c186bc3b))
## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)
### Bug Fixes
* **helmfile:** Eliminate some yamllint errors ([1d03a6e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1d03a6e11f368fd81dd10b91b0d9d7fc29c0cb24))
* **helmfile:** Move ldap host variable into helpers ([08811de](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/08811decd92e7fd7802d0eba2644046512ec58a4))
* **helmfile:** Update charts to use proper quoting ([69ea840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/69ea84051721f3aaf36a5dbafdfb37dd86b66dbb))
* **services:** Add minio as service and consume by OpenProject ([baa5827](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/baa5827de3e1e368abf238a932a5849f169af723))
## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)
### Bug Fixes
* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0d8e92fc5a4729ff7649e5a10e629b962a9b671b))
## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)
### Bug Fixes
* **cryptpad:** Update security context ([89ae1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/89ae1d94ea4c4e8a15a395a80847a7f235365747))
## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)
### Bug Fixes
* **collabora:** Resource definitions ([65ce9a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65ce9a171b7c8ebc453fb6bbe96743c8516da2c6))
## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)
### Bug Fixes
* **univention-management-stack:** Update optional UMS preview state ([d0a0799](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d0a07997c12ddb9731a0dfed0d6fa71d9a3790e7))
## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)
### Bug Fixes
* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ad043406bef7bb10d561ef1418b58cbd8714d43))
* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/385d81b9a9e1ec319706493c51629c8e48822aa7))
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
### Bug Fixes
* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
### Bug Fixes
* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
### Bug Fixes
* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
### Bug Fixes
* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
### Bug Fixes
* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
### Bug Fixes
* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
### Bug Fixes
* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)

3
COMPONENTS-SERVICE.md
View File

@@ -60,3 +60,6 @@ This service is used by
- Open-Xchange
## Objectstore - MinIO
This services is used by:
- OpenProject (attachment storage)

69
README.md
View File

@@ -6,11 +6,20 @@ SPDX-License-Identifier: Apache-2.0
[[_TOC_]]
# Disclaimer August 2023
# Disclaimer
The current state of the Sovereign Workplace contains components that are going to be
replaced. Like for example the UCS dev container monolith will be substituted by
multiple Univention Management Stack containers.
openDesk will face breaking changes in the near future without upgrade paths.
While most components support upgrades, major configuration or component changes
may occur, therefore we recommend always installing from scratch.
Components that are going to be replaced soon are:
- The UCS dev container monolith will be substituted by multiple Univention
Management Stack containers,
- the Nextcloud community container is going to be replaced by an openDesk
specific Nextcloud distroless container and
- Dovecot Community is going to be replaced by a Dovecot container tailored for the
needs of the public sector.
In the next months we not only expect upstream updates of the functional
components within their feature scope, but we are also going to address
@@ -19,8 +28,6 @@ operational issues like monitoring and network policies.
Of course, further development also includes enhancing the documentation.
The first release of the Sovereign Workplace is scheduled for December 2023.
Before that release there will be breaking changes in the deployment.
# The Sovereign Workplace (SWP)
@@ -209,6 +216,7 @@ subdirectory `/helmfile/apps/services`.
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | Eval |
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | Eval |
| Collabora | `collabora.enabled` | `true` | Weboffice | Functional |
| CryptPad | `cryptpad.enabled` | `true` | Weboffice | Functional |
| Dovecot | `dovecot.enabled` | `true` | Mail backend | Functional |
| Element | `element.enabled` | `true` | Secure communications platform | Functional |
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | Functional |
@@ -216,6 +224,7 @@ subdirectory `/helmfile/apps/services`.
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
| MinIO | `minio.enabled` | `true` | Object Storage | Eval |
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
@@ -315,6 +324,7 @@ actual scalability of the components (see column `Scaling (verified)`).
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: |
| Dovecot | `replicas.dovecot` | :x: | :gear: |
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
| | `replicas.synapse` | :x: | :gear: |
@@ -376,6 +386,7 @@ This list gives you an overview of default security settings and if they comply
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
@@ -407,6 +418,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
| clamav-repo | yes | :white_check_mark: |
| collabora-online-repo | no | :x: |
| cryptpad-online-repo | no | :x: |
| intercom-service-repo | yes | :white_check_mark: |
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
@@ -430,6 +442,50 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| xwiki-repo | no | :x: |
## Monitoring
Together with
[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) into
you can monitor openDesk components with Prometheus and Grafana.
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
repository.
### Metrics
To deploy podMonitor and serviceMonitor custom resources, enable it by:
```yaml
prometheus:
serviceMonitors:
enabled: true
podMonitors:
enabled: true
```
### Alerts
Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
```yaml
prometheus:
prometheusRules:
enabled: true
```
### Dashboards for Grafana
To deploy optional ConfigMaps with Grafana dashboards, enable it by:
```yaml
grafana:
dashboards:
enabled: true
```
### Components
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|:------------|-----------------------------------|-------------------------|---------------------|
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
# Component integration
## Functional use cases
@@ -516,6 +572,7 @@ flowchart TD
J[Jitsi]-->K
I[IntercomService]-->K
C[Collabora]-->N
R[CryptPad]-->N
F[Postfix]-->D
```

1
helmfile.yaml
View File

@@ -20,6 +20,7 @@ helmfiles:
- path: "helmfile/apps/openproject/helmfile.yaml"
- path: "helmfile/apps/xwiki/helmfile.yaml"
- path: "helmfile/apps/provisioning/helmfile.yaml"
- path: "helmfile/apps/openproject-bootstrap/helmfile.yaml"
missingFileHandler: "Error"

30
helmfile/apps/collabora/values.gotmpl
View File

@@ -5,24 +5,24 @@ SPDX-License-Identifier: Apache-2.0
---
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
tag: "{{ .Values.images.collabora.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: {{ .Values.images.collabora.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: "{{ .Values.ingress.ingressClassName }}"
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "Prefix"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
@@ -33,9 +33,27 @@ collabora:
aliasgroups:
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
replicaCount: {{ .Values.replicas.collabora }}
resources:
{{ .Values.resources.collabora | toYaml | nindent 2 }}
prometheus:
servicemonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
rules:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
additionalLabels:
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
grafana:
dashboards:
enabled: {{ .Values.grafana.dashboards.enabled }}
labels:
{{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
annotations:
{{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
...

28
helmfile/apps/cryptpad/helmfile.yaml Normal file
View File

@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# CryptPad
# Source: https://github.com/cryptpad/helm
- name: "cryptpad-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://cryptpad.github.io/helm" }}
releases:
- name: "cryptpad"
chart: "cryptpad-online-repo/cryptpad"
version: "0.0.13"
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.cryptpad.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "cryptpad"
...

33
helmfile/apps/cryptpad/values.gotmpl Normal file
View File

@@ -0,0 +1,33 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
...

47
helmfile/apps/cryptpad/values.yaml Normal file
View File

@@ -0,0 +1,47 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
# Disable registration and access to unregistered users:
# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
application_config:
availablePadTypes:
- "diagram"
# Deactivating public access breaks nextcloud plugin!
# registeredOnlyTypes:
# - "diagram"
autoscaling:
enabled: false
enableEmbedding: true
fullnameOverride: "cryptpad"
persistence:
enabled: false
podSecurityContext:
fsGroup: 4001
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 4001
runAsGroup: 4001
serviceAccount:
create: true
workloadStateful: false
...

8
helmfile/apps/element/helmfile.yaml
View File

@@ -87,7 +87,7 @@ releases:
- name: "matrix-neoboard-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl"
@@ -96,7 +96,7 @@ releases:
- name: "matrix-neochoice-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl"
@@ -105,7 +105,7 @@ releases:
- name: "matrix-neodatefix-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl"
@@ -123,7 +123,7 @@ releases:
- name: "matrix-neodatefix-bot"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
version: "3.1.0"
version: "3.2.0"
values:
- "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl"

32
helmfile/apps/element/values-element.gotmpl
View File

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
@@ -17,12 +17,16 @@ configuration:
"net.nordeck.element_web.module.opendesk":
config:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
banner:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
custom_css_variables:
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
widget_types:
- jitsi
- net.nordeck
"net.nordeck.element_web.module.widget_lifecycle":
widget_permissions:
@@ -103,18 +107,18 @@ configuration:
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.element.repository }}"
tag: "{{ .Values.images.element.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.element.repository | quote }}
tag: {{ .Values.images.element.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

18
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}"
tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

18
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoChoiceWidget.repository }}"
tag: "{{ .Values.images.matrixNeoChoiceWidget.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

10
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -16,8 +16,8 @@ configuration:
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
...

22
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
View File

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
@@ -15,20 +15,20 @@ configuration:
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixBot.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixBot.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
size: "{{ .Values.persistence.size.matrixNeoDateFixBot }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}

18
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixNeoDateFixWidget.repository }}"
tag: "{{ .Values.images.matrixNeoDateFixWidget.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}

12
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -13,11 +13,11 @@ cleanup:
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration:
password: {{ .Values.secrets.matrixUserVerificationService.password }}
password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.synapseCreateUser.repository }}"
tag: "{{ .Values.images.synapseCreateUser.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
...

10
helmfile/apps/element/values-matrix-user-verification-service.gotmpl
View File

@@ -4,17 +4,17 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}

20
helmfile/apps/element/values-synapse-web.gotmpl
View File

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseWeb.repository }}"
tag: "{{ .Values.images.synapseWeb.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.synapseWeb.repository | quote }}
tag: {{ .Values.images.synapseWeb.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
replicaCount: {{ .Values.replicas.synapseWeb }}

42
helmfile/apps/element/values-synapse.gotmpl
View File

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapse.repository }}"
tag: "{{ .Values.images.synapse.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.synapse.repository | quote }}
tag: {{ .Values.images.synapse.tag | quote }}
configuration:
database:
host: "{{ .Values.databases.synapse.host }}"
name: "{{ .Values.databases.synapse.name }}"
user: "{{ .Values.databases.synapse.username }}"
host: {{ .Values.databases.synapse.host | quote }}
name: {{ .Values.databases.synapse.name | quote }}
user: {{ .Values.databases.synapse.username | quote }}
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
homeserver:
@@ -37,32 +37,32 @@ configuration:
sender_localpart: intercom-service
oidc:
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
turn:
sharedSecret: {{ .Values.turn.credentials }}
sharedSecret: {{ .Values.turn.credentials | quote }}
servers:
{{- if .Values.turn.tls.host }}
- server: {{ .Values.turn.tls.host }}
- server: {{ .Values.turn.tls.host | quote }}
port: {{ .Values.turn.tls.port }}
transport: {{ .Values.turn.transport }}
transport: {{ .Values.turn.transport | quote }}
{{- else if .Values.turn.server.host }}
- server: {{ .Values.turn.server.host }}
- server: {{ .Values.turn.server.host | quote }}
port: {{ .Values.turn.server.port }}
transport: {{ .Values.turn.transport }}
transport: {{ .Values.turn.transport | quote }}
{{- end }}
guestModule:
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.synapseGuestModule.repository }}"
tag: "{{ .Values.images.synapseGuestModule.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.synapseGuestModule.repository | quote }}
tag: {{ .Values.images.synapseGuestModule.tag | quote }}
persistence:
size: "{{ .Values.persistence.size.synapse }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.synapse | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
replicaCount: {{ .Values.replicas.synapse }}

3
helmfile/apps/element/values-synapse.yaml
View File

@@ -3,6 +3,9 @@
---
configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"

22
helmfile/apps/element/values-well-known.gotmpl
View File

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.wellKnown.repository }}"
tag: "{{ .Values.images.wellKnown.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.wellKnown.repository | quote }}
tag: {{ .Values.images.wellKnown.tag | quote }}
ingress:
host: "{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
host: {{ .Values.global.domain | quote }}
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
replicaCount: {{ .Values.replicas.wellKnown }}

2
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -19,7 +19,7 @@ repositories:
releases:
- name: "intercom-service"
chart: "intercom-service-repo/intercom-service"
version: "2.0.0"
version: "2.0.1"
values:
- "values.gotmpl"
installed: {{ .Values.intercom.enabled }}

32
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -4,46 +4,46 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
domain: "{{ .Values.global.domain }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ics:
secret: {{ .Values.secrets.intercom.secret }}
secret: {{ .Values.secrets.intercom.secret | quote }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
default:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
oidc:
secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
matrix:
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
subdomain: {{ .Values.global.hosts.synapse }}
subdomain: {{ .Values.global.hosts.synapse | quote }}
serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
nordeck:
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot }}
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
portal:
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
apiKey: {{ .Values.secrets.centralnavigation.apiKey | quote }}
redis:
host: {{ .Values.cache.intercomService.host }}
host: {{ .Values.cache.intercomService.host | quote }}
port: {{ .Values.cache.intercomService.port }}
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.intercom.repository }}"
tag: "{{ .Values.images.intercom.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.intercom.repository | quote }}
tag: {{ .Values.images.intercom.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
...

74
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
registry: "{{ .Values.global.imageRegistry }}"
domain: {{ .Values.global.domain | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
@@ -15,13 +15,13 @@ cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
settings:
jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
@@ -32,16 +32,16 @@ jitsi:
replicaCount: {{ .Values.replicas.jitsi }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
tag: "{{ .Values.images.jitsi.tag }}"
tag: {{ .Values.images.jitsi.tag | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
paths:
- "/"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
extraEnvs:
@@ -51,10 +51,10 @@ jitsi:
prosody:
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
tag: "{{ .Values.images.prosody.tag }}"
tag: {{ .Values.images.prosody.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
extraEnvs:
- name: "AUTH_TYPE"
@@ -62,74 +62,74 @@ jitsi:
- name: "JWT_APP_ID"
value: "myappid"
- name: "JWT_APP_SECRET"
value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"
value: "true"
- name: "MATRIX_UVS_URL"
value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
- name: TURNS_HOST
value: "{{ .Values.turn.tls.host }}"
value: {{ .Values.turn.tls.host | quote }}
- name: TURNS_PORT
value: "{{ .Values.turn.tls.port }}"
value: {{ .Values.turn.tls.port | quote }}
- name: TURN_HOST
value: "{{ .Values.turn.server.host }}"
value: {{ .Values.turn.server.host | quote }}
- name: TURN_PORT
value: "{{ .Values.turn.server.port }}"
value: {{ .Values.turn.server.port | quote }}
- name: TURN_TRANSPORT
value: "{{ .Values.turn.transport }}"
value: {{ .Values.turn.transport | quote }}
- name: TURN_CREDENTIALS
value: "{{ .Values.turn.credentials }}"
value: {{ .Values.turn.credentials | quote }}
resources:
{{ .Values.resources.prosody | toYaml | nindent 6 }}
persistence:
size: "{{ .Values.persistence.size.prosody }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
jicofo:
replicaCount: {{ .Values.replicas.jicofo }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
tag: "{{ .Values.images.jicofo.tag }}"
tag: {{ .Values.images.jicofo.tag | quote }}
xmpp:
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
jvb:
replicaCount: {{ .Values.replicas.jvb }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
tag: "{{ .Values.images.jvb.tag }}"
tag: {{ .Values.images.jvb.tag | quote }}
xmpp:
password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
resources:
{{ .Values.resources.jvb | toYaml | nindent 6 }}
service:
type: "{{ .Values.cluster.service.type }}"
type: {{ .Values.cluster.service.type | quote }}
jibri:
replicaCount: {{ .Values.replicas.jibri }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
tag: "{{ .Values.images.jibri.tag }}"
tag: {{ .Values.images.jibri.tag | quote }}
recorder:
password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
xmpp:
password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
patchJVB:
configuration:
staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
resources:

2
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -21,7 +21,7 @@ repositories:
releases:
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
version: "1.1.11"
version: "1.1.12"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"

12
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -4,10 +4,10 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -20,10 +20,10 @@ config:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakBootstrap.repository }}"
tag: "{{ .Values.images.keycloakBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

37
helmfile/apps/keycloak/values-extensions.gotmpl
View File

@@ -8,39 +8,38 @@ global:
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
postgresql:
connection:
host: "{{ .Values.databases.keycloakExtension.host }}"
port: "{{ .Values.databases.keycloakExtension.port }}"
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port }}
auth:
database: "{{ .Values.databases.keycloakExtension.name }}"
username: "{{ .Values.databases.keycloakExtension.username }}"
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
handler:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
appConfig:
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: "{{ .Values.smtp.host }}"
smtpUsername: "{{ .Values.smtp.username }}"
smtpHost: {{ .Values.smtp.host | quote }}
smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}"
resources:
{{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
proxy:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
enabled: "{{ .Values.ingress.enabled }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
...

36
helmfile/apps/keycloak/values-keycloak.gotmpl
View File

@@ -4,22 +4,22 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.keycloak.repository }}"
tag: "{{ .Values.images.keycloak.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloak.repository | quote }}
tag: {{ .Values.images.keycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
externalDatabase:
host: "{{ .Values.databases.keycloak.host }}"
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: "{{ .Values.databases.keycloak.username }}"
database: "{{ .Values.databases.keycloak.name }}"
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
auth:
@@ -34,7 +34,7 @@ keycloakConfigCli:
- name: "LDAP_USERS_DN"
value: "cn=users,dc=swp-ldap,dc=internal"
- name: "LDAP_SERVER_URL"
value: "univention-corporate-container"
value: {{ .Values.ldap.host | quote }}
- name: "IDENTIFIER"
value: "souvap"
- name: "THEME"
@@ -62,23 +62,23 @@ keycloakConfigCli:
- name: "INTERCOM_SERVICE_DOMAIN"
value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
- name: "CLIENT_SECRET_INTERCOM_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
- name: "CLIENT_SECRET_MATRIX_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
- name: "CLIENT_SECRET_JITSI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
- name: "CLIENT_SECRET_NCOIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
- name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.openproject }}
value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
- name: "CLIENT_SECRET_XWIKI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.xwiki }}
value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
- name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
value: "storage_provider_ucsldap"
- name: "LDAPSEARCH_PASSWORD"
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:

2
helmfile/apps/keycloak/values-theme.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}

37
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -4,11 +4,11 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
istioDomain: "{{ .Values.istio.domain }}"
domain: {{ .Values.global.domain | quote }}
istioDomain: {{ .Values.istio.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -30,18 +30,19 @@ config:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
database:
host: "{{ .Values.databases.nextcloud.host }}"
name: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: {{ .Values.databases.nextcloud.host | quote }}
name: {{ .Values.databases.nextcloud.name | quote }}
user: {{ .Values.databases.nextcloud.username | quote }}
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
ldapSearch:
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
smtp:
host: "{{ .Values.smtp.host }}"
username: "{{ .Values.smtp.username }}"
password: "{{ .Values.smtp.password }}"
host: {{ .Values.smtp.host | quote }}
username: {{ .Values.smtp.username | quote }}
password: {{ .Values.smtp.password | quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -49,24 +50,24 @@ cleanup:
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
image:
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.nextcloud.repository }}"
tag: "{{ .Values.images.nextcloud.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.nextcloud.repository | quote }}
tag: {{ .Values.images.nextcloud.tag | quote }}
persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
accessModes:
- "ReadWriteMany"
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
{{- else }}
accessModes:
- "ReadWriteOnce"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
{{- end }}
size:
main: "{{ .Values.persistence.size.nextcloud.main }}"
data: "{{ .Values.persistence.size.nextcloud.data }}"
main: {{ .Values.persistence.size.nextcloud.main | quote }}
data: {{ .Values.persistence.size.nextcloud.data | quote }}
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}

4
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -11,6 +11,6 @@ config:
userOidc:
username: "ncoidc"
ldapSearch:
host: "univention-corporate-container"
cryptpad:
enabled: true
...

16
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -8,9 +8,9 @@ nextcloud:
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
externalDatabase:
database: "{{ .Values.databases.nextcloud.name }}"
user: "{{ .Values.databases.nextcloud.username }}"
host: "{{ .Values.databases.nextcloud.host }}"
database: {{ .Values.databases.nextcloud.name | quote }}
user: {{ .Values.databases.nextcloud.username | quote }}
host: {{ .Values.databases.nextcloud.host | quote }}
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
extraEnv:
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
@@ -22,20 +22,20 @@ redis:
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
className: {{ .Values.ingress.ingressClassName | quote }}
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.nextcloud.tag }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloud.tag | quote }}
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
metrics:
token: "{{ .Values.secrets.nextcloud.metricsToken }}"
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.nextcloud }}

4
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -35,7 +35,7 @@ repositories:
releases:
- name: "dovecot"
chart: "opendesk-dovecot-repo/dovecot"
version: "1.3.1"
version: "1.3.4"
values:
- "values-dovecot.yaml"
- "values-dovecot.gotmpl"
@@ -44,7 +44,7 @@ releases:
- name: "open-xchange"
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
version: "2.0.4"
version: "2.1.1"
values:
- "values-openxchange.yaml"
- "values-openxchange.gotmpl"

25
helmfile/apps/open-xchange/values-dovecot.gotmpl
View File

@@ -4,30 +4,31 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.dovecot.repository }}"
tag: "{{ .Values.images.dovecot.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.dovecot.repository | quote }}
tag: {{ .Values.images.dovecot.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
dovecot:
mailDomain: "{{ .Values.global.domain }}"
mailDomain: {{ .Values.global.domain | quote }}
password: {{ .Values.secrets.dovecot.doveadm | quote }}
ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
oidc:
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
clientID: "as8oidc"
loginTrustedNetworks: "{{ .Values.cluster.networking.cidr }}"
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
certificate:
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.dovecot }}
@@ -37,15 +38,15 @@ replicaCount: 1
persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
accessModes:
- "ReadWriteMany"
{{- else }}
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
accessModes:
- "ReadWriteOnce"
{{- end }}
size: "{{ .Values.persistence.size.dovecot }}"
size: {{ .Values.persistence.size.dovecot | quote }}
resources:
{{ .Values.resources.dovecot | toYaml | nindent 2 }}

1
helmfile/apps/open-xchange/values-dovecot.yaml
View File

@@ -7,7 +7,6 @@ containerSecurityContext:
dovecot:
ldap:
enabled: true
host: "univention-corporate-container"
port: 389
base: "dc=swp-ldap,dc=internal"

10
helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
View File

@@ -8,13 +8,13 @@ cleanup:
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
image:
registry: "{{ .Values.global.imageRegistry }}"
url: "{{ .Values.images.openxchangeBootstrap.repository }}"
tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
...

4
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
View File

@@ -8,6 +8,10 @@ appsuite:
secretYAMLFiles:
ldap-client-config.yml:
contactsLdapClient:
pool:
host:
address: {{ .Values.ldap.host | quote }}
port: 389
auth:
adminDN:
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}

55
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
View File

@@ -6,7 +6,7 @@ appsuite:
properties:
# Enterprise contact picker
com.openexchange.contacts.ldap.accounts: "opendesk"
com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
com.openexchange.admin.bypassAccessCombinationChecks: "true"
ENABLE_INTERNAL_USER_EDIT: "false"
@@ -16,9 +16,6 @@ appsuite:
contactsLdapClient:
pool:
type: "simple"
host:
address: "univention-corporate-container"
port: 389
auth:
type: "adminDN"
adminDN:
@@ -153,7 +150,7 @@ appsuite:
# allows to sort the attributes lexicographically, either "ascending" or "descending".
dynamicAttributes:
attributeName: "o"
contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
contactSearchScope: "sub"
# refreshInterval: 1h
refreshInterval: "5m"
@@ -174,6 +171,48 @@ appsuite:
- "Management"
- "Human Resources"
other:
name: "Other contacts"
ldapClientId: "contactsLdapClient"
mappings: "ucs"
folders:
mode: "static"
usedForSync:
protected: true
defaultValue: false
usedInPicker:
protected: false
defaultValue: true
shownInTree:
protected: false
defaultValue: true
static:
commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
folders:
- name: "Ohne Organisation"
contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
functional:
name: "Functional mailboxes"
ldapClientId: "contactsLdapClient"
mappings: "functional"
folders:
mode: "static"
usedForSync:
protected: true
defaultValue: false
usedInPicker:
protected: false
defaultValue: true
shownInTree:
protected: false
defaultValue: true
static:
commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
folders:
- name: "Funktionale Postfächer"
contactFilter: "(univentionObjectType=oxmail/functional_account)"
contacts-provider-ldap-mappings.yml:
# Example definitions of contact property <-> LDAP attribute mappings.
#
@@ -347,3 +386,9 @@ appsuite:
# image_last_modified :
# Will be set automatically to "image/jpeg" if not defined.
# image1_content_type :
functional:
objectid: "mailPrimaryAddress"
displayname: "oxPersonal,cn,mailPrimaryAddress"
file_as: "oxPersonal,cn,mailPrimaryAddress"
email1: "mailPrimaryAddress"

117
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -4,13 +4,13 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
mysql:
host: "{{ .Values.databases.oxAppsuite.host }}"
database: "{{ .Values.databases.oxAppsuite.name }}"
host: {{ .Values.databases.oxAppsuite.host | quote }}
database: {{ .Values.databases.oxAppsuite.name | quote }}
auth:
user: "{{ .Values.databases.oxAppsuite.username }}"
user: {{ .Values.databases.oxAppsuite.username | quote }}
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
@@ -19,22 +19,22 @@ istio:
nextcloud-integration-ui:
image:
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository }}
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag }}
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
public-sector-ui:
image:
repository: {{ .Values.images.openxchangePublicSectorUI.repository }}
tag: {{ .Values.images.openxchangePublicSectorUI.tag }}
repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
appsuite:
istio:
@@ -56,12 +56,12 @@ appsuite:
gotenberg:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
tag: {{ .Values.images.openxchangeGotenberg.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -83,19 +83,20 @@ appsuite:
propertiesFiles:
"/opt/open-xchange/etc/ldapauth.properties":
bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Dynamic theme
io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
secretETCFiles:
# Format of the OX Guard master key:
# MC+base64(20 random bytes)
@@ -103,28 +104,31 @@ appsuite:
oxguardpass: |
{{ .Values.secrets.oxAppsuite.oxguardMC }}
{{ .Values.secrets.oxAppsuite.oxguardRC }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
tag: {{ .Values.images.openxchangeCoreMW.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
update:
image:
repository: {{ .Values.images.openxchangeCoreMW.repository }}
tag: {{ .Values.images.openxchangeCoreMW.tag }}
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
core-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.images.openxchangeCoreUI.repository }}
tag: {{ .Values.images.openxchangeCoreUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
core-ui-middleware:
ingress:
@@ -133,40 +137,55 @@ appsuite:
enabled: false
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
core-documentconverter:
image:
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
resources:
{{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
core-guidedtours:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
core-imageconverter:
image:
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
guard-ui:
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
image:
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
tag: {{ .Values.images.openxchangeGuardUI.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
core-user-guide:
image:
repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
...

48
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -6,6 +6,9 @@ appsuite:
ingressGateway:
name: "opendesk-gateway-istio-gateway"
switchboard:
enabled: false
core-mw:
enabled: true
masterAdmin: "admin"
@@ -63,6 +66,8 @@ appsuite:
com.openexchange.mail.filter.credentialSource: "mail"
com.openexchange.mail.filter.server: "dovecot"
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
# Dovecot
com.openexchange.imap.attachmentMarker.enabled: "true"
# Capabilities
# Old capability can be used to toggle all integrations with a single switch
com.openexchange.capability.public-sector: "true"
@@ -78,6 +83,7 @@ appsuite:
com.openexchange.capability.smime: "true"
com.openexchange.capability.share_links: "false"
com.openexchange.capability.invite_guests: "false"
com.openexchange.capability.document_preview: "true"
# Secondary Accounts
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -89,6 +95,8 @@ appsuite:
com.openexchange.gdpr.dataexport.enabled: "false"
com.openexchange.gdpr.dataexport.active: "false"
# Guard
com.openexchange.guard.storage.file.fileStorageType: "file"
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
com.openexchange.guard.guestSMTPServer: "postfix"
# S/MIME
# Usage (in browser console after login):
@@ -103,7 +111,6 @@ appsuite:
/opt/open-xchange/etc/system.properties:
SERVER_NAME: "oxserver"
/opt/open-xchange/etc/ldapauth.properties:
java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
bindOnly: "false"
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
@@ -139,10 +146,31 @@ appsuite:
oidcLogin: true
oidcPath: "/oidc"
redis:
enabled: true
mode: "standalone"
hosts:
- "redis-master"
hooks:
beforeAppsuiteStart:
create-guard-dir.sh: |
mkdir -p /opt/open-xchange/guard-files
chown open-xchange:open-xchange /opt/open-xchange/guard-files
core-ui:
enabled: true
core-ui-middleware:
enabled: true
overrides: {}
redis:
mode: "standalone"
hosts:
- "redis-master:6379"
auth:
enabled: true
core-guidedtours:
enabled: true
guard-ui:
@@ -151,12 +179,26 @@ appsuite:
enabled: false
core-user-guide:
enabled: true
core-imageconverter:
enabled: false
enabled: true
objectCache:
s3ObjectStores:
- id: -1
endpoint: "."
accessKey: "."
secretKey: "."
core-spellcheck:
enabled: false
core-documentconverter:
enabled: false
enabled: true
documentConverter:
cache:
remoteCache:
enabled: false
core-documents-collaboration:
enabled: false
office-web:

36
helmfile/apps/openproject-bootstrap/helmfile.yaml Normal file
View File

@@ -0,0 +1,36 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk OpenProject Bootstrap
# Source: Set when repo is managed on Open CoDE
- name: "opendesk-openproject-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "opendesk-openproject-bootstrap"
chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
version: "1.2.1"
wait: true
waitForJobs: true
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.openproject.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-2"
component: "opendesk-openproject-bootstrap"
...

34
helmfile/apps/openproject-bootstrap/values.gotmpl Normal file
View File

@@ -0,0 +1,34 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.openprojectBootstrap.repository }}"
tag: "{{ .Values.images.openprojectBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
openproject:
fileshareName: "Nextcloud at {{ .Values.global.domain }}"
admin:
username: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
password: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
nextcloud:
admin:
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
...

25
helmfile/apps/openproject-bootstrap/values.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
...

2
helmfile/apps/openproject/helmfile.yaml
View File

@@ -16,7 +16,7 @@ repositories:
releases:
- name: "openproject"
chart: "openproject-repo/openproject"
version: "2.0.4"
version: "2.4.0"
wait: true
waitForJobs: true
values:

64
helmfile/apps/openproject/values.gotmpl
View File

@@ -8,34 +8,41 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.openproject.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.openproject.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.openproject.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.openproject.tag | quote }}
initdb:
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.openprojectInitDb.repository }}"
tag: "{{ .Values.images.openprojectInitDb.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
memcached:
connection:
host: "{{ .Values.cache.openproject.host }}"
host: {{ .Values.cache.openproject.host | quote }}
port: {{ .Values.cache.openproject.port }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.memcached.repository | quote }}
tag: {{ .Values.images.memcached.tag | quote }}
postgresql:
auth:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
username: "{{ .Values.databases.openproject.username }}"
database: "{{ .Values.databases.openproject.name }}"
username: {{ .Values.databases.openproject.username | quote }}
database: {{ .Values.databases.openproject.name | quote }}
connection:
host: "{{ .Values.databases.openproject.host }}"
port: "{{ .Values.databases.openproject.port }}"
host: {{ .Values.databases.openproject.host | quote }}
port: {{ .Values.databases.openproject.port }}
openproject:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
# Will only be set on initial seed / installation
admin_user:
name: "OpenProject Interal Admin"
name: "OpenProject Internal Admin"
mail: "openproject-admin@swp-domain.internal"
password_reset: "false"
password: {{ .Values.secrets.openproject.adminPassword | quote }}
@@ -43,36 +50,39 @@ openproject:
ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
OPENPROJECT_SMTP__SSL: "false" # (default=false)
OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
persistence:
size: "{{ .Values.persistence.size.openproject }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
replicaCount: {{ .Values.replicas.openproject }}
resources:
{{ .Values.resources.openproject | toYaml | nindent 2 }}
...

16
helmfile/apps/openproject/values.yaml
View File

@@ -37,8 +37,10 @@ securityContext:
readOnlyRootFilesystem: false
persistence:
accessModes:
- "ReadWriteMany"
enabled: false
s3:
enabled: true
# For more details and more options see
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -55,9 +57,6 @@ environment:
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
@@ -74,5 +73,10 @@ environment:
"(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
OPENPROJECT_FOG_DIRECTORY: "openproject"
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
...

16
helmfile/apps/provisioning/values-oxconnector.gotmpl
View File

@@ -4,21 +4,23 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.oxConnector.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.oxConnector.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.oxConnector.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.oxConnector.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
oxConnector:
domainName: "{{ .Values.global.domain }}"
domainName: {{ .Values.global.domain | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}

2
helmfile/apps/provisioning/values-oxconnector.yaml
View File

@@ -5,11 +5,9 @@ ingress:
enabled: false
oxConnector:
ldapHost: "univention-corporate-container"
# ldapHostIp: ""
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
notifierServer: "univention-corporate-container"
tlsMode: "off"
# current static password for UCC
ldapPassword: "ucctempldapstring"

13
helmfile/apps/services/helmfile.yaml
View File

@@ -95,7 +95,7 @@ releases:
installed: {{ .Values.memcached.enabled }}
- name: "postgresql"
chart: "postgresql-repo/postgresql"
version: "2.0.2"
version: "2.0.3"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
@@ -103,7 +103,7 @@ releases:
timeout: 900
- name: "mariadb"
chart: "mariadb-repo/mariadb"
version: "2.0.2"
version: "2.1.1"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
@@ -111,7 +111,7 @@ releases:
timeout: 900
- name: "postfix"
chart: "postfix-repo/postfix"
version: "2.0.3"
version: "2.0.4"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
@@ -137,6 +137,13 @@ releases:
- "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl"
installed: {{ .Values.istio.enabled }}
- name: "minio"
chart: "bitnami-repo/minio"
version: "12.8.19"
values:
- "values-minio.yaml"
- "values-minio.gotmpl"
installed: {{ .Values.minio.enabled }}
commonLabels:
deploy-stage: "services"

8
helmfile/apps/services/values-certificates.gotmpl
View File

@@ -4,19 +4,19 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
issuerRef:
name: "{{ .Values.certificate.issuerRef.name }}"
name: {{ .Values.certificate.issuerRef.name | quote }}
{{- if .Values.istio.enabled }}
istio:
enabled: {{ .Values.istio.enabled }}
domain: {{ .Values.istio.domain }}
domain: {{ .Values.istio.domain | quote }}
issuerRef:
name: "{{ .Values.istio.issuerRef.name }}"
name: {{ .Values.istio.issuerRef.name | quote }}
{{- end }}
cleanup:

36
helmfile/apps/services/values-clamav-distributed.gotmpl
View File

@@ -7,10 +7,10 @@ clamd:
podSecurityContext:
replicaCount: {{ .Values.replicas.clamd }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
@@ -18,10 +18,10 @@ freshclam:
podSecurityContext:
replicaCount: {{ .Values.replicas.freshclam }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.freshclam.repository }}"
tag: "{{ .Values.images.freshclam.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.freshclam.repository | quote }}
tag: {{ .Values.images.freshclam.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -32,10 +32,10 @@ global:
icap:
replicaCount: {{ .Values.replicas.icap }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.icap | toYaml | nindent 4 }}
@@ -43,14 +43,14 @@ milter:
podSecurityContext:
replicaCount: {{ .Values.replicas.milter }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.milter.repository }}"
tag: "{{ .Values.images.milter.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.milter.repository | quote }}
tag: {{ .Values.images.milter.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.milter | toYaml | nindent 4 }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
size: "{{ .Values.persistence.size.clamav }}"
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
size: {{ .Values.persistence.size.clamav | quote }}
...

20
helmfile/apps/services/values-clamav-simple.gotmpl
View File

@@ -7,15 +7,15 @@ replicaCount: {{ .Values.replicas.clamav }}
image:
clamav:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.clamd.repository }}"
tag: "{{ .Values.images.clamd.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
icap:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.icap.repository }}"
tag: "{{ .Values.images.icap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
@@ -25,6 +25,6 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.clamav }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.clamav | quote }}
...

4
helmfile/apps/services/values-istio-gateway.gotmpl
View File

@@ -4,9 +4,9 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.istio.domain }}"
domain: {{ .Values.istio.domain | quote }}
hosts:
openxchange: "{{ .Values.global.hosts.openxchange }}"
openxchange: {{ .Values.global.hosts.openxchange | quote }}
tls:
secretName: "{{ .Values.istio.domain }}-tls"

12
helmfile/apps/services/values-mariadb.gotmpl
View File

@@ -4,14 +4,14 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
repository: "{{ .Values.images.mariadb.repository }}"
tag: "{{ .Values.images.mariadb.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
# Please refer to `databases.yaml` for details.
@@ -35,8 +35,8 @@ mariadb:
rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.mariadb }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.mariadb | quote }}
resources:
{{ .Values.resources.mariadb | toYaml | nindent 2 }}

10
helmfile/apps/services/values-memcached.gotmpl
View File

@@ -4,15 +4,15 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.memcached.repository }}"
tag: "{{ .Values.images.memcached.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.memcached.repository | quote }}
tag: {{ .Values.images.memcached.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }}

80
helmfile/apps/services/values-minio.gotmpl Normal file
View File

@@ -0,0 +1,80 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.minio.repository }}"
tag: "{{ .Values.images.minio.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
auth:
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
statefulset:
replicaCount: {{ .Values.replicas.minioDistributed }}
resources:
{{ .Values.resources.minio | toYaml | nindent 2 }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
apiIngress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
metrics:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.minio }}"
provisioning:
users:
- username: "openproject_user"
password: {{ .Values.secrets.minio.openprojectUser | quote }}
disabled: false
policies:
- "openproject-bucket-policy"
setPolicies: true
- username: "openxchange_user"
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
disabled: false
policies:
- "openxchange-bucket-policy"
setPolicies: true
- username: "ums_user"
password: {{ .Values.secrets.minio.umsUser | quote }}
disabled: false
policies:
- "ums-bucket-policy"
setPolicies: true
- username: "nextcloud_user"
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
disabled: false
policies:
- "nextcloud-bucket-policy"
setPolicies: true
...

114
helmfile/apps/services/values-minio.yaml Normal file
View File

@@ -0,0 +1,114 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
mode: "standalone"
podSecurityContext:
enabled: true
fsGroup: 1000
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
runAsUser: 1000
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
ingress:
annotations:
nginx.org/websocket-services: "minio"
networkPolicy:
enabled: false
defaultBuckets: "openproject,openxchange,ums,nextcloud"
provisioning:
enabled: true
cleanupAfterFinished:
enabled: true
buckets:
- name: "openproject"
versioning: true
withLock: false
- name: "openxchange"
versioning: true
withLock: false
- name: "ums"
versioning: true
withLock: false
- name: "nextcloud"
versioning: true
withLock: false
policies:
- name: "openproject-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::openproject"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::openproject/*"
effect: "Allow"
actions:
- "s3:*"
- name: "openxchange-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::openxchange"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::openxchange/*"
effect: "Allow"
actions:
- "s3:*"
- name: "ums-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::ums"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::ums/*"
effect: "Allow"
actions:
- "s3:*"
- name: "nextcloud-bucket-policy"
statements:
- resources:
- "arn:aws:s3:::nextcloud"
effect: "Allow"
actions:
- "s3:*"
- resources:
- "arn:aws:s3:::nextcloud/*"
effect: "Allow"
actions:
- "s3:*"
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
startupProbe:
enabled: true
periodSeconds: 10
timeoutSeconds: 10
...

26
helmfile/apps/services/values-postfix.gotmpl
View File

@@ -4,28 +4,28 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: {{ .Values.global.imageRegistry }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.postfix.repository }}"
tag: "{{ .Values.images.postfix.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.postfix.repository | quote }}
tag: {{ .Values.images.postfix.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
certificate:
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
postfix:
domain: "{{ .Values.global.domain }}"
virtualMailboxDomains: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
virtualMailboxDomains: {{ .Values.global.domain | quote }}
overrides:
- fileName: "sasl_passwd.map"
content:
- "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
relayHost: "[{{ .Values.smtp.host }}]:587"
relayNets: {{ .Values.cluster.networking.cidr }}
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}}
virtualTransport: "lmtps:dovecot:24"
smtpdSASLPath: "inet:dovecot:3659"
{{- if .Values.clamavDistributed.enabled }}
@@ -35,8 +35,8 @@ postfix:
{{- end }}
persistence:
size: "{{ .Values.persistence.size.postfix }}"
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
replicaCount: {{ .Values.replicas.postfix }}

12
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -4,14 +4,14 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
registry: {{ .Values.global.imageRegistry }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
repository: "{{ .Values.images.postgresql.repository }}"
tag: "{{ .Values.images.postgresql.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: {{ .Values.images.postgresql.repository | quote }}
tag: {{ .Values.images.postgresql.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
job:
users:
@@ -39,8 +39,8 @@ job:
user: "notificationsapi_user"
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.postgresql }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.postgresql | quote }}
postgres:
password: {{ .Values.secrets.postgresql.postgresUser | quote }}

14
helmfile/apps/services/values-redis.gotmpl
View File

@@ -7,20 +7,20 @@ auth:
password: {{ .Values.secrets.redis.password | quote }}
global:
imageRegistry: "{{ .Values.global.imageRegistry }}"
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.redis.repository }}"
tag: "{{ .Values.images.redis.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.redis.repository | quote }}
tag: {{ .Values.images.redis.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
master:
persistence:
size: "{{ .Values.persistence.size.redis }}"
size: {{ .Values.persistence.size.redis | quote }}
resources:
{{ .Values.resources.redis | toYaml | nindent 4 }}

24
helmfile/apps/univention-corporate-container/values.gotmpl
View File

@@ -4,36 +4,36 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
repository: "{{ .Values.images.univentionCorporateServer.repository }}"
tag: "{{ .Values.images.univentionCorporateServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionCorporateServer }}"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
extraEnvVars:
- name: ISTIO_DOMAIN
value: {{ .Values.istio.domain }}
value: {{ .Values.istio.domain | quote }}
- name: CENTRALNAVIGATION_API_SECRET
value: {{ .Values.secrets.centralnavigation.apiKey }}
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD

52
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -11,11 +11,29 @@ repositories:
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
# TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
# {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
- name: "ums-stack-gateway"
chart: "bitnami-repo/nginx"
version: "15.3.5"
values:
- "values-ums-stack-gateway.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
# {{- end }}
- name: "ums-store-dav"
chart: "ums-repo/store-dav"
version: "0.2.0"
version: "0.5.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -23,7 +41,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server"
chart: "ums-repo/ldap-server"
version: "0.1.0"
version: "0.4.1"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -31,7 +49,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier"
chart: "ums-repo/ldap-notifier"
version: "0.1.0"
version: "0.4.1"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -40,7 +58,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api"
chart: "ums-repo/udm-rest-api"
version: "0.1.0"
version: "0.3.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -48,7 +66,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums"
chart: "ums-repo/stack-data-ums"
version: "0.1.0"
version: "0.15.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -56,7 +74,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp"
chart: "ums-repo/stack-data-swp"
version: "0.1.0"
version: "0.15.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -64,7 +82,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server"
chart: "ums-repo/portal-server"
version: "0.1.0"
version: "0.3.4"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -72,7 +90,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api"
chart: "ums-repo/notifications-api"
version: "0.1.0"
version: "0.3.4"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -81,7 +99,7 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener"
chart: "ums-repo/portal-listener"
version: "0.1.0"
version: "0.3.4"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -90,28 +108,36 @@ releases:
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend"
chart: "ums-repo/portal-frontend"
version: "0.1.0"
version: "0.3.4"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend-custom"
# TODO: Replace with our own Nginx chart.
chart: "bitnami-repo/nginx"
version: "15.3.5"
values:
- "values-portal-frontend-custom.yaml"
- "values-portal-frontend-custom.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway"
chart: "ums-repo/umc-gateway"
version: "0.1.0"
version: "0.3.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server"
chart: "ums-repo/umc-server"
version: "0.1.0"
version: "0.3.2"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-server.gotmpl"
- "values-umc-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:

6
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -3,12 +3,12 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
enabled: {{ .Values.ingress.enabled }}
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
...

4
helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -1,6 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
configMapUcrDefaults: "ums-stack-data-ums-ucr"
configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null
istio:
enabled: false

12
helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
View File

@@ -3,18 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapNotifier.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapNotifier.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
...

34
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
ldapServer:
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: Certificates handling
@@ -14,30 +14,34 @@ ldapServer:
# dhParam: ""
tlsMode: "off"
# TODO: SAML integration
# samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
# samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
# serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
samlMetadataUrlInternal: null
serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsLdapServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsLdapServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
# TODO: Pending upstream support, #199
persistence:
data:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}

10
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
View File

@@ -14,13 +14,13 @@ postgresql:
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsNotificationsApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsNotificationsApi.tag }}"
registry: {{ .Values.global.imageRegistry }}
repository: {{ .Values.images.umsNotificationsApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsNotificationsApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

53
helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl Normal file
View File

@@ -0,0 +1,53 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: true
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "nginx"
annotations:
nginx.org/mergeable-ingress-type: "minion"
tls: false
pathType: Exact
path: /favicon.ico
extraPaths:
- pathType: Exact
path: /univention/portal/css/custom.css
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo_small_border.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.png
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
...

33
helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml Normal file
View File

@@ -0,0 +1,33 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
type: "ClusterIP"
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/app/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
...

17
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
View File

@@ -3,29 +3,28 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalFrontend.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalFrontend.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
extraIngresses:
redirects:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
enabled: {{ .Values.ingress.enabled }}
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: "{{ .Values.ingress.tls.secretName }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
...

27
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
View File

@@ -13,10 +13,10 @@ portalListener:
umcSessionUrl: "http://ums-umc-server/get/session-info"
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapHost: "{{ .Values.ldap.host }}"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: "ums-ldap-notifier"
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
udmApiUrl: "http://ums-udm-rest-api/udm/"
@@ -25,30 +25,29 @@ portalListener:
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalListener.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalListener.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsPortalListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #200
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
...

12
helmfile/apps/univention-management-stack/values-portal-server.gotmpl
View File

@@ -7,20 +7,20 @@ portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
authMode: "saml"
environment: "staging"
editable: "true"
editable: "false"
logLevel: "DEBUG"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsPortalServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsPortalServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsPortalServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

31
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
View File

@@ -4,33 +4,40 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataSwp:
udmApiUsername: "cn=admin"
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
ldapSearchUsers:
{{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $k | quote }}
password: {{ $v | quote }}
lastname: {{ "LDAP-Search-User" }}
{{- end }}
externalDomainName: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
oxDefaultContext: "10"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

26
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
View File

@@ -10,20 +10,34 @@ stackDataUms:
loadDevData: true
stackDataContext:
domainname: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ldapHost: "{{ .Values.ldap.host }}"
ldapBase: "dc=swp-ldap,dc=internal"
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
samlMetadataUrlInternal: null
samlSpServer: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
samlSchemes: "https"
ssoFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsDataLoader.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsDataLoader.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

28
helmfile/apps/univention-management-stack/values-store-dav.gotmpl
View File

@@ -6,33 +6,33 @@ SPDX-License-Identifier: Apache-2.0
storeDav:
auth:
basicAuth:
portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsStoreDav.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsStoreDav.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsStoreDav.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsStoreDav.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
configHtpasswd:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
pullPolicy: "Always"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
# TODO: Pending upstream support, #201
persistence:
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}

27
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
View File

@@ -4,41 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
udmRestApi:
apiLogLevel: "4"
authGroups:
dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
ldapHost: "ums-ldap-server"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
# TODO: Secret should be entered without b64enc
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
# TODO: why do we need this many subprocesses?
numberOfSubprocesses: 8
# TODO: Stub value currently
caCert: ""
# TODO: This should not be part of the udm-rest-api anymore
loadJoinData:
enabled: true
# TODO: configurable
tlsMode: "off"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUdmRestApi.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUdmRestApi.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
...

24
helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
View File

@@ -4,18 +4,26 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
umcGateway:
domainname: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ssoFqdn: "localhost:8097"
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUmcGateway.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUmcGateway.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcGateway.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

18
helmfile/apps/univention-management-stack/values-umc-gateway.yaml
View File

@@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
umcGateway:
showCookieBanner: true
cookieBannerTitleDE: "Cookie Zustimmung"
cookieBannerTitleEN: "Cookie Consent"
cookieBannerTextDE: >-
Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
Seite.
cookieBannerTextEN: >-
Usage of this site is only possible by storing and processing cookie
information (essential cookies). We require your consent. Please accept to
continue or close the page.
...

32
helmfile/apps/univention-management-stack/values-umc-server.gotmpl
View File

@@ -4,37 +4,19 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
umcServer:
domainname: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ldapHost: "ums-ldap-server"
ldapBaseDn: "dc=swp-ldap,dc=internal"
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
enforceSessionCookie: "true"
# TODO: The keycloak integration is pending
samlEnabled: false
samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
samlSpServer: "localhost:8000"
samlSchemes: "http"
tlsMode: "off"
# TODO: Secret should be entered without b64enc
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsUmcServer.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: "{{ .Values.images.umsUmcServer.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
- name: {{ . | quote }}
{{- end }}
resources:

17
helmfile/apps/univention-management-stack/values-umc-server.yaml Normal file
View File

@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"
privateKeyFile: "/var/secrets/ssl/tls.key"
extraVolumes:
- name: "certificates"
secret:
secretName: "opendesk-certificates-tls"
extraVolumeMounts:
- name: "certificates"
mountPath: "/var/secrets/ssl"
...

173
helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl Normal file
View File

@@ -0,0 +1,173 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: true
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls: false
extraTls:
- hosts:
- "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
service:
type: "ClusterIP"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
## portal-frontend
# The frontend does not own "/univention/portal", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
proxy_set_header X-Forwarded-Host $host;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
}

44
helmfile/apps/xwiki/values.gotmpl
View File

@@ -5,50 +5,50 @@ SPDX-License-Identifier: Apache-2.0
---
image:
name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
tag: "{{ .Values.images.xwiki.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: {{ .Values.images.xwiki.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
externalDB:
password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
database: "{{ .Values.databases.xwiki.name }}"
user: "{{ .Values.databases.xwiki.username }}"
host: "{{ .Values.databases.xwiki.host }}"
database: {{ .Values.databases.xwiki.name | quote }}
user: {{ .Values.databases.xwiki.username | quote }}
host: {{ .Values.databases.xwiki.host | quote }}
customConfigs:
"xwiki.cfg":
"xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
"xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
## LDAP Server configuration
# "xwiki.authentication.ldap.server": "univention-corporate-container"
# xwiki.authentication.ldap.port: 389
xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
xwiki.authentication.ldap.port: 389
## Authentication to the LDAP server
# xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
# xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
## Base DN used for searching for users
# xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
"xwiki.properties":
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
"oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
"oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo"
"oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
"oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki }}
"oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
"url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
"workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
"workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
"workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
"workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
properties:
"attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": {{ .Values.theme.colors.primary | quote }}
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": {{ .Values.theme.colors.white | quote }}
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
## Link LDAP users and users authenticated through OIDC
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
ingress:
enabled: {{ .Values.ingress.enabled }}
className: "{{ .Values.ingress.ingressClassName }}"
className: {{ .Values.ingress.ingressClassName | quote }}
annotations:
haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
hosts:
@@ -57,13 +57,13 @@ ingress:
- path: /
pathType: "ImplementationSpecific"
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
persistence:
size: "{{ .Values.persistence.size.xwiki }}"
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: {{ .Values.persistence.size.xwiki | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
replicaCount: {{ .Values.replicas.xwiki }}

28
helmfile/apps/xwiki/values.yaml
View File

@@ -8,7 +8,7 @@ customConfigs:
xwiki.cfg:
xwiki.url.protocol: "https"
## Indicate the LDAP field defining the user UID
# xwiki.authentication.ldap.UID_attr: "uid"
xwiki.authentication.ldap.UID_attr: "uid"
## Indicate the LDAP field defining the user profile picture
# xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
## Enable the synchronization of the LDAP profile picture
@@ -17,8 +17,8 @@ customConfigs:
xwiki.properties:
oidc.scope: "openid,profile,email,address,phoenix"
oidc.endpoint.userinfo.method: "GET"
oidc.user.nameFormater: "${oidc.user.phoenixusername._lowerCase}"
oidc.user.subjectFormater: "${oidc.user.subject}"
oidc.user.nameFormater: "${oidc.user.phoenixusername._clean._lowerCase}"
oidc.user.subjectFormater: "${oidc.user.phoenixusername._lowerCase}"
# yamllint disable-line rule:line-length
oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
oidc.clientid: "xwiki"
@@ -67,21 +67,21 @@ properties:
"property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
## Fields to search in when importing users from the administration UI (not completely in scope for now)
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
# "sn,givenname,uid"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
"sn,givenname,uid"
## Restrict user import in the UI to global administrators
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
## Enable group and user synchronization
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
# 1
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
1
## Base DN under which groups should be searched for
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
# "dc=swp-ldap,dc=internal"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
"dc=swp-ldap,dc=internal"
## LDAP filter to only synchronize some groups
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
# "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
"(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
securityContext:
enabled: true

10
helmfile/environments/default/_helper.gotmpl Normal file
View File

@@ -0,0 +1,10 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
## Define LDAP service (supports "ums_eval" from the CI pipeline)
ldap:
host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
...

2
helmfile/environments/default/database.yaml
View File

@@ -27,7 +27,7 @@ databases:
password: ""
oxAppsuite:
host: "mariadb"
name: "CONFIGDB"
name: "configdb"
username: "root"
password: ""
synapse:

5
helmfile/environments/default/global.gotmpl
View File

@@ -9,10 +9,9 @@ global:
## Define host
#
domain: {{ env "DOMAIN" | default "souvap.cloud" }}
domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
## Define docker registry address.
#
imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" | quote }}
...

5
helmfile/environments/default/global.yaml
View File

@@ -4,11 +4,11 @@
## The global properties are used to configure multiple charts at once.
#
global:
## Define ingress/virtualservice host.
#
hosts:
collabora: "collabora"
cryptpad: "cryptpad"
dimension: "integration"
element: "chat"
etherpad: "etherpad"
@@ -19,6 +19,8 @@ global:
matrixNeoChoiceWidget: "matrix-neochoice-widget"
matrixNeoDateFixBot: "matrix-neodatefix-bot"
matrixNeoDateFixWidget: "matrix-neodatefix-widget"
minioApi: "minio"
minioConsole: "minio-console"
nextcloud: "fs"
openproject: "project"
openxchange: "webmail"
@@ -29,7 +31,6 @@ global:
whiteboard: "whiteboard"
xwiki: "wiki"
## Define docker registry address.
#
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"

121
helmfile/environments/default/images.yaml
View File

@@ -8,20 +8,32 @@ images:
# @supplier: "openDesk DevSecOps"
collabora:
repository: "souvap/tooling/images/collabora"
tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
tag: "23.05.5.3.1@sha256:496c913527ce83feb3fe2383d710851aa3781ffa56d200c75def74904d32adc3"
# @supplier: "Collabora"
cryptpad:
repository: "cryptpad/cryptpad"
tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
# @supplier: "XWiki"
dovecot:
repository: "dovecot/dovecot"
tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
# @supplier: "Open-Xchange"
element:
repository: "souvap/tooling/images/element-web"
tag: "1.4.0@sha256:81fd60c8feba4cfc65de3cf950d4b5ca724cabcc46da279edec74af192ecff00"
tag: "1.6.0@sha256:a71cbd75ee88471e3df59f26a2a37b9b8ff83d2f71f726053acd381ecd87e234"
# @supplier: "Element"
freshclam:
repository: "clamav/clamav"
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
# @supplier: "openDesk DevSecOps"
icap:
repository: "souvap/tooling/images/c-icap"
tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
# @supplier: "openDesk DevSecOps"
intercom:
repository: "univention/intercom-service"
tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
# @supplier: "Univention"
jibri:
repository: "jitsi/jibri"
tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
@@ -46,14 +58,6 @@ images:
repository: "jitsi/jvb"
tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
# @supplier: "Nordeck"
icap:
repository: "souvap/tooling/images/c-icap"
tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
# @supplier: "openDesk DevSecOps"
intercom:
repository: "univention/intercom-service"
tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
# @supplier: "Univention"
keycloak:
repository: "bitnami/keycloak"
tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
@@ -66,7 +70,7 @@ images:
keycloakBootstrap:
repository: "souvap/tooling/images/ansible"
tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
# @supplier: "Univention"
# @supplier: "openDesk DevSecOps"
keycloakExtensionHandler:
repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
@@ -86,7 +90,7 @@ images:
# @supplier: "Nordeck"
matrixNeoChoiceWidget:
repository: "nordeck/matrix-poll-widget"
tag: "1.2.0@sha256:0abcf7c368c91721413c96deaa1e87f095b6afbe864ea5f042c9a370c38fb07b"
tag: "1.3.0@sha256:19d2c8c7a15fe7d12c4a83a89310831da12323fd45ff0280cce808f1be0c7e0b"
# @supplier: "Nordeck"
matrixNeoDateFixBot:
repository: "nordeck/matrix-meetings-bot"
@@ -94,7 +98,7 @@ images:
# @supplier: "Nordeck"
matrixNeoDateFixWidget:
repository: "nordeck/matrix-meetings-widget"
tag: "1.5.2@sha256:cc9e2592c9159cc8f6bed96dae0be6e6fe599977dbef64cbdb1c1b84db85a2bb"
tag: "1.5.3@sha256:918b1eb28cefb08bfdaae57607f0889b454111f2ba80b5ec9bb3c750f8599913"
# @supplier: "Nordeck"
matrixUserVerificationService:
repository: "matrixdotorg/matrix-user-verification-service"
@@ -108,60 +112,79 @@ images:
repository: "clamav/clamav"
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
# @supplier: "openDesk DevSecOps"
minio:
repository: "bitnami/minio"
tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
# @supplier: "openDesk DevSecOps"
nextcloud:
repository: "nextcloud"
tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
# @supplier: "Nextcloud Community"
openproject:
repository: "openproject/open_desk"
tag: "dev@sha256:ca5b843fd7f0687617ce3038a52fd6ac73fb4e9db7b762b8ac7d5090f168f0b1"
tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
# @supplier: "OpenProject"
openprojectInitDb:
repository: "postgres"
tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
# @supplier: "OpenProject"
openprojectBootstrap:
repository: "souvap/tooling/images/opendesk-openproject-bootstrap"
tag: "1.1.1@sha256:09da76a9b645b3dbe5c181061f7829f82f239e7d17f7e115218a32870f7a955e"
# @supplier: "openDesk DevSecOps"
openxchangeBootstrap:
repository: "alpine/k8s"
tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
# @supplier: "Open-Xchange"
openxchangeCoreGuidedtours:
repository: "appsuite-public-sector/core-guidedtours"
tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
# @supplier: "Open-Xchange"
openxchangeCoreMW:
repository: "appsuite-public-sector/middleware-public-sector"
tag: "8.16.60@sha256:269c5b72f380c49ba1888c4300c409745d2ce757ca0b269afe1e8ac9bb26f028"
tag: "8.19.33@sha256:369c44369d727e4172f10c25137dbb00d936d20dd844cdca3a34f7f31273ea05"
# @supplier: "Open-Xchange"
openxchangeCoreUI:
repository: "appsuite-public-sector/core-ui"
tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
tag: "8.19.0@sha256:7fdd73f78fd7094f2968f6fcaaae175e60824f9ef68f9e7e70418de6a2b623e9"
# @supplier: "Open-Xchange"
openxchangeCoreUIMiddleware:
repository: "appsuite-public-sector/core-ui-middleware"
tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
# @supplier: "Open-Xchange"
openxchangeCoreUserGuide:
repository: "appsuite-public-sector/core-user-guide"
tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
tag: "8.19.771856@sha256:e00ed8f94c3c42cd288dd03f7fb18d228eb516b5e5ebd318825289b1c4ed17ab"
# @supplier: "Open-Xchange"
openxchangeGuardUI:
repository: "appsuite-public-sector/guard-ui"
tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
# @supplier: "Open-Xchange"
openxchangeNextcloudIntegrationUI:
repository: "appsuite-public-sector/nextcloud-integration-ui"
tag: "1.0.5@sha256:cad4ecba431f84b8627d2e541cfea773d5ef54b65d847fa8f7e3fd0d63156497"
# @supplier: "Open-Xchange"
openxchangePublicSectorUI:
repository: "appsuite-public-sector/public-sector-ui"
tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
openxchangeDocumentConverter:
repository: "appsuite-public-sector/documentconverter"
tag: "8.19.32@sha256:82354e858b6aeeae7f0ebaf66ad106f8e9ae46e605e97bb1d2d14e6ce1c3d708"
# @supplier: "Open-Xchange"
openxchangeGotenberg:
repository: "appsuite-public-sector/3rdparty/gotenberg"
tag: "7.8.2@sha256:34af7b6d21c02b8183785177f5f3f1731633d72ec69e1f2ecdb8b43747887f62"
tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
# @supplier: "Open-Xchange"
openxchangeGuardUI:
repository: "appsuite-public-sector/guard-ui"
tag: "4.0.7@sha256:8c9fa5d6aed055c0e84042ab28b3f0e9add94390362266ad440da4f90b8c93a8"
# @supplier: "Open-Xchange"
openxchangeImageConverter:
repository: "appsuite-public-sector/imageconverter"
tag: "8.19.33@sha256:9543c1409a129567bd6e4a657a353819842a4b1e1807ab86a1ea2e7f73f8c18e"
# @supplier: "Open-Xchange"
openxchangeNextcloudIntegrationUI:
repository: "appsuite-public-sector/nextcloud-integration-ui"
tag: "1.1.0@sha256:82cecb5adac63806ab41546e6b49090a93a5f4645750bb3967d87585b60df2e1"
# @supplier: "Open-Xchange"
openxchangePublicSectorUI:
repository: "appsuite-public-sector/public-sector-ui"
tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
# @supplier: "Open-Xchange"
oxConnector:
repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
tag:
"branch-jconde-listener-entrypoint-chaining\
@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
# @supplier: "Univention"
repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
tag: "branch-jconde-listener-entrypoint-chaining\
@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
postfix:
repository: "souvap/tooling/images/postfix"
tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
@@ -201,67 +224,67 @@ images:
umsConfigHtpasswd:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/config-htpasswd"
tag: "latest"
tag: "0.5.2"
# @supplier: "Univention"
umsDataLoader:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/data-loader"
tag: "latest"
tag: "0.15.2"
# @supplier: "Univention"
umsLdapNotifier:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/ldap-notifier"
tag: "latest"
tag: "0.4.1"
# @supplier: "Univention"
umsLdapServer:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/ldap-server"
tag: "latest"
tag: "0.4.1"
# @supplier: "Univention"
umsNotificationsApi:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/notifications-api"
tag: "latest"
tag: "0.3.4"
# @supplier: "Univention"
umsPortalListener:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/portal-listener"
tag: "latest"
tag: "0.3.4"
# @supplier: "Univention"
umsPortalFrontend:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/portal-frontend"
tag: "latest"
tag: "0.3.5"
# @supplier: "Univention"
umsPortalServer:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/portal-server"
tag: "latest"
tag: "0.3.4"
# @supplier: "Univention"
umsWaitForDependency:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/wait-for-dependency"
tag: "latest"
tag: "0.3.4"
# @supplier: "Univention"
umsStoreDav:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/store-dav"
tag: "latest"
tag: "0.5.2"
# @supplier: "Univention"
umsUdmRestApi:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/udm-rest-api"
tag: "latest"
tag: "0.3.2"
# @supplier: "Univention"
umsUmcGateway:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/umc-gateway"
tag: "latest"
tag: "0.3.2"
# @supplier: "Univention"
umsUmcServer:
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/umc-server"
tag: "latest"
tag: "0.3.2"
# @supplier: "Univention"
wellKnown:
repository: "library/nginx"
@@ -269,6 +292,6 @@ images:
# @supplier: "Element"
xwiki:
repository: "xwikisas/swp/xwiki"
tag: "0.11-mariadb-jetty-alpine@sha256:a334e18d171458ed41ef356e82580561f48b0edf60b4979dc4ed9503eb497c59"
tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
# @supplier: "XWiki"
...

2
helmfile/environments/default/istio.gotmpl
View File

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
---
istio:
enabled: true
domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" }}
domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" | quote }}
virtualService:
enabled: false
gateway:

25
helmfile/environments/default/monitoring.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
prometheus:
serviceMonitors:
enabled: false
labels:
release: "kube-prometheus-stack"
podMonitors:
enabled: false
labels:
release: "kube-prometheus-stack"
prometheusRules:
enabled: false
labels:
release: "kube-prometheus-stack"
grafana:
dashboards:
enabled: false
labels:
grafana_dashboard: "1"
annotations:
...

4
helmfile/environments/default/persistence.yaml
View File

@@ -10,10 +10,10 @@ persistence:
dovecot: "1Gi"
mariadb: "1Gi"
matrixNeoDateFixBot: "1Gi"
minio: "1Gi"
nextcloud:
main: "1.2Gi"
main: "2Gi"
data: "10Gi"
openproject: "1Gi"
postfix: "1Gi"
postgresql: "1Gi"
prosody: "1Gi"

2
helmfile/environments/default/replicas.yaml
View File

@@ -7,6 +7,7 @@ replicas:
# clamav-distributed
clamd: 1
collabora: 1
cryptpad: 1
dovecot: 1
element: 1
# clamav-distributed
@@ -26,6 +27,7 @@ replicas:
matrixUserVerificationService: 1
# clamav-distributed
milter: 1
minioDistributed: 4
nextcloud: 1
openproject: 1
postfix: 1

28
helmfile/environments/default/resources.yaml
View File

@@ -11,11 +11,18 @@ resources:
memory: "2Gi"
collabora:
limits:
cpu: 1
memory: "500Mi"
cpu: 4
memory: "4Gi"
requests:
cpu: 0.5
memory: "1Gi"
cryptpad:
limits:
cpu: 2
memory: "2Gi"
requests:
cpu: 0.1
memory: "16Mi"
memory: "512Mi"
dovecot:
limits:
cpu: 0.5
@@ -163,6 +170,13 @@ resources:
requests:
cpu: 0.1
memory: "2Gi"
minio:
limits:
cpu: 2
memory: "4Gi"
requests:
cpu: 0.25
memory: "1Gi"
nextcloud:
limits:
cpu: 2
@@ -184,6 +198,13 @@ resources:
requests:
cpu: 0.1
memory: "250Mi"
oxDocumentConverter:
limits:
cpu: 2
memory: "2Gi"
requests:
cpu: 0.25
memory: "1Gi"
postfix:
limits:
cpu: 0.5
@@ -338,5 +359,4 @@ resources:
requests:
cpu: 0.1
memory: "6Gi"
...

118
helmfile/environments/default/secrets.gotmpl
View File

@@ -5,84 +5,92 @@ SPDX-License-Identifier: Apache-2.0
---
secrets:
oxAppsuite:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum) }}
cookieHashSalt: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum) }}
sessiondEncryptionKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum) }}
shareCryptKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum) }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }}
oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }}
univentionCorporateServer:
authSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum) }}
authSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum | quote }}
defaultAccounts:
userPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum) }}
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum) }}
userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
ldapSearch:
keycloak: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum) }}
nextcloud: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum) }}
dovecot: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum) }}
ox: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum) }}
openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum | quote }}
nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum | quote }}
dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum | quote }}
ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum | quote }}
openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum | quote }}
xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum | quote }}
univentionManagementStack:
ldapSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum) }}
ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
defaultAccounts:
administratorPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum) }}
administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
storeDavUsers:
portalServer: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum) }}
portalListener: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum) }}
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
postgresql:
postgresUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum) }}
keycloakUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum) }}
keycloakExtensionUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum) }}
matrixUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum) }}
openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum) }}
notificationsapiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum) }}
postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
mariadb:
rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum) }}
xwikiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum) }}
openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum) }}
nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum) }}
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
minio:
rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
keycloak:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum) }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
clientSecret:
intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
jitsi: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
as8oidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum) }}
intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
jitsi: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum | quote }}
ncoidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum | quote }}
openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum | quote }}
xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum | quote }}
as8oidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum | quote }}
nextcloud:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum) }}
metricsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum) }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
openproject:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum) }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}
apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_password" | sha1sum | quote }}
collabora:
adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum | quote }}
jitsi:
jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
jicofoAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum) }}
jicofoComponentPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum) }}
jvbAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum) }}
jwtAppSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum | quote }}
jibriRecorderPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum | quote }}
jibriXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum | quote }}
jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
etherpad:
apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
whiteboard:
apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
centralnavigation:
apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum) }}
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
redis:
password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum) }}
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum | quote }}
dovecot:
doveadm: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum) }}
doveadm: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum | quote }}
xwiki:
superadminpassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum) }}
superadminpassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum | quote }}
intercom:
secret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum) }}
synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "as_token" | sha1sum) }}
secret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum | quote }}
synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "as_token" | sha1sum | quote }}
matrixNeoDateFixBot:
password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum) }}
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
matrixUserVerificationService:
password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum) }}
password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
...

2
helmfile/environments/default/smtp.gotmpl
View File

@@ -7,5 +7,5 @@ smtp:
host: ""
port: 587
username: ""
password: "{{ env "SMTP_PASSWORD" }}"
password: {{ env "SMTP_PASSWORD" | quote }}
...

3
helmfile/environments/default/turn.gotmpl
View File

@@ -5,12 +5,11 @@ SPDX-License-Identifier: Apache-2.0
---
turn:
transport: "udp"
credentials: "{{ env "TURN_CREDENTIALS" }}"
credentials: {{ env "TURN_CREDENTIALS" | quote }}
server:
host: ""
port: "3478"
tls:
host: ""
port: "5349"
...

4
helmfile/environments/default/workplace.yaml
View File

@@ -9,6 +9,8 @@ clamavSimple:
enabled: true
collabora:
enabled: true
cryptpad:
enabled: true
dovecot:
enabled: true
element:
@@ -23,6 +25,8 @@ mariadb:
enabled: true
memcached:
enabled: true
minio:
enabled: true
nextcloud:
enabled: true
openproject: