mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
812eb5a439 | ||
|
|
f86a74ba10 | ||
|
|
71d11cfcd0 | ||
|
|
6aa3d386af | ||
|
|
7ac2e0f9de | ||
|
|
6f556bce70 | ||
|
|
a447c137fe | ||
|
|
47a385683c | ||
|
|
db48140f3a | ||
|
|
d7cae3b1fa | ||
|
|
7ae65a36a2 | ||
|
|
01466947cc | ||
|
|
061e588da9 | ||
|
|
b460206bd4 | ||
|
|
ea14f953a4 | ||
|
|
feed270fd7 | ||
|
|
225398b5a6 | ||
|
|
cd0e94f96f | ||
|
|
767c382091 | ||
|
|
55f6ba21dc | ||
|
|
b3c4ec5165 | ||
|
|
e231e5749d |
@@ -33,9 +33,6 @@ variables:
|
||||
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
||||
sovereign-workplace-env included above."
|
||||
value: "dev"
|
||||
BASE_DOMAIN:
|
||||
description: "Define the Cluster Base Domain."
|
||||
value: "souvap.cloud"
|
||||
MASTER_PASSWORD_WEB_VAR:
|
||||
description: "Optional: Provide a passphrase to be used for password generation."
|
||||
value: ""
|
||||
@@ -150,9 +147,6 @@ variables:
|
||||
UMS_TESTS_BRANCH:
|
||||
description: "Branch of E2E test suite of SouvAP Dev team"
|
||||
value: "main"
|
||||
# please use the following set of variables with normalized names:
|
||||
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
|
||||
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
|
||||
|
||||
.deploy-common:
|
||||
cache: {}
|
||||
@@ -204,7 +198,6 @@ env-cleanup:
|
||||
env-start:
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
url: "https://portal.${DOMAIN}"
|
||||
on_stop: "env-stop"
|
||||
extends: ".deploy-common"
|
||||
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
|
||||
@@ -443,10 +436,6 @@ run-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -503,10 +492,6 @@ run-souvap-dev-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -570,7 +555,7 @@ generate-release-assets:
|
||||
- "./build_artefacts/image-index.json"
|
||||
tags: []
|
||||
variables:
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
|
||||
|
||||
|
||||
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
|
||||
|
||||
72
CHANGELOG.md
72
CHANGELOG.md
@@ -1,3 +1,75 @@
|
||||
## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **services:** Update resource requests and remove cpu limits ([f86a74b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f86a74ba100c7f08f6538b58a713bbc87c00e814))
|
||||
|
||||
## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Rename absolute paths on OpenCoDE to new 'opendesk' base group name ([7ac2e0f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7ac2e0f9de2a8386a7f5809ba40db4ed7164a857))
|
||||
* **xwiki:** Enable the sync of user profile picture from LDAP ([6aa3d38](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6aa3d386afe8b3f22e47f9971fd719089006b54e))
|
||||
|
||||
## [0.5.46](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.45...v0.5.46) (2023-11-23)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Fix quotes in element chart ([a447c13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a447c137fe58be343e7ada55afb7f6891a5cde74))
|
||||
|
||||
## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Add security context ([db48140](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/db48140f3ae6576b21e93ac0f10f40765efd608d))
|
||||
|
||||
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ae65a36a2777d249ba3784bf965da4c790a1b21))
|
||||
|
||||
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Update optional UMS preview state ([061e588](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/061e588da90e52b531df0688347675bf4dcb431e))
|
||||
|
||||
## [0.5.42](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.41...v0.5.42) (2023-11-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Add exporter and serviceMonitor ([feed270](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/feed270fd7949743e8f9974e7f147e89ab623347))
|
||||
* **nextcloud:** Bump openDesk bootstrap to 3.2.3 to support serverinfo token ([ea14f95](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ea14f953a4a54c01cc0d66db1bdb645ca4a661e5))
|
||||
|
||||
## [0.5.41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.40...v0.5.41) (2023-11-16)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Split README into docs ([cd0e94f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cd0e94f96fa5b377ab382b6c7738ed279cb2a199))
|
||||
|
||||
## [0.5.40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.39...v0.5.40) (2023-11-14)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Bump Dovecot and fix out-of-office replys ([55f6ba2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/55f6ba21dc9eab811ac501bf0e2b78d4ae772194))
|
||||
|
||||
## [0.5.39](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.38...v0.5.39) (2023-11-14)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Update optional UMS preview state ([e231e57](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e231e5749d3804f888ec23e12b58783856043219))
|
||||
|
||||
## [0.5.38](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.37...v0.5.38) (2023-11-13)
|
||||
|
||||
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
**Content / Quick navigation**
|
||||
|
||||
[[_TOC_]]
|
||||
|
||||
# Functional Components
|
||||
|
||||
Functional components are the core of the SWP as they provide it's rich functionaly. We use the community versions of the named products. For production environments please use enterprise versions for support and scalabiliy reasons.
|
||||
|
||||
## Groupware - Open-Xchange AppSuite
|
||||
|
||||
## WebOffice - Collabora Development Edition
|
||||
|
||||
## File & Share - Nextcloud
|
||||
|
||||
## Kollaboration - Element
|
||||
|
||||
## Videokonferenzen - Jitsi
|
||||
|
||||
## Knowledge Management - XWiki
|
||||
|
||||
## Project Management - OpenProject
|
||||
|
||||
## Portal & IAM - Univention Corporate Services
|
||||
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
# Read me first
|
||||
|
||||
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/CONTRIBUTING.md) first.
|
||||
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/CONTRIBUTING.md) first.
|
||||
|
||||
# How to contribute?
|
||||
|
||||
|
||||
671
README.md
671
README.md
@@ -2,634 +2,105 @@
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
**Content / Quick navigation**
|
||||
|
||||
[[_TOC_]]
|
||||
|
||||
|
||||
# Disclaimer
|
||||
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
|
||||
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
|
||||
|
||||
openDesk will face breaking changes in the near future without upgrade paths.
|
||||
It features:
|
||||
- Fully integrated Identity Management (Univention, Keycloak)
|
||||
- File storage (Nextcloud)
|
||||
- Weboffice (Collabora)
|
||||
- Videoconference (Jitsi)
|
||||
- Encrypted Chat (Synapse, Element)
|
||||
- Groupware (OX Appsuite)
|
||||
- Wiki (XWiki)
|
||||
- Notes and Diagrams (Cryptpad, Draw.io)
|
||||
|
||||
While most components support upgrades, major configuration or component changes
|
||||
may occur, therefore we recommend always installing from scratch.
|
||||
openDesk integrates these components and is working towards a seamless user experience.
|
||||
|
||||
While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
|
||||
align the applications with the best practises regarding container design and operations.
|
||||
|
||||
This documentation aims to give you all that is needed to set up your own instance of the openDesk.
|
||||
Basic knowledge of Kubernetes and Devops is required though.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Active development notice](#active-development-notice)
|
||||
* [Feedback](#feedback)
|
||||
* [Requirements](#requirements)
|
||||
* [Getting started](#getting-started)
|
||||
* [Advanced customization](#advanced-customization)
|
||||
* [Releases](#releases)
|
||||
* [Components](#components)
|
||||
* [License](#license)
|
||||
* [Copyright](#copyright)
|
||||
<!-- TOC -->
|
||||
|
||||
# Active development notice
|
||||
openDesk will face breaking changes in the near future without upgrade paths before
|
||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases
|
||||
v1.0.0 is reached.
|
||||
|
||||
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
|
||||
at the moment always installing from scratch.
|
||||
|
||||
Components that are going to be replaced soon are:
|
||||
- The UCS dev container monolith will be substituted by multiple Univention
|
||||
Management Stack containers,
|
||||
- the Nextcloud community container is going to be replaced by an openDesk
|
||||
specific Nextcloud distroless container and
|
||||
- Dovecot Community is going to be replaced by a Dovecot container tailored for the
|
||||
needs of the public sector.
|
||||
- the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
|
||||
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
|
||||
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
|
||||
|
||||
In the next months we not only expect upstream updates of the functional
|
||||
components within their feature scope, but we are also going to address
|
||||
operational issues like monitoring and network policies.
|
||||
In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
|
||||
are also going to address operational issues like monitoring and network policies.
|
||||
|
||||
Of course, further development also includes enhancing the documentation.
|
||||
|
||||
The first release of the Sovereign Workplace is scheduled for December 2023.
|
||||
# Feedback
|
||||
|
||||
# The Sovereign Workplace (SWP)
|
||||
|
||||
The Sovereign Workplace's runtime environment is [Kubernetes](https://kubernetes.io/), or "K8s" in
|
||||
short.
|
||||
|
||||
While not all components are still perfectly shaped for the execution inside
|
||||
containers, one of the projects objectives is it to align the applications
|
||||
with the best practises regarding container design and operations.
|
||||
|
||||
This documentation aims to give you all that is needed to set up your own
|
||||
instance of the Sovereign Workplace. Basic knowledge of Kubernetes and Devops is
|
||||
required though.
|
||||
|
||||
To have an overview of what can be found at Open CoDE and the basic components
|
||||
of the Sovereign Workplace, please check out the
|
||||
[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
|
||||
|
||||
We love to get feedback from you! Related to the deployment / contents of this
|
||||
repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
|
||||
We love to get feedback from you!
|
||||
Related to the deployment / contents of this repository,
|
||||
please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
|
||||
|
||||
If you want to address other topics, please check the section
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
|
||||
# Requirements
|
||||
|
||||
⟶ Visit our detailed [Requirements](docs/requirements.md) overview.
|
||||
|
||||
# Getting started
|
||||
|
||||
⟶ Visit our detailed [Getting started](docs/getting-started.md) guide.
|
||||
|
||||
# Advanced customization
|
||||
|
||||
- [External services](docs/external-services.md)
|
||||
- [Security](docs/security.md)
|
||||
- [Scaling](docs/scaling.md)
|
||||
- [Monitoring](docs/monitoring.md)
|
||||
- [Theming](docs/theming.md)
|
||||
|
||||
# Releases
|
||||
|
||||
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
|
||||
|
||||
Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
|
||||
Gitlab provides an
|
||||
[overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||
of this project.
|
||||
|
||||
The following release artefacts are provided beside the default source code assets:
|
||||
- `chart-index.json`: An overview of all Helm charts used by the release.
|
||||
- `image-index.json`: An overview of all container images used by the release.
|
||||
# Deployment
|
||||
|
||||
**Note for project members:** You can use the project's `dev` K8s cluster to set
|
||||
up your own instance for development purposes. Please see the project
|
||||
`sovereign-workplace-env` on the internal Gitlab for more details.
|
||||
# Components
|
||||
|
||||
## Prerequisites
|
||||
⟶ Visit our detailed [Component](docs/getting-started.md) docs.
|
||||
|
||||
### Mandatory technical prerequisites
|
||||
|
||||
These are the requirements of the Sovereign Workplace deployment:
|
||||
|
||||
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
|
||||
- Domain and DNS Service
|
||||
- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
|
||||
- [Helm](https://helm.sh/) >= v3.9.0
|
||||
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
|
||||
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
|
||||
- Volume provisioner supporting RWO (read-write-once)
|
||||
- Certificate handling with [cert-manager](https://cert-manager.io/)
|
||||
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
|
||||
|
||||
#### TLS Certificate
|
||||
|
||||
The setup will create a `cert-manager.io` Certificate resource.
|
||||
|
||||
You can set the ClusterIssuer via `certificate.issuerRef.name`
|
||||
|
||||
### Required input variables
|
||||
|
||||
You need to expose following environment variables in order to run the
|
||||
installation.
|
||||
|
||||
| name | default | description |
|
||||
|---------------------|-----------------------|---------------------------------------------------|
|
||||
| `DOMAIN` | `souvap.cloud` | External reachable domain |
|
||||
| `ISTIO_DOMAIN` | `istio.souvap.cloud` | External reachable domain for Istio Gateway |
|
||||
| `MASTER_PASSWORD` | `sovereign-workplace` | The password that seeds the autogenerated secrets |
|
||||
|
||||
Please ensure that you set the DNS records pointing to the loadbalancer/IP for
|
||||
`DOMAIN` and `ISTIO_DOMAIN`.
|
||||
|
||||
If you want inbound email you need to set the MX records that points to the
|
||||
public IP address of the Postfix-pods.
|
||||
|
||||
More details on DNS options including SPF/DKIM and autodiscovery options
|
||||
are to come...
|
||||
|
||||
### Optional or feature based prerequisites
|
||||
|
||||
All of these requirements are optional as long as you do not want to use the
|
||||
related feature.
|
||||
|
||||
| Feature | Component(s) | Requirement |
|
||||
|------------------------------|----------------|-----------------------------|
|
||||
| Component Scalability | Various[^1] | Read-Write-Many Provisioner |
|
||||
| Sending outbound emails | Various | SMTP relay/gateway |
|
||||
| S/MIME Support | OX AppSuite8 | PKI / CI |
|
||||
| Improved videoconferencing | Jitsi | STUN/TURN server |
|
||||
|
||||
## CI based deployment
|
||||
|
||||
The project includes a `.gitlab-ci.yml` that allows you to execute the
|
||||
deployment from a Gitlab instance of your choice.
|
||||
|
||||
Please ensure to provide the environment variables listed at
|
||||
[Required input variables](#required-input-variables).
|
||||
|
||||
When starting the pipeline through the Gitlab UI you will be queried for some
|
||||
of the variables plus the following ones:
|
||||
|
||||
- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
|
||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||
|
||||
Based on your input the following variables will be set:
|
||||
- `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supercede the default.
|
||||
|
||||
You might want to set credential variables in the Gitlab project at
|
||||
`Settings` > `CI/CD` > `Variables`.
|
||||
|
||||
## Local deployment
|
||||
|
||||
Please ensure to provide the environment variables listed at
|
||||
[Required input variables](#required-input-variables).
|
||||
Also, please read [Helmfile](#helmfile) a little below in case of a non default
|
||||
configuration.
|
||||
|
||||
Then go with
|
||||
|
||||
```shell
|
||||
helmfile apply -n <NAMESPACE>
|
||||
```
|
||||
|
||||
and wait a little. After the deployment is finished some bootstrapping is
|
||||
executed which might take some more minutes before you can log in your new
|
||||
instance.
|
||||
|
||||
Deployments can be removed with:
|
||||
|
||||
```shell
|
||||
helmfile destroy -n <NAMESPACE>
|
||||
```
|
||||
|
||||
## Offline deployment
|
||||
|
||||
Before executing a [local deployment](#local-deployment), you can set following
|
||||
environment variables to use your own container image and helm chart registry:
|
||||
|
||||
| name | description |
|
||||
|------------------------------|--------------------------------|
|
||||
| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
|
||||
| PRIVATE_IMAGE_REGISTRY_URL | Your image registry url |
|
||||
|
||||
## Logging in
|
||||
|
||||
When successfully deployed the SWP, all K8s jobs from the deployment should be
|
||||
in the status `Succeeded` and all pods should be `Running`.
|
||||
|
||||
You should see the portal's login page at `https://portal.<DOMAIN>`.
|
||||
|
||||
Off the shelf you get two accounts with passwords you can look up in the
|
||||
`univention-corporate-container-*` pod environment. You can use a shell on that
|
||||
container or a `kubectl describe`-command to get the credentials.
|
||||
|
||||
| Username / Login | Password environment variable |
|
||||
|--------------------|--------------------------------|
|
||||
| default.user | DEFAULT_ACCOUNT_USER_PASSWORD |
|
||||
| default.admin | DEFAULT_ACCOUNT_ADMIN_PASSWORD |
|
||||
|
||||
If you do not see any tiles in the portal after the login you may want to wait a
|
||||
couple of minutes, as on the initial start some bootstrapping and cache building
|
||||
is done. This blocks the portal entries from showing up.
|
||||
|
||||
# Helmfile
|
||||
|
||||
## Custom Configuration
|
||||
|
||||
### Deployment selection
|
||||
|
||||
By default, all components are deployed. The components of type `Eval` are used
|
||||
for development and evaluation purposes only - they need to be replaced in
|
||||
production deployments. These components are grouped together in the
|
||||
subdirectory `/helmfile/apps/services`.
|
||||
|
||||
| Component | Name | Default | Description | Type |
|
||||
|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
|
||||
| Certificates | `certificates.enabled` | `true` | TLS certificates | Eval |
|
||||
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | Eval |
|
||||
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | Eval |
|
||||
| Collabora | `collabora.enabled` | `true` | Weboffice | Functional |
|
||||
| CryptPad | `cryptpad.enabled` | `true` | Weboffice | Functional |
|
||||
| Dovecot | `dovecot.enabled` | `true` | Mail backend | Functional |
|
||||
| Element | `element.enabled` | `true` | Secure communications platform | Functional |
|
||||
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | Functional |
|
||||
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
|
||||
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
|
||||
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
|
||||
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
|
||||
| MinIO | `minio.enabled` | `true` | Object Storage | Eval |
|
||||
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
|
||||
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
|
||||
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
|
||||
| Provisioning | `oxConnector.enabled` | `true` | Backend provisioning | Functional |
|
||||
| Postfix | `postfix.enabled` | `true` | MTA | Eval |
|
||||
| PostgreSQL | `postgresql.enabled` | `true` | Database | Eval |
|
||||
| Redis | `redis.enabled` | `true` | Cache Database | Eval |
|
||||
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | Functional |
|
||||
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal | Eval |
|
||||
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | Functional |
|
||||
|
||||
|
||||
#### Cluster capabilities
|
||||
| Capability | Default | Options | Notes |
|
||||
|-------------------------------------|-----------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `cluster.service.type` | `LoadBalancer` | `ClusterIP`, `NodePort`, `LoadBalancer` | External access to TCP/UDP services. [Additional Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) |
|
||||
| `cluster.persistence.readWriteMany` | `false` | `true`, `false` | Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...). |
|
||||
| `cluster.networking.domain` | `cluster.local` | | Kubernetes cluster domain. |
|
||||
| `cluster.networking.cidr` | `10.0.0.0/8` | | Kubernetes internal network |
|
||||
|
||||
|
||||
#### Databases
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade database
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
|
||||
| Element | Synapse | PostgreSQL | | | |
|
||||
| | | | Name | `databases.synapse.name` | `matrix` |
|
||||
| | | | Host | `databases.synapse.host` | `postgresql` |
|
||||
| | | | Port | `databases.synapse.port` | `5432` |
|
||||
| | | | Username | `databases.synapse.username` | `matrix_user` |
|
||||
| | | | Password | `databases.synapse.password` | |
|
||||
| Keycloak | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloak.name` | `keycloak` |
|
||||
| | | | Host | `databases.keycloak.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloak.port` | `5432` |
|
||||
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
|
||||
| | | | Password | `databases.keycloak.password` | |
|
||||
| | Keycloak Extension | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
|
||||
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||
| | | | Password | `databases.keycloakExtension.password` | |
|
||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
|
||||
| | | | Password | `databases.nextcloud.password` | |
|
||||
| OpenProject | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.openproject.name` | `openproject` |
|
||||
| | | | Host | `databases.openproject.host` | `postgresql` |
|
||||
| | | | Port | `databases.openproject.port` | `5432` |
|
||||
| | | | Username | `databases.openproject.username` | `openproject_user` |
|
||||
| | | | Password | `databases.openproject.password` | |
|
||||
| OX Appsuite | OX Appsuite | MariaDB | | | |
|
||||
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
|
||||
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
|
||||
| | | | Username | `databases.oxAppsuite.username` | `root` |
|
||||
| | | | Password | `databases.oxAppsuite.password` | |
|
||||
| XWiki | XWiki | MariaDB | | | |
|
||||
| | | | Name | `databases.xwiki.name` | `xwiki` |
|
||||
| | | | Host | `databases.xwiki.host` | `mariadb` |
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
|
||||
#### Cache
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade cache
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|------------------|------------------|-----------|-----------|------------------------------|------------------|
|
||||
| Intercom Service | Intercom Service | Redis | | | |
|
||||
| | | | Host | `cache.intercomService.host` | `redis-headless` |
|
||||
| | | | Port | `cache.intercomService.port` | `6379` |
|
||||
| Nextcloud | Nextcloud | Redis | | | |
|
||||
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
|
||||
| | | | Port | `cache.nextcloud.port` | `6379` |
|
||||
| OpenProject | OpenProject | Memcached | | | |
|
||||
| | | | Host | `cache.openproject.host` | `memcached` |
|
||||
| | | | Port | `cache.openproject.port` | `11211` |
|
||||
|
||||
|
||||
### Scaling
|
||||
|
||||
The Replicas of components can be increased, while we still have to look in the
|
||||
actual scalability of the components (see column `Scaling (verified)`).
|
||||
|
||||
| Component | Name | Scaling (effective) | Scaling (verified) |
|
||||
|-------------|------------------------|:-------------------:|:------------------:|
|
||||
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.freshclam` | :x: | :x: |
|
||||
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
|
||||
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
|
||||
| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: |
|
||||
| Dovecot | `replicas.dovecot` | :x: | :gear: |
|
||||
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.synapse` | :x: | :gear: |
|
||||
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
|
||||
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jicofo` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jvb ` | :x: | :x: |
|
||||
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
|
||||
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
|
||||
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
|
||||
| Postfix | `replicas.postfix` | :x: | :gear: |
|
||||
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
|
||||
|
||||
|
||||
### Mail/SMTP configuration
|
||||
|
||||
To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
|
||||
the whole subdomain.
|
||||
|
||||
```yaml
|
||||
smtp:
|
||||
host: # your SMTP host or IP-address
|
||||
username: # username/email for authentication
|
||||
password: # password for authentication, or via environment variable SMTP_PASSWORD
|
||||
```
|
||||
|
||||
### TURN configuration
|
||||
|
||||
Some components (Jitsi, Element) use for direct communication a TURN server.
|
||||
You can configure your own TURN server with these options:
|
||||
|
||||
```yaml
|
||||
turn:
|
||||
transport: # "udp" or "tcp"
|
||||
credentials: # turn credential string
|
||||
server: # configuration for unsecure connections
|
||||
host: # your TURN host or IP-address
|
||||
port: # server port
|
||||
tls: # configuration for secure connections
|
||||
host: # your TURN host or IP-address
|
||||
port: # server port
|
||||
```
|
||||
|
||||
## Security
|
||||
|
||||
This section summarizes various aspects of security and compliance aspects.
|
||||
|
||||
### Kubernetes Security Enforcements
|
||||
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
|
||||
|
||||
### Helm Chart Trust Chain
|
||||
|
||||
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
|
||||
`pubkey.gpg` file and are validated during helmfile installation.
|
||||
|
||||
| Repository | OCI | Verifiable |
|
||||
|--------------------------------------|:---:|:------------------:|
|
||||
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
|
||||
| clamav-repo | yes | :white_check_mark: |
|
||||
| collabora-online-repo | no | :x: |
|
||||
| cryptpad-online-repo | no | :x: |
|
||||
| intercom-service-repo | yes | :white_check_mark: |
|
||||
| istio-resources-repo | yes | :white_check_mark: |
|
||||
| jitsi-repo | yes | :white_check_mark: |
|
||||
| keycloak-extensions-repo | no | :x: |
|
||||
| keycloak-theme-repo | yes | :white_check_mark: |
|
||||
| mariadb-repo | yes | :white_check_mark: |
|
||||
| nextcloud-repo | no | :x: |
|
||||
| opendesk-certificates-repo | yes | :white_check_mark: |
|
||||
| opendesk-dovecot-repo | yes | :white_check_mark: |
|
||||
| opendesk-element-repo | yes | :white_check_mark: |
|
||||
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
|
||||
| openproject-repo | no | :x: |
|
||||
| openxchange-repo | yes | :x: |
|
||||
| ox-connector-repo | no | :x: |
|
||||
| postfix-repo | yes | :white_check_mark: |
|
||||
| postgresql-repo | yes | :white_check_mark: |
|
||||
| univention-corporate-container-repo | yes | :white_check_mark: |
|
||||
| ums-repo | no | :x: |
|
||||
| xwiki-repo | no | :x: |
|
||||
|
||||
|
||||
## Monitoring
|
||||
Together with
|
||||
[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) into
|
||||
you can monitor openDesk components with Prometheus and Grafana.
|
||||
|
||||
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
|
||||
repository.
|
||||
|
||||
|
||||
### Metrics
|
||||
To deploy podMonitor and serviceMonitor custom resources, enable it by:
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
serviceMonitors:
|
||||
enabled: true
|
||||
podMonitors:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
### Alerts
|
||||
Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
prometheusRules:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
### Dashboards for Grafana
|
||||
To deploy optional ConfigMaps with Grafana dashboards, enable it by:
|
||||
|
||||
```yaml
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
### Components
|
||||
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|
||||
|:------------|-----------------------------------|-------------------------|---------------------|
|
||||
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
|
||||
|
||||
|
||||
# Component integration
|
||||
|
||||
## Functional use cases
|
||||
|
||||
### Overview
|
||||
|
||||
Some use cases require inter component integration.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
|
||||
IntercomService-->|SilentLogin, TokenExchange|Keycloak
|
||||
IntercomService-->|Filepicker|Nextcloud
|
||||
IntercomService-->|CentralNavigation|Portal
|
||||
OXAppSuiteBackend-->|Filepicker|Nextcloud
|
||||
Nextcloud-->|CentralNavigation|Portal
|
||||
OpenProject-->|CentralNavigation|Portal
|
||||
XWiki-->|CentralNavigation|Portal
|
||||
Nextcloud-->|CentralContacts|OXAppSuiteBackend
|
||||
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
|
||||
```
|
||||
|
||||
#### Intercom Service (ICS)
|
||||
|
||||
The UCS Intercom Service's role is to enable cross application integration based
|
||||
on browser interaction. Handling authentication when the frontend of an
|
||||
application is using the API from another application is often a challenge.
|
||||
For more details on the ICS please refer to its own [README.md](./helmfile/apps/intercom-service/README.md).
|
||||
|
||||
In order to establish a session with the Intercom Service, the application that
|
||||
wants to use the ICS must initiate a silent login.
|
||||
|
||||
Currently only OX AppSuite is using the frontend based integration, and
|
||||
therefore it is right now the only consumer of the ICS API.
|
||||
|
||||
### Filepicker
|
||||
|
||||
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to
|
||||
add attachments or links to files from and saving attachments to Nextcloud.
|
||||
|
||||
The filepicker is using frontend and backend based integration. Frontend based
|
||||
integration means that OX AppSuite in the browser is communicating with ICS.
|
||||
While using backend based integration, OX AppSuite middleware is communicating
|
||||
with Nextcloud, which is especially used when adding a file to an email or
|
||||
storing a file into Nextcloud.
|
||||
|
||||
### Central Navigation
|
||||
|
||||
Central navigation is based on an API endpoint in the portal that provides the
|
||||
contents of the portal for a user in order to allow components to render the
|
||||
menu showing all available SWP applications for the user.
|
||||
|
||||
### (Read & write) Central contacts
|
||||
|
||||
Open-Xchange App Suite is used to manage contacts within the Sovereign
|
||||
Workplace. There is an API in the AppSuite that is being used by
|
||||
Nextcloud to lookup contacts as well as to create contacts. This is maybe done
|
||||
when a file is shared with a not yet available personal contact.
|
||||
|
||||
# Identity data flows
|
||||
|
||||
An overview of
|
||||
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
|
||||
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
|
||||
|
||||
Some components trust others to handle authentication for them.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
K[Keycloak]-->L[LDAP]
|
||||
N[Nextcloud]-->L
|
||||
A[OX AppSuite]-->L
|
||||
D[OX Dovecot]-->L
|
||||
P[Portal/Admin]-->L
|
||||
O[OpenProject]-->L
|
||||
X[XWiki]-->|in 2023|L
|
||||
A-->K
|
||||
N-->K
|
||||
D-->K
|
||||
O-->K
|
||||
X-->K
|
||||
P-->|SAML|K
|
||||
E[Element]-->K
|
||||
J[Jitsi]-->K
|
||||
I[IntercomService]-->K
|
||||
C[Collabora]-->N
|
||||
R[CryptPad]-->N
|
||||
F[Postfix]-->D
|
||||
```
|
||||
|
||||
# Provisioning
|
||||
|
||||
Currently active provisioning is only done for OX AppSuite. The OX-Connector
|
||||
synchronizes creates, modifies and deletes activities for the following objects
|
||||
to the OX AppSuite using the AppSuite's SOAP API:
|
||||
|
||||
- Contexts
|
||||
- Users
|
||||
- Groups
|
||||
- Functional Mailboxes
|
||||
- Resources
|
||||
|
||||
# Component specific documentation
|
||||
|
||||
We want to provide more information per component in separate, component
|
||||
specific `README.md` files. In order to establish a common view on the
|
||||
components we are going to cover various aspects:
|
||||
|
||||
- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
|
||||
- **Resources**: Will contain a link to the components upstream documentation, the helm chart and image locations.
|
||||
- **Operational Capabilities**
|
||||
- **Install**: The components installs within the SWP.
|
||||
- **Restart**: Deleting and restarting pods works seamlessly.
|
||||
- **Update**: Redeploying the component with a different configuration works as expected. The component makes use of the updates configuration afterwards.
|
||||
- **Upgrade**: Component allows to upgrade existing deployments with more current versions of itself.
|
||||
- **Secrets**: The component uses K8s secrets.
|
||||
- **Logging**: Only logging to STDOUT, no logs inside the container.
|
||||
- **Monitoring**: Application provides based on kube-prometheus-stack CRD: ServiceMonitor and PrometheusRule. Optional: Grafana Dashboard.
|
||||
- **Scale**: If supported (as we use community products) the component should be manually scalable. Optional: Autoscaling.
|
||||
- **Network policies**: Deny by default, allow application related traffic.
|
||||
- **Uninstall**: Documented and working complete uninstallation of the component.
|
||||
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
|
||||
|
||||
## Links to component README.mds
|
||||
|
||||
- [Intercom-Service](./helmfile/apps/intercom-service/README.md)
|
||||
|
||||
## Tests
|
||||
|
||||
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
|
||||
The `DEPLOY_`-variables are used to determine which components should be tested.
|
||||
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
|
||||
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
|
||||
`<domain of gitlab>/api/v4/projects/<id>`.
|
||||
|
||||
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
|
||||
`TESTS_BRANCH` while creating a new pipeline.
|
||||
|
||||
# License
|
||||
|
||||
This project uses the following license: Apache-2.0
|
||||
|
||||
# Copyright
|
||||
Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
|
||||
# Footnotes
|
||||
|
||||
[^1] Required for scaling components Nextcloud, Dovecot and ClamAV Distributed.
|
||||
|
||||
43
docs/ci.md
Normal file
43
docs/ci.md
Normal file
@@ -0,0 +1,43 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>CI/CD</h1>
|
||||
|
||||
This page will cover openDesk automation via Gitlab CI.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Deployment](#deployment)
|
||||
* [Tests](#tests)
|
||||
<!-- TOC -->
|
||||
|
||||
## Deployment
|
||||
|
||||
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
|
||||
|
||||
|
||||
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
|
||||
|
||||
- `DOMAIN` = The domain to deploy to.
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||
|
||||
Based on your input, the following variables will be set:
|
||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
|
||||
|
||||
You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
|
||||
|
||||
|
||||
## Tests
|
||||
|
||||
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
|
||||
The `DEPLOY_`-variables are used to determine which components should be tested.
|
||||
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
|
||||
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
|
||||
`<domain of gitlab>/api/v4/projects/<id>`.
|
||||
|
||||
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
|
||||
`TESTS_BRANCH` while creating a new pipeline.
|
||||
178
docs/components.md
Normal file
178
docs/components.md
Normal file
@@ -0,0 +1,178 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Components</h1>
|
||||
|
||||
This section covers the internal system requirements as well as external service requirements for productive use.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Overview](#overview)
|
||||
* [Component integration](#component-integration)
|
||||
* [Intercom Service (ICS)](#intercom-service-ics)
|
||||
* [Filepicker](#filepicker)
|
||||
* [Central Navigation](#central-navigation)
|
||||
* [(Read & write) Central contacts](#read--write-central-contacts)
|
||||
* [OpenProject Filestore](#openproject-filestore)
|
||||
* [Identity data flows](#identity-data-flows)
|
||||
* [Provisioning](#provisioning)
|
||||
* [Component specific documentation](#component-specific-documentation)
|
||||
* [Links to component docs](#links-to-component-docs)
|
||||
<!-- TOC -->
|
||||
|
||||
## Overview
|
||||
|
||||
openDesk consists out of a variety of open-source projects. Here is a list with the description and type.
|
||||
|
||||
Components of type `Eval` are used for development and evaluation purposes only,
|
||||
they need to be replaced in production deployments.
|
||||
|
||||
| Component | Description | Type |
|
||||
|-----------------------------|--------------------------------|------------|
|
||||
| Certificates | TLS certificates | Eval |
|
||||
| ClamAV (Distributed) | Antivirus engine | Eval |
|
||||
| ClamAV (Simple) | Antivirus engine | Eval |
|
||||
| Collabora | Weboffice | Functional |
|
||||
| CryptPad | Weboffice | Functional |
|
||||
| Dovecot | Mail backend | Functional |
|
||||
| Element | Secure communications platform | Functional |
|
||||
| Intercom Service | Cross service data exchange | Functional |
|
||||
| Jitsi | Videoconferencing | Functional |
|
||||
| Keycloak | Identity Provider | Functional |
|
||||
| MariaDB | Database | Eval |
|
||||
| Memcached | Cache Database | Eval |
|
||||
| MinIO | Object Storage | Eval |
|
||||
| Nextcloud | File share | Functional |
|
||||
| OpenProject | Project management | Functional |
|
||||
| OX Appsuite | Groupware | Functional |
|
||||
| Provisioning | Backend provisioning | Functional |
|
||||
| Postfix | MTA | Eval |
|
||||
| PostgreSQL | Database | Eval |
|
||||
| Redis | Cache Database | Eval |
|
||||
| Univention Corporate Server | Identity Management & Portal | Functional |
|
||||
| Univention Management Stack | Identity Management & Portal | Eval |
|
||||
| XWiki | Knowledgebase | Functional |
|
||||
|
||||
## Component integration
|
||||
|
||||
Some use cases require inter component integration.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
|
||||
IntercomService-->|SilentLogin, TokenExchange|Keycloak
|
||||
IntercomService-->|Filepicker|Nextcloud
|
||||
IntercomService-->|CentralNavigation|Portal
|
||||
OXAppSuiteBackend-->|Filepicker|Nextcloud
|
||||
Nextcloud-->|CentralNavigation|Portal
|
||||
OpenProject-->|CentralNavigation|Portal
|
||||
XWiki-->|CentralNavigation|Portal
|
||||
Nextcloud-->|CentralContacts|OXAppSuiteBackend
|
||||
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
|
||||
```
|
||||
|
||||
### Intercom Service (ICS)
|
||||
|
||||
The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
|
||||
Handling authentication when the frontend of an application is using the API from another application is often a
|
||||
challenge.
|
||||
For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
|
||||
|
||||
To establish a session with the Intercom Service, the application that wants to use the ICS must initiate a silent
|
||||
login.
|
||||
|
||||
Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
|
||||
the ICS API.
|
||||
|
||||
### Filepicker
|
||||
|
||||
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
|
||||
and saving attachments to Nextcloud.
|
||||
|
||||
The filepicker is using frontend and backend based integration.
|
||||
Frontend-based integration means that OX AppSuite in the browser is communicating with ICS.
|
||||
While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
|
||||
when adding a file to an email or storing a file into Nextcloud.
|
||||
|
||||
### Central Navigation
|
||||
|
||||
Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
|
||||
allow components to render the menu showing all available SWP applications for the user.
|
||||
|
||||
### (Read & write) Central contacts
|
||||
|
||||
Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
|
||||
Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
|
||||
available personal contact.
|
||||
|
||||
### OpenProject Filestore
|
||||
|
||||
By default, Nextcloud is a configured option for storing attachments in OpenProject.
|
||||
The Filestore can be enabled on a per-project level in OpenProject's project admin section.
|
||||
|
||||
|
||||
## Identity data flows
|
||||
|
||||
An overview of
|
||||
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
|
||||
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
|
||||
|
||||
Some components trust others to handle authentication for them.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
K[Keycloak]-->L[LDAP]
|
||||
N[Nextcloud]-->L
|
||||
O[OpenProject] --> L
|
||||
A[OX AppSuite]-->L
|
||||
D[OX Dovecot]-->L
|
||||
P[Portal/Admin]-->L
|
||||
X[XWiki]-->|in 2023|L
|
||||
A-->K
|
||||
N-->K
|
||||
D-->K
|
||||
O-->K
|
||||
X-->K
|
||||
P-->|SAML|K
|
||||
E[Element]-->K
|
||||
J[Jitsi]-->K
|
||||
I[IntercomService]-->K
|
||||
C[Collabora]-->N
|
||||
R[CryptPad]-->N
|
||||
F[Postfix]-->D
|
||||
```
|
||||
|
||||
## Provisioning
|
||||
|
||||
Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and
|
||||
deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
|
||||
|
||||
- Contexts
|
||||
- Users
|
||||
- Groups
|
||||
- Functional Mailboxes
|
||||
- Resources
|
||||
|
||||
## Component specific documentation
|
||||
|
||||
We want to provide more information per component in separate, component-specific markdown file.
|
||||
To establish a common view on the components, we are going to cover various aspects:
|
||||
|
||||
- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
|
||||
- **Resources**: Will contain a link to the component upstream documentation, the helm chart and image locations.
|
||||
- **Operational Capabilities**
|
||||
- **Install**: The components install within the SWP.
|
||||
- **Restart**: Deleting and restarting pods works seamlessly.
|
||||
- **Update**: Redeploying the component with a different configuration works as expected. The component makes use of the updates configuration afterwards.
|
||||
- **Upgrade**: Component allows upgrading existing deployments with more current versions of itself.
|
||||
- **Secrets**: The component uses K8s secrets.
|
||||
- **Logging**: Only logging to STDOUT, no logs inside the container.
|
||||
- **Monitoring**: Application provides based on kube-prometheus-stack CRD: ServiceMonitor and PrometheusRule. Optional: Grafana Dashboard.
|
||||
- **Scale**: If supported (as we use community products) the component should be manually scalable. Optional: Autoscaling.
|
||||
- **Network policies**: Deny by default, allow application related traffic.
|
||||
- **Uninstall**: Documented and working complete uninstallation of the component.
|
||||
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
|
||||
|
||||
## Links to component docs
|
||||
|
||||
- [Intercom-Service](./components/intercom-service.md)
|
||||
77
docs/external-services.md
Normal file
77
docs/external-services.md
Normal file
@@ -0,0 +1,77 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>External services</h1>
|
||||
|
||||
This document will cover the additional configuration to use external services like databases, caches or buckets.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Database](#database)
|
||||
* [Cache](#cache)
|
||||
<!-- TOC -->
|
||||
|
||||
## Database
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade database
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
|
||||
| Element | Synapse | PostgreSQL | | | |
|
||||
| | | | Name | `databases.synapse.name` | `matrix` |
|
||||
| | | | Host | `databases.synapse.host` | `postgresql` |
|
||||
| | | | Port | `databases.synapse.port` | `5432` |
|
||||
| | | | Username | `databases.synapse.username` | `matrix_user` |
|
||||
| | | | Password | `databases.synapse.password` | |
|
||||
| Keycloak | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloak.name` | `keycloak` |
|
||||
| | | | Host | `databases.keycloak.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloak.port` | `5432` |
|
||||
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
|
||||
| | | | Password | `databases.keycloak.password` | |
|
||||
| | Keycloak Extension | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
|
||||
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||
| | | | Password | `databases.keycloakExtension.password` | |
|
||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
|
||||
| | | | Password | `databases.nextcloud.password` | |
|
||||
| OpenProject | OpenProject | PostgreSQL | | | |
|
||||
| | | | Name | `databases.openproject.name` | `openproject` |
|
||||
| | | | Host | `databases.openproject.host` | `postgresql` |
|
||||
| | | | Port | `databases.openproject.port` | `5432` |
|
||||
| | | | Username | `databases.openproject.username` | `openproject_user` |
|
||||
| | | | Password | `databases.openproject.password` | |
|
||||
| OX Appsuite | OX Appsuite | MariaDB | | | |
|
||||
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
|
||||
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
|
||||
| | | | Username | `databases.oxAppsuite.username` | `root` |
|
||||
| | | | Password | `databases.oxAppsuite.password` | |
|
||||
| XWiki | XWiki | MariaDB | | | |
|
||||
| | | | Name | `databases.xwiki.name` | `xwiki` |
|
||||
| | | | Host | `databases.xwiki.host` | `mariadb` |
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
|
||||
## Cache
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade cache
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|------------------|------------------|-----------|-----------|------------------------------|------------------|
|
||||
| Intercom Service | Intercom Service | Redis | | | |
|
||||
| | | | Host | `cache.intercomService.host` | `redis-headless` |
|
||||
| | | | Port | `cache.intercomService.port` | `6379` |
|
||||
| Nextcloud | Nextcloud | Redis | | | |
|
||||
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
|
||||
| | | | Port | `cache.nextcloud.port` | `6379` |
|
||||
| OpenProject | OpenProject | Memcached | | | |
|
||||
| | | | Host | `cache.openproject.host` | `memcached` |
|
||||
| | | | Port | `cache.openproject.port` | `11211` |
|
||||
412
docs/getting-started.md
Normal file
412
docs/getting-started.md
Normal file
@@ -0,0 +1,412 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Getting stated</h1>
|
||||
|
||||
This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Requirements](#requirements)
|
||||
* [Customize environment](#customize-environment)
|
||||
* [Domain](#domain)
|
||||
* [Apps](#apps)
|
||||
* [Private OCI registry](#private-oci-registry)
|
||||
* [Private Helm registry](#private-helm-registry)
|
||||
* [Cluster capabilities](#cluster-capabilities)
|
||||
* [Service](#service)
|
||||
* [Networking](#networking)
|
||||
* [Ingress](#ingress)
|
||||
* [Container runtime](#container-runtime)
|
||||
* [Volumes](#volumes)
|
||||
* [Connectivity](#connectivity)
|
||||
* [Mail/SMTP configuration](#mailsmtp-configuration)
|
||||
* [TURN configuration](#turn-configuration)
|
||||
* [Certificate issuer](#certificate-issuer)
|
||||
* [Password seed](#password-seed)
|
||||
* [Install](#install)
|
||||
* [Install single app](#install-single-app)
|
||||
* [Install single release/chart](#install-single-releasechart)
|
||||
* [Access deployment](#access-deployment)
|
||||
* [Uninstall](#uninstall)
|
||||
<!-- TOC -->
|
||||
|
||||
Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to
|
||||
deploy openDesk onto your kubernetes infrastructure.
|
||||
|
||||
## Requirements
|
||||
|
||||
Detailed system requirements are covered on [requirements](requirements.md) page.
|
||||
|
||||
## Customize environment
|
||||
|
||||
Before deploying openDesk, you have to configure the deployment to suit your environment.
|
||||
To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment
|
||||
files.
|
||||
|
||||
> All configuration options and their default values can be found in files at `helmfile/environments/default/`
|
||||
|
||||
For the following guide, we will use `dev` as environment, where variables can be set in
|
||||
`helmfile/environments/dev/values.yaml`.
|
||||
|
||||
### Domain
|
||||
|
||||
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
|
||||
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
|
||||
|
||||
A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
|
||||
|
||||
All subdomains can be customized. For example, _Nextcloud_ can be changed to `files.domain.tld` in `dev` environment:
|
||||
|
||||
```yaml
|
||||
global:
|
||||
hosts:
|
||||
nextcloud: "files"
|
||||
```
|
||||
|
||||
The domain have to be set either via `dev` environment
|
||||
|
||||
```yaml
|
||||
global:
|
||||
domain: "my.open.desk"
|
||||
istio:
|
||||
domain: "istio.my.open.desk"
|
||||
```
|
||||
|
||||
or via environment variable
|
||||
|
||||
```shell
|
||||
export DOMAIN=my.open.desk
|
||||
export ISTIO_DOMAIN=istio.my.open.desk
|
||||
```
|
||||
|
||||
When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
|
||||
|
||||
Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
|
||||
|
||||
```yaml
|
||||
istio:
|
||||
enabled: false
|
||||
oxAppsuite:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
### Apps
|
||||
|
||||
All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
|
||||
|
||||
| Component | Name | Default | Description |
|
||||
|-----------------------------|-------------------------------------|---------|--------------------------------|
|
||||
| Certificates | `certificates.enabled` | `true` | TLS certificates |
|
||||
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine |
|
||||
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine |
|
||||
| Collabora | `collabora.enabled` | `true` | Weboffice |
|
||||
| CryptPad | `cryptpad.enabled` | `true` | Weboffice |
|
||||
| Dovecot | `dovecot.enabled` | `true` | Mail backend |
|
||||
| Element | `element.enabled` | `true` | Secure communications platform |
|
||||
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange |
|
||||
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
|
||||
| Keycloak | `keycloak.enabled` | `true` | Identity Provider |
|
||||
| MariaDB | `mariadb.enabled` | `true` | Database |
|
||||
| Memcached | `memcached.enabled` | `true` | Cache Database |
|
||||
| MinIO | `minio.enabled` | `true` | Object Storage |
|
||||
| Nextcloud | `nextcloud.enabled` | `true` | File share |
|
||||
| OpenProject | `openproject.enabled` | `true` | Project management |
|
||||
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware |
|
||||
| Provisioning | `oxConnector.enabled` | `true` | Backend provisioning |
|
||||
| Postfix | `postfix.enabled` | `true` | MTA |
|
||||
| PostgreSQL | `postgresql.enabled` | `true` | Database |
|
||||
| Redis | `redis.enabled` | `true` | Cache Database |
|
||||
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal |
|
||||
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal |
|
||||
| XWiki | `xwiki.enabled` | `true` | Knowledgebase |
|
||||
|
||||
Exemplary, Jitsi can be disabled like:
|
||||
|
||||
```yaml
|
||||
jitsi:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
### Private OCI registry
|
||||
|
||||
By default, all OCI artifacts are proxied via the project's container registry, which should get replaced soon by the
|
||||
OCI registries provided by Open CoDE.
|
||||
|
||||
You also can set your own registry by:
|
||||
|
||||
```yaml
|
||||
global:
|
||||
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
|
||||
```
|
||||
|
||||
or via environments variable:
|
||||
|
||||
```shell
|
||||
export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
|
||||
```
|
||||
|
||||
If authentication is required, you can reference imagePullSecrets as following:
|
||||
```yaml
|
||||
global:
|
||||
imagePullSecrets:
|
||||
- "external-registry"
|
||||
```
|
||||
|
||||
### Private Helm registry
|
||||
|
||||
Some apps use Chart Museum style helm registries. You can use your own registry by setting this environment variable:
|
||||
|
||||
```shell
|
||||
export PRIVATE_CHART_REPOSITORY_URL=charts.open.desk
|
||||
```
|
||||
|
||||
### Cluster capabilities
|
||||
|
||||
#### Service
|
||||
|
||||
Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections.
|
||||
These apps create a Kubernetes service object.
|
||||
You can configure, whether `NodePort` (for on-premise), `LoadBalancer` (for cloud) or `ClusterIP` (to disable) should be
|
||||
used:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
service:
|
||||
type: "NodePort"
|
||||
```
|
||||
|
||||
#### Networking
|
||||
|
||||
If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
networking:
|
||||
domain: "acme.internal"
|
||||
```
|
||||
|
||||
If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
networking:
|
||||
cidr: "127.0.0.0/8"
|
||||
```
|
||||
|
||||
#### Ingress
|
||||
|
||||
By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
|
||||
setting:
|
||||
|
||||
```yaml
|
||||
ingress:
|
||||
ingressClassName: "cilium"
|
||||
```
|
||||
|
||||
#### Container runtime
|
||||
|
||||
Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`,
|
||||
`containerd` or `docker` by:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
container:
|
||||
engine: "containerd"
|
||||
```
|
||||
|
||||
#### Volumes
|
||||
|
||||
When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By
|
||||
default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
persistence:
|
||||
readWriteMany: true
|
||||
```
|
||||
|
||||
The **StorageClass** can be set by:
|
||||
|
||||
```yaml
|
||||
persistence:
|
||||
storageClassNames:
|
||||
RWX: "my-read-write-many-class"
|
||||
RWO: "my-read-write-once-class"
|
||||
```
|
||||
|
||||
### Connectivity
|
||||
|
||||
#### Mail/SMTP configuration
|
||||
|
||||
To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from
|
||||
the whole subdomain.
|
||||
|
||||
```yaml
|
||||
smtp:
|
||||
host: "mail.open.desk"
|
||||
username: "openDesk"
|
||||
password: "secret"
|
||||
```
|
||||
|
||||
#### TURN configuration
|
||||
|
||||
Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
|
||||
these options:
|
||||
|
||||
```yaml
|
||||
turn:
|
||||
transport: "udp" # or tcp
|
||||
credentials: "secret"
|
||||
server:
|
||||
host: "turn.open.desk"
|
||||
port: "3478"
|
||||
tls:
|
||||
host: "turns.open.desk"
|
||||
port: "5349"
|
||||
```
|
||||
|
||||
#### Certificate issuer
|
||||
|
||||
As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS
|
||||
secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can
|
||||
disable `Certificate` resource creation by:
|
||||
|
||||
```yaml
|
||||
certificates:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the
|
||||
configured cluster issuer:
|
||||
|
||||
```yaml
|
||||
certificate:
|
||||
issuerRef:
|
||||
name: "letsencrypt-prod"
|
||||
```
|
||||
|
||||
Additionally, it is possible to request wildcard certificates by:
|
||||
|
||||
```yaml
|
||||
certificate:
|
||||
wildcard: true
|
||||
```
|
||||
|
||||
### Password seed
|
||||
|
||||
All secrets are generated from a single master password via Master Password (algorithm).
|
||||
To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
|
||||
|
||||
```shell
|
||||
export MASTER_PASSWORD="openDesk"
|
||||
```
|
||||
|
||||
## Install
|
||||
|
||||
After setting your environment specific values in `dev` environment, you can start deployment by:
|
||||
|
||||
```shell
|
||||
helmfile apply -e dev -n <NAMESPACE> [-l <label>] [--suppress-diff]
|
||||
```
|
||||
|
||||
**Arguments:**
|
||||
|
||||
- `-e <env>`: Environment name out of `default`, `dev`, `test`, `prod`
|
||||
- `-n <namespace>`: Kubernetes namespace
|
||||
- `-l <label>`: Label selector
|
||||
- `--suppress-diff`: Disable diff printing
|
||||
|
||||
### Install single app
|
||||
|
||||
You can also install or upgrade only a single app like Collabora, either by label selector:
|
||||
|
||||
```shell
|
||||
helmfile apply -e dev -n <NAMESPACE> -l component=collabora
|
||||
```
|
||||
|
||||
or by switching into the apps' directory (faster):
|
||||
|
||||
```shell
|
||||
cd helmfile/apps/collabora
|
||||
helmfile apply -e dev -n <NAMESPACE>
|
||||
```
|
||||
|
||||
### Install single release/chart
|
||||
|
||||
Instead of iteration through all services, you can also deploy a single release like mariadb by:
|
||||
|
||||
```shell
|
||||
helmfile apply -e dev -n <NAMESPACE> -l name=mariadb
|
||||
```
|
||||
|
||||
## Access deployment
|
||||
|
||||
When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to
|
||||
|
||||
```text
|
||||
https://portal.domain.tld
|
||||
```
|
||||
|
||||
If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal`
|
||||
by your specified subdomain.
|
||||
|
||||
**Credentials:**
|
||||
|
||||
```shell
|
||||
# Replace with your namespace
|
||||
NAMESPACE=your-namespace
|
||||
|
||||
# Get UCS container, which contains passwords as env var.
|
||||
CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}')
|
||||
# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container
|
||||
#
|
||||
# NAME READY STATUS RESTARTS AGE
|
||||
# univention-corporate-container-8665c6f8b7-nlhc6 1/1 Running 0 10m
|
||||
|
||||
|
||||
# Password of `default.user`
|
||||
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
|
||||
# 40615..............................e9e2f
|
||||
|
||||
# Password of `default.admin`
|
||||
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
|
||||
# bdbbb..............................04db6
|
||||
```
|
||||
|
||||
Now you can log in with obtained credentials:
|
||||
|
||||
| Username | Password | Description |
|
||||
|-----------------|--------------------------------------------|------------------|
|
||||
| `default.user` | `40615..............................e9e2f` | Application user |
|
||||
| `default.admin` | `bdbbb..............................04db6` | Administrator |
|
||||
|
||||
## Uninstall
|
||||
|
||||
You can uninstall the deployment by:
|
||||
|
||||
```shell
|
||||
helmfile destroy -n <NAMESPACE>
|
||||
```
|
||||
|
||||
> **Note**
|
||||
> Not all Jobs, PersistentVolumeClaims or Certificates are deleted; you have to delete them manually
|
||||
|
||||
**'Sledgehammer destroy'** - for fast development turn-around times (at your own risk):
|
||||
|
||||
```shell
|
||||
NAMESPACE=your-namespace
|
||||
|
||||
# Uninstall all Helm charts
|
||||
for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
|
||||
helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
|
||||
done
|
||||
|
||||
# Delete leftover resources
|
||||
kubectl delete pvc --all --namespace ${NAMESPACE};
|
||||
kubectl delete jobs --all --namespace ${NAMESPACE};
|
||||
```
|
||||
|
||||
> **Warning**
|
||||
> Without specifying or empty `--namespace` flag, cluster-wide components get deleted!
|
||||
71
docs/monitoring.md
Normal file
71
docs/monitoring.md
Normal file
@@ -0,0 +1,71 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Monitoring</h1>
|
||||
|
||||
This document will cover how you can enable observability with Prometheus based monitoring and Grafana dashboards, as
|
||||
well as the overall status of monitoring integration.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Technology](#technology)
|
||||
* [Defaults](#defaults)
|
||||
* [Metrics](#metrics)
|
||||
* [Alerts](#alerts)
|
||||
* [Dashboards for Grafana](#dashboards-for-grafana)
|
||||
* [Components](#components)
|
||||
<!-- TOC -->
|
||||
|
||||
## Technology
|
||||
|
||||
We provide integration into the Prometheus based monitoring.
|
||||
Together with
|
||||
[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) you
|
||||
easily leverage the full potential of open-source cloud-native observability stack.
|
||||
|
||||
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
|
||||
repository or prometheus operator.
|
||||
|
||||
## Defaults
|
||||
|
||||
All configurable options and their defaults can be found in
|
||||
[`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml).
|
||||
|
||||
## Metrics
|
||||
|
||||
To deploy podMonitor and serviceMonitor custom resources, enable it by:
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
serviceMonitors:
|
||||
enabled: true
|
||||
podMonitors:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Alerts
|
||||
|
||||
Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
prometheusRules:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Dashboards for Grafana
|
||||
|
||||
To deploy optional ConfigMaps with Grafana dashboards, enable it by:
|
||||
|
||||
```yaml
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Components
|
||||
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|
||||
|:----------|-----------------------------------|-------------------------|---------------------|
|
||||
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
|
||||
| Nextcloud | :white_check_mark: | :x: | :x: |
|
||||
105
docs/requirements.md
Normal file
105
docs/requirements.md
Normal file
@@ -0,0 +1,105 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Requirements</h1>
|
||||
|
||||
This section covers the internal system requirements as well as external service requirements for productive use.
|
||||
|
||||
<!-- TOC -->
|
||||
* [TL;DR;](#tldr)
|
||||
* [Hardware](#hardware)
|
||||
* [Kubernetes](#kubernetes)
|
||||
* [Ingress controller](#ingress-controller)
|
||||
* [Volume provisioner](#volume-provisioner)
|
||||
* [Certificate management](#certificate-management)
|
||||
* [External services](#external-services)
|
||||
* [Deployment](#deployment)
|
||||
<!-- TOC -->
|
||||
|
||||
## TL;DR;
|
||||
openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
|
||||
|
||||
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
|
||||
- Domain and DNS Service
|
||||
- Ingress controller (supported are nginx-ingress, HAProxy)
|
||||
- [Helm](https://helm.sh/) >= v3.9.0
|
||||
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
|
||||
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
|
||||
- Volume provisioner supporting RWO (read-write-once)
|
||||
- Certificate handling with [cert-manager](https://cert-manager.io/)
|
||||
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
|
||||
|
||||
## Hardware
|
||||
|
||||
The following minimal requirements are thought for initial evaluation deployment:
|
||||
|
||||
| Spec | Value |
|
||||
|------|------------------------------------------------------|
|
||||
| CPU | 8 Cores of x64 or x86 CPU (ARM is not supported yet) |
|
||||
| RAM | 16 GB, recommended 32 GB |
|
||||
| Disk | HDD or SSD, >10 GB |
|
||||
|
||||
## Kubernetes
|
||||
|
||||
Any self-hosted or managed K8s cluster >= 1.24 listed in
|
||||
[CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported.
|
||||
|
||||
The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/kubespray) based clusters.
|
||||
|
||||
> **Note:** The deployment is not tested against OpenShift.
|
||||
|
||||
## Ingress controller
|
||||
|
||||
The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
|
||||
configured ingress controller deployed.
|
||||
|
||||
**Maintained controllers:**
|
||||
- [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
|
||||
- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
|
||||
|
||||
**Community Supported:**
|
||||
- [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
|
||||
|
||||
When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
|
||||
|
||||
## Volume provisioner
|
||||
|
||||
Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
|
||||
provisioner is sufficient.
|
||||
|
||||
> **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling.
|
||||
|
||||
## Certificate management
|
||||
|
||||
This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**,
|
||||
but a secret containing a valid TLS certificate is required.
|
||||
|
||||
Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or
|
||||
openDesk certificate management disabled.
|
||||
|
||||
## External services
|
||||
|
||||
Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
|
||||
|
||||
|
||||
| Group | Type | Version | Tested against |
|
||||
|----------|---------------------|---------|-----------------------|
|
||||
| Cache | Memached | `1.6.x` | Memached |
|
||||
| | Redis | `7.x.x` | Redis |
|
||||
| Database | MariaDB | `10.x` | MariaDB |
|
||||
| | PostgreSQL | `15.x` | PostgreSQL |
|
||||
| Mail | Mail Transfer Agent | | Postfix |
|
||||
| | PKI/CI (SMIME) | | |
|
||||
| Security | AntiVirus/ICAP | | ClamAV |
|
||||
| Storage | K8s ReadWriteOnce | | Ceph / Cloud specific |
|
||||
| | K8s ReadWriteMany | | Ceph / NFS |
|
||||
| | Object Storage | | MinIO |
|
||||
| Voice | TURN | | Coturn |
|
||||
|
||||
## Deployment
|
||||
|
||||
The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and
|
||||
templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience.
|
||||
|
||||
Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare desired against deployed state.
|
||||
52
docs/scaling.md
Normal file
52
docs/scaling.md
Normal file
@@ -0,0 +1,52 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Scaling</h1>
|
||||
|
||||
This document should cover the abilities to scale apps.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Replicas](#replicas)
|
||||
<!-- TOC -->
|
||||
|
||||
## Replicas
|
||||
|
||||
The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
|
||||
apps with a check-mark in `Scaling (effective)` column.
|
||||
|
||||
Verified positive effects are marke with a check-mark in `Scaling (verified)` column, apps which are not yet tested are
|
||||
marked with a gear.
|
||||
|
||||
|
||||
| Component | Name | Scaling (effective) | Scaling (verified) |
|
||||
|-------------|------------------------------------------|:-------------------:|:------------------:|
|
||||
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.freshclam` | :x: | :x: |
|
||||
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
|
||||
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
|
||||
| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: |
|
||||
| Dovecot | `replicas.dovecot` | :x: | :gear: |
|
||||
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.matrixNeoBoardWidget` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixNeoChoiceWidget` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixNeoDateFixBot` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixNeoDateFixWidget` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixUserVerificationService` | :white_check_mark: | :gear: |
|
||||
| | `replicas.synapse` | :x: | :gear: |
|
||||
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
|
||||
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jicofo` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jitsiKeycloakAdapter` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jvb ` | :x: | :x: |
|
||||
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
|
||||
| Minio | `replicas.minioDistributed` | :white_check_mark: | :white_check_mark: |
|
||||
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
|
||||
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
|
||||
| Postfix | `replicas.postfix` | :x: | :gear: |
|
||||
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
|
||||
92
docs/security.md
Normal file
92
docs/security.md
Normal file
@@ -0,0 +1,92 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Security</h1>
|
||||
|
||||
This document should cover the current status of security measurements.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
|
||||
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
|
||||
<!-- TOC -->
|
||||
|
||||
## Helm Chart Trust Chain
|
||||
|
||||
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
|
||||
`pubkey.gpg` file and are validated during helmfile installation.
|
||||
|
||||
| Repository | OCI | Verifiable |
|
||||
|--------------------------------------|:---:|:------------------:|
|
||||
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
|
||||
| clamav-repo | yes | :white_check_mark: |
|
||||
| collabora-online-repo | no | :x: |
|
||||
| cryptpad-online-repo | no | :x: |
|
||||
| intercom-service-repo | yes | :white_check_mark: |
|
||||
| istio-resources-repo | yes | :white_check_mark: |
|
||||
| jitsi-repo | yes | :white_check_mark: |
|
||||
| keycloak-extensions-repo | no | :x: |
|
||||
| keycloak-theme-repo | yes | :white_check_mark: |
|
||||
| mariadb-repo | yes | :white_check_mark: |
|
||||
| nextcloud-repo | no | :x: |
|
||||
| opendesk-certificates-repo | yes | :white_check_mark: |
|
||||
| opendesk-dovecot-repo | yes | :white_check_mark: |
|
||||
| opendesk-element-repo | yes | :white_check_mark: |
|
||||
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
|
||||
| openproject-repo | no | :x: |
|
||||
| openxchange-repo | yes | :x: |
|
||||
| ox-connector-repo | no | :x: |
|
||||
| postfix-repo | yes | :white_check_mark: |
|
||||
| postgresql-repo | yes | :white_check_mark: |
|
||||
| univention-corporate-container-repo | yes | :white_check_mark: |
|
||||
| ums-repo | no | :x: |
|
||||
| xwiki-repo | no | :x: |
|
||||
|
||||
## Kubernetes Security Enforcements
|
||||
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
59
docs/theming.md
Normal file
59
docs/theming.md
Normal file
@@ -0,0 +1,59 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Theming</h1>
|
||||
|
||||
This document will cover the theming and customization of your openDesk deployment.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Strings and texts](#strings-and-texts)
|
||||
* [Colors](#colors)
|
||||
* [Images and Logos](#images-and-logos)
|
||||
* [Known limits](#known-limits)
|
||||
<!-- TOC -->
|
||||
|
||||
## Strings and texts
|
||||
|
||||
The deployment name can be changed by:
|
||||
|
||||
```yaml
|
||||
theme:
|
||||
texts:
|
||||
productName: "openDesk Cloud"
|
||||
```
|
||||
|
||||
## Colors
|
||||
|
||||
The primary color and their derivates with lesser opacity be customized by:
|
||||
|
||||
```yaml
|
||||
theme:
|
||||
colors:
|
||||
primary: "#5e27dd"
|
||||
primary65: "#9673e9"
|
||||
primary35: "#c7b3f3"
|
||||
primary15: "#e7dffa"
|
||||
```
|
||||
|
||||
## Images and Logos
|
||||
|
||||
You can customize the logo and favicon by providing SVG or icon as inline value:
|
||||
|
||||
```yaml
|
||||
theme:
|
||||
imagery:
|
||||
logoHeaderSvg: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
|
||||
logoHeaderSvgWhite: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
|
||||
logoPortalBackgroundSvg: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
|
||||
faviconIco: "..."
|
||||
```
|
||||
|
||||
## Known limits
|
||||
|
||||
Not all applications support theming. Known exceptions are:
|
||||
- Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
|
||||
for theming through the deployment).
|
||||
- OpenProject
|
||||
- Jitsi
|
||||
@@ -29,7 +29,7 @@ missingFileHandler: "Error"
|
||||
# - Installing all releases from root via helmfile apply
|
||||
# - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
|
||||
# - Installing a single release from app directory via helmfile apply
|
||||
# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
|
||||
# Issue: https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues/2
|
||||
|
||||
environments:
|
||||
default:
|
||||
|
||||
@@ -33,7 +33,7 @@ repositories:
|
||||
releases:
|
||||
- name: "opendesk-element"
|
||||
chart: "opendesk-element-repo/opendesk-element"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-element.yaml"
|
||||
- "values-element.gotmpl"
|
||||
@@ -42,7 +42,7 @@ releases:
|
||||
|
||||
- name: "opendesk-well-known"
|
||||
chart: "opendesk-element-repo/opendesk-well-known"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-well-known.yaml"
|
||||
- "values-well-known.gotmpl"
|
||||
@@ -51,7 +51,7 @@ releases:
|
||||
|
||||
- name: "opendesk-synapse-web"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-web"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-synapse-web.yaml"
|
||||
- "values-synapse-web.gotmpl"
|
||||
@@ -60,7 +60,7 @@ releases:
|
||||
|
||||
- name: "opendesk-synapse"
|
||||
chart: "opendesk-element-repo/opendesk-synapse"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-synapse.yaml"
|
||||
- "values-synapse.gotmpl"
|
||||
@@ -69,7 +69,7 @@ releases:
|
||||
|
||||
- name: "opendesk-matrix-user-verification-service-bootstrap"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-create-account"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-matrix-user-verification-service-bootstrap.yaml"
|
||||
- "values-matrix-user-verification-service-bootstrap.gotmpl"
|
||||
@@ -78,7 +78,7 @@ releases:
|
||||
|
||||
- name: "opendesk-matrix-user-verification-service"
|
||||
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-matrix-user-verification-service.yaml"
|
||||
- "values-matrix-user-verification-service.gotmpl"
|
||||
@@ -114,7 +114,7 @@ releases:
|
||||
|
||||
- name: "matrix-neodatefix-bot-bootstrap"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-create-account"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-matrix-neodatefix-bot-bootstrap.yaml"
|
||||
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
|
||||
|
||||
@@ -46,4 +46,7 @@ ingress:
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.intercomService | toYaml | nindent 2 }}
|
||||
...
|
||||
|
||||
@@ -16,7 +16,7 @@ repositories:
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
# openDesk Keycloak Theme
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
|
||||
- name: "keycloak-theme-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
|
||||
@@ -8,7 +8,7 @@ bases:
|
||||
repositories:
|
||||
# openDesk Keycloak Bootstrap
|
||||
# Source:
|
||||
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
|
||||
# https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
|
||||
- name: "opendesk-nextcloud-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
@@ -28,7 +28,7 @@ repositories:
|
||||
releases:
|
||||
- name: "opendesk-nextcloud-bootstrap"
|
||||
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
|
||||
version: "3.2.2"
|
||||
version: "3.2.3"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
|
||||
@@ -39,6 +39,9 @@ config:
|
||||
host: {{ .Values.ldap.host | quote }}
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
|
||||
|
||||
serverinfo:
|
||||
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
|
||||
|
||||
smtp:
|
||||
host: {{ .Values.smtp.host | quote }}
|
||||
username: {{ .Values.smtp.username | quote }}
|
||||
|
||||
@@ -35,7 +35,22 @@ image:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
metrics:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
https: true
|
||||
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: {{ .Values.images.nextcloudExporter.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
|
||||
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
resources:
|
||||
{{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
|
||||
|
||||
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
|
||||
replicaCount: {{ .Values.replicas.nextcloud }}
|
||||
|
||||
@@ -41,9 +41,6 @@ externalDatabase:
|
||||
# to the mariadb:
|
||||
type: "mysql"
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
|
||||
nextcloud:
|
||||
configs:
|
||||
mimetypealiases.json: |-
|
||||
|
||||
@@ -7,7 +7,7 @@ bases:
|
||||
---
|
||||
repositories:
|
||||
# openDesk Dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
|
||||
- name: "opendesk-dovecot-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
@@ -21,7 +21,7 @@ repositories:
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
|
||||
# openDesk Open-Xchange Bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
|
||||
- name: "opendesk-open-xchange-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
@@ -35,7 +35,7 @@ repositories:
|
||||
releases:
|
||||
- name: "dovecot"
|
||||
chart: "opendesk-dovecot-repo/dovecot"
|
||||
version: "1.3.4"
|
||||
version: "1.3.6"
|
||||
values:
|
||||
- "values-dovecot.yaml"
|
||||
- "values-dovecot.gotmpl"
|
||||
|
||||
@@ -22,7 +22,8 @@ dovecot:
|
||||
host: {{ .Values.ldap.host | quote }}
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
|
||||
oidc:
|
||||
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
|
||||
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
|
||||
introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
|
||||
clientID: "as8oidc"
|
||||
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
|
||||
|
||||
@@ -2,7 +2,22 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "KILL"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SYS_CHROOT"
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
dovecot:
|
||||
ldap:
|
||||
@@ -14,4 +29,13 @@ dovecot:
|
||||
enabled: true
|
||||
clientID: "as8oidc"
|
||||
usernameAttribute: "phoenixusername"
|
||||
|
||||
submission:
|
||||
enabled: true
|
||||
ssl: "no"
|
||||
host: "postfix:25"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
...
|
||||
|
||||
@@ -25,6 +25,8 @@ nextcloud-integration-ui:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
|
||||
|
||||
public-sector-ui:
|
||||
image:
|
||||
@@ -35,6 +37,8 @@ public-sector-ui:
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
|
||||
|
||||
appsuite:
|
||||
istio:
|
||||
@@ -62,6 +66,8 @@ appsuite:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
|
||||
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
|
||||
properties:
|
||||
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
|
||||
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
|
||||
@@ -119,6 +125,8 @@ appsuite:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
|
||||
|
||||
core-ui:
|
||||
imagePullSecrets:
|
||||
@@ -129,6 +137,8 @@ appsuite:
|
||||
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
|
||||
|
||||
core-ui-middleware:
|
||||
ingress:
|
||||
@@ -146,13 +156,18 @@ appsuite:
|
||||
redis:
|
||||
auth:
|
||||
password: {{ .Values.secrets.redis.password | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
|
||||
updater:
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
|
||||
|
||||
core-documentconverter:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
|
||||
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
|
||||
|
||||
core-guidedtours:
|
||||
imagePullSecrets:
|
||||
@@ -163,11 +178,15 @@ appsuite:
|
||||
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
|
||||
|
||||
core-imageconverter:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
|
||||
|
||||
guard-ui:
|
||||
imagePullSecrets:
|
||||
@@ -178,6 +197,8 @@ appsuite:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
|
||||
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
|
||||
|
||||
core-user-guide:
|
||||
image:
|
||||
@@ -188,4 +209,6 @@ appsuite:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
|
||||
...
|
||||
|
||||
@@ -14,6 +14,17 @@ appsuite:
|
||||
masterAdmin: "admin"
|
||||
gotenberg:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
features:
|
||||
status:
|
||||
# enable admin pack
|
||||
@@ -27,6 +38,7 @@ appsuite:
|
||||
open-xchange-authentication-oauth: "enabled"
|
||||
properties:
|
||||
com.openexchange.UIWebPath: "/appsuite/"
|
||||
com.openexchange.showAdmin: "false"
|
||||
# PDF Export
|
||||
com.openexchange.capability.mail_export_pdf: "true"
|
||||
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
|
||||
@@ -158,8 +170,23 @@ appsuite:
|
||||
mkdir -p /opt/open-xchange/guard-files
|
||||
chown open-xchange:open-xchange /opt/open-xchange/guard-files
|
||||
|
||||
# Security context for core-mw has no effect yet
|
||||
# podSecurityContext: {}
|
||||
# securityContext: {}
|
||||
|
||||
core-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-ui-middleware:
|
||||
enabled: true
|
||||
@@ -170,15 +197,62 @@ appsuite:
|
||||
- "redis-master:6379"
|
||||
auth:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-guidedtours:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
guard-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-cacheservice:
|
||||
enabled: false
|
||||
|
||||
core-user-guide:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-imageconverter:
|
||||
enabled: true
|
||||
@@ -188,6 +262,19 @@ appsuite:
|
||||
endpoint: "."
|
||||
accessKey: "."
|
||||
secretKey: "."
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-spellcheck:
|
||||
enabled: false
|
||||
@@ -198,6 +285,19 @@ appsuite:
|
||||
cache:
|
||||
remoteCache:
|
||||
enabled: false
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-documents-collaboration:
|
||||
enabled: false
|
||||
@@ -213,3 +313,30 @@ appsuite:
|
||||
enabled: false
|
||||
core-drive-help:
|
||||
enabled: false
|
||||
|
||||
nextcloud-integration-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
public-sector-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
...
|
||||
|
||||
@@ -26,6 +26,7 @@ oxConnector:
|
||||
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
|
||||
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
oxDefaultContext: "1"
|
||||
ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
|
||||
|
||||
@@ -5,12 +5,9 @@ ingress:
|
||||
enabled: false
|
||||
|
||||
oxConnector:
|
||||
# ldapHostIp: ""
|
||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
||||
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
|
||||
tlsMode: "off"
|
||||
# current static password for UCC
|
||||
ldapPassword: "ucctempldapstring"
|
||||
caCert: "ucctempldapstring"
|
||||
debugLevel: "5"
|
||||
logLevel: "DEBUG"
|
||||
|
||||
@@ -41,15 +41,16 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-ldap-server"
|
||||
chart: "ums-repo/ldap-server"
|
||||
version: "0.4.1"
|
||||
version: "0.7.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-ldap-server.gotmpl"
|
||||
- "values-ldap-server.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-ldap-notifier"
|
||||
chart: "ums-repo/ldap-notifier"
|
||||
version: "0.4.1"
|
||||
version: "0.7.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -58,7 +59,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-udm-rest-api"
|
||||
chart: "ums-repo/udm-rest-api"
|
||||
version: "0.3.2"
|
||||
version: "0.3.5"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -66,7 +67,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-stack-data-ums"
|
||||
chart: "ums-repo/stack-data-ums"
|
||||
version: "0.15.2"
|
||||
version: "0.33.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -74,7 +75,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-stack-data-swp"
|
||||
chart: "ums-repo/stack-data-swp"
|
||||
version: "0.15.2"
|
||||
version: "0.33.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -82,7 +83,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-portal-server"
|
||||
chart: "ums-repo/portal-server"
|
||||
version: "0.3.4"
|
||||
version: "0.4.3"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -90,7 +91,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-notifications-api"
|
||||
chart: "ums-repo/notifications-api"
|
||||
version: "0.3.4"
|
||||
version: "0.4.3"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -99,7 +100,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-portal-listener"
|
||||
chart: "ums-repo/portal-listener"
|
||||
version: "0.3.4"
|
||||
version: "0.4.3"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -108,7 +109,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-portal-frontend"
|
||||
chart: "ums-repo/portal-frontend"
|
||||
version: "0.3.4"
|
||||
version: "0.4.3"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -124,7 +125,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-umc-gateway"
|
||||
chart: "ums-repo/umc-gateway"
|
||||
version: "0.3.2"
|
||||
version: "0.5.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -132,7 +133,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-umc-server"
|
||||
chart: "ums-repo/umc-server"
|
||||
version: "0.3.2"
|
||||
version: "0.5.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
|
||||
@@ -7,16 +7,13 @@ ldapServer:
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
||||
|
||||
waitForSamlMetadata: true
|
||||
|
||||
# TODO: Certificates handling
|
||||
# caCert: ""
|
||||
# certPem: ""
|
||||
# privateKey: ""
|
||||
# dhParam: ""
|
||||
tlsMode: "off"
|
||||
|
||||
samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
|
||||
samlMetadataUrlInternal: null
|
||||
serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
extraVolumes:
|
||||
- name: "opendesk-schemas"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-schemas"
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
|
||||
subPath: "opendeskFileshare.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
|
||||
subPath: "opendeskKnowledgemanagement.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
|
||||
subPath: "opendeskLearnmanagement.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
|
||||
subPath: "opendeskLivecollaboration.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
|
||||
subPath: "opendeskProjectmanagement.schema"
|
||||
|
||||
...
|
||||
@@ -17,7 +17,7 @@ portalListener:
|
||||
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
notifierServer: "ums-ldap-notifier"
|
||||
notifierServer: {{ .Values.ldap.notifierHost | quote }}
|
||||
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
|
||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||
udmApiUsername: "cn=admin"
|
||||
|
||||
@@ -12,6 +12,9 @@ portalServer:
|
||||
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
|
||||
umcGetUrl: "http://ums-umc-server/get"
|
||||
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
||||
centralNavigation:
|
||||
enabled: true
|
||||
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
|
||||
@@ -30,6 +30,9 @@ stackDataContext:
|
||||
|
||||
oxDefaultContext: "10"
|
||||
|
||||
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
|
||||
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsDataLoader.repository | quote }}
|
||||
|
||||
@@ -19,11 +19,12 @@ stackDataContext:
|
||||
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
|
||||
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
|
||||
|
||||
samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
|
||||
samlMetadataUrlInternal: null
|
||||
samlSpServer: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
||||
samlSchemes: "https"
|
||||
ssoFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
|
||||
idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
|
||||
idpSamlMetadataUrlInternal: null
|
||||
umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
||||
umcSamlSchemes: "https"
|
||||
idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
|
||||
ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
|
||||
|
||||
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
|
||||
|
||||
|
||||
@@ -9,9 +9,22 @@ extraVolumes:
|
||||
- name: "certificates"
|
||||
secret:
|
||||
secretName: "opendesk-certificates-tls"
|
||||
- name: "entrypoint-swp-patches"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-umc-server-entrypoint"
|
||||
defaultMode: 0555
|
||||
- name: "self-service-emails"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-self-service-emails"
|
||||
defaultMode: 0444
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: "certificates"
|
||||
mountPath: "/var/secrets/ssl"
|
||||
- name: "entrypoint-swp-patches"
|
||||
mountPath: "/entrypoint.d/90-customization.sh"
|
||||
subPath: "90-customization.sh"
|
||||
- name: "self-service-emails"
|
||||
mountPath: "/usr/share/univention-self-service/email_bodies"
|
||||
|
||||
...
|
||||
|
||||
@@ -16,7 +16,7 @@ externalDB:
|
||||
|
||||
customConfigs:
|
||||
"xwiki.cfg":
|
||||
"xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
|
||||
xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
|
||||
## LDAP Server configuration
|
||||
xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
|
||||
xwiki.authentication.ldap.port: 389
|
||||
@@ -25,6 +25,8 @@ customConfigs:
|
||||
xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
|
||||
## Base DN used for searching for users
|
||||
xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
|
||||
## Allow short update cycles of the LDAP group cache
|
||||
xwiki.authentication.ldap.groupcache_expiration: 300
|
||||
|
||||
"xwiki.properties":
|
||||
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
|
||||
|
||||
@@ -10,9 +10,9 @@ customConfigs:
|
||||
## Indicate the LDAP field defining the user UID
|
||||
xwiki.authentication.ldap.UID_attr: "uid"
|
||||
## Indicate the LDAP field defining the user profile picture
|
||||
# xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
|
||||
xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
|
||||
## Enable the synchronization of the LDAP profile picture
|
||||
# xwiki.authentication.ldap.update_photo: 1
|
||||
xwiki.authentication.ldap.update_photo: 1
|
||||
|
||||
xwiki.properties:
|
||||
oidc.scope: "openid,profile,email,address,phoenix"
|
||||
@@ -80,8 +80,10 @@ properties:
|
||||
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
|
||||
"dc=swp-ldap,dc=internal"
|
||||
## LDAP filter to only synchronize some groups
|
||||
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
|
||||
# "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
|
||||
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
|
||||
"(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
|
||||
"(objectClass=opendeskKnowledgemanagementGroup)"
|
||||
|
||||
securityContext:
|
||||
enabled: true
|
||||
|
||||
@@ -15,8 +15,8 @@ images:
|
||||
tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
|
||||
# @supplier: "XWiki"
|
||||
dovecot:
|
||||
repository: "dovecot/dovecot"
|
||||
tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
|
||||
repository: "souvap/tooling/images/dovecot-public-sector"
|
||||
tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
|
||||
# @supplier: "Open-Xchange"
|
||||
element:
|
||||
repository: "souvap/tooling/images/element-web"
|
||||
@@ -32,7 +32,7 @@ images:
|
||||
# @supplier: "openDesk DevSecOps"
|
||||
intercom:
|
||||
repository: "univention/intercom-service"
|
||||
tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
|
||||
tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
|
||||
# @supplier: "Univention"
|
||||
jibri:
|
||||
repository: "jitsi/jibri"
|
||||
@@ -120,6 +120,10 @@ images:
|
||||
repository: "nextcloud"
|
||||
tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
|
||||
# @supplier: "Nextcloud Community"
|
||||
nextcloudExporter:
|
||||
repository: "xperimental/nextcloud-exporter"
|
||||
tag: "0.6.2@sha256:4ef2555e74ad1dd1b7b7b0680ce85f2b9333f2c2301756582ff04ae97adf796f"
|
||||
# @supplier: "openDesk DevSecOps"
|
||||
openproject:
|
||||
repository: "openproject/open_desk"
|
||||
tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
|
||||
@@ -224,67 +228,67 @@ images:
|
||||
umsConfigHtpasswd:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/config-htpasswd"
|
||||
tag: "0.5.2"
|
||||
tag: "0.5.2@sha256:b63887af87ed4c496688d422a8881e806de4a2364eb07c7e24bb1635b539e7f3"
|
||||
# @supplier: "Univention"
|
||||
umsDataLoader:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/data-loader"
|
||||
tag: "0.15.2"
|
||||
tag: "0.33.0@sha256:2e9baf28cfe3eb6c740ce604d60ebc1ee6b3e0e2e8741730716a1c7375046039"
|
||||
# @supplier: "Univention"
|
||||
umsLdapNotifier:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/ldap-notifier"
|
||||
tag: "0.4.1"
|
||||
tag: "0.7.0@sha256:c5bd680dc85990aec2c3dde14f8e6b72f5a5d2d3c648bc434c57117836464faf"
|
||||
# @supplier: "Univention"
|
||||
umsLdapServer:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/ldap-server"
|
||||
tag: "0.4.1"
|
||||
tag: "0.7.0@sha256:a87b615fc97c574316f41e1e6dc9bef41d80583ba450aece9d9830bab4d5a09a"
|
||||
# @supplier: "Univention"
|
||||
umsNotificationsApi:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/notifications-api"
|
||||
tag: "0.3.4"
|
||||
tag: "0.4.4@sha256:630905fd503ea5f4b17ccd4adccd68c20b85405a7372e7c71ac2c88aa6e1e47c"
|
||||
# @supplier: "Univention"
|
||||
umsPortalListener:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-listener"
|
||||
tag: "0.3.4"
|
||||
tag: "0.4.4@sha256:689065bad9ab735be1cfd12e519934616e8c049afee4f78c46b630ab7c1a7aef"
|
||||
# @supplier: "Univention"
|
||||
umsPortalFrontend:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-frontend"
|
||||
tag: "0.3.5"
|
||||
tag: "0.4.4@sha256:b8955718ad4d2c973b4c1ee80867ac47c2d90e422234c7a2401b13ed606fd4d4"
|
||||
# @supplier: "Univention"
|
||||
umsPortalServer:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-server"
|
||||
tag: "0.3.4"
|
||||
tag: "0.4.4@sha256:21d279ede3a7cbdaf3a5c4e83375bb389785db4f2569cfaf8362896a9b30e287"
|
||||
# @supplier: "Univention"
|
||||
umsWaitForDependency:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/wait-for-dependency"
|
||||
tag: "0.3.4"
|
||||
tag: "0.4.3@sha256:ff4b7f762860baa1415cfe9a24131cb28c2660a14058ca8a1e7a697468f72d69"
|
||||
# @supplier: "Univention"
|
||||
umsStoreDav:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/store-dav"
|
||||
tag: "0.5.2"
|
||||
tag: "0.5.2@sha256:a3cbb1df2024edf58aea029a280f660bcd2fb8e684eed638901f5d7cbf9db467"
|
||||
# @supplier: "Univention"
|
||||
umsUdmRestApi:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/udm-rest-api"
|
||||
tag: "0.3.2"
|
||||
tag: "0.3.5@sha256:1a434f9d5e4d15217d011c13d9f1694e8a12291e09a6d0802c1158f7e2c5e035"
|
||||
# @supplier: "Univention"
|
||||
umsUmcGateway:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/umc-gateway"
|
||||
tag: "0.3.2"
|
||||
tag: "0.5.1@sha256:9937efd54020e0782a26a1670d0cb8b29edbc802b1fd9eed5e308a594d4ce010"
|
||||
# @supplier: "Univention"
|
||||
umsUmcServer:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/umc-server"
|
||||
tag: "0.3.2"
|
||||
tag: "0.5.1@sha256:cfb626f8d0a949ce0ed36d7e01791006eae24d984573dfa3ed3f031808437da3"
|
||||
# @supplier: "Univention"
|
||||
wellKnown:
|
||||
repository: "library/nginx"
|
||||
|
||||
@@ -1,362 +1,455 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
# Some charts do not support null or ~ values, because they use their default values.
|
||||
# To not limit the CPU, we set all CPU limits to 99.
|
||||
resources:
|
||||
clamd:
|
||||
limits:
|
||||
cpu: 4
|
||||
cpu: 99
|
||||
memory: "4Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "2Gi"
|
||||
memory: "1.5Gi"
|
||||
collabora:
|
||||
limits:
|
||||
cpu: 4
|
||||
cpu: 99
|
||||
memory: "4Gi"
|
||||
requests:
|
||||
cpu: 0.5
|
||||
memory: "1Gi"
|
||||
memory: "512Mi"
|
||||
cryptpad:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "512Mi"
|
||||
dovecot:
|
||||
limits:
|
||||
cpu: 0.5
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "32Mi"
|
||||
element:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "32Mi"
|
||||
freshclam:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "96Mi"
|
||||
icap:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "16Mi"
|
||||
intercomService:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "64Mi"
|
||||
jibri:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "768Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "125Mi"
|
||||
memory: "384Mi"
|
||||
jicofo:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "512Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "256Mi"
|
||||
jitsi:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "512Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "32Mi"
|
||||
jitsiKeycloakAdapter:
|
||||
limits:
|
||||
cpu: "100m"
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: "10m"
|
||||
memory: "16Mi"
|
||||
memory: "48Mi"
|
||||
jvb:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "768Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "384Mi"
|
||||
keycloak:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "750Mi"
|
||||
memory: "512Mi"
|
||||
keycloakExtension:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "48Mi"
|
||||
keycloakBootstrap:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "512Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
keycloakProxy:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "48Mi"
|
||||
mariadb:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "500Mi"
|
||||
memory: "384Mi"
|
||||
matrixNeoBoardWidget:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "48Mi"
|
||||
matrixNeoChoiceWidget:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "48Mi"
|
||||
matrixNeoDateFixBot:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "512Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "128Mi"
|
||||
matrixNeoDateFixWidget:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "48Mi"
|
||||
matrixUserVerificationService:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "128Mi"
|
||||
memcached:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "32Mi"
|
||||
milter:
|
||||
limits:
|
||||
cpu: 4
|
||||
memory: "4Gi"
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "2Gi"
|
||||
memory: "16Mi"
|
||||
minio:
|
||||
limits:
|
||||
cpu: 2
|
||||
memory: "4Gi"
|
||||
cpu: 99
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.25
|
||||
memory: "1Gi"
|
||||
memory: "256Mi"
|
||||
nextcloud:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "500Mi"
|
||||
memory: "512Mi"
|
||||
nextcloudMetrics:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "32Mi"
|
||||
openproject:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
oxConnector:
|
||||
memory: "768Mi"
|
||||
openxchangeCoreDocumentConverter:
|
||||
limits:
|
||||
cpu: 2
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
oxDocumentConverter:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.25
|
||||
memory: "1Gi"
|
||||
memory: "1.25Gi"
|
||||
openxchangeCoreGuidedtours:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "32Mi"
|
||||
openxchangeCoreImageConverter:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
cpu: 0.5
|
||||
memory: "1.25Gi"
|
||||
openxchangeCoreMW:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "8Gi"
|
||||
requests:
|
||||
cpu: 1
|
||||
memory: "1.25Gi"
|
||||
openxchangeCoreUI:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "32Mi"
|
||||
openxchangeCoreUIMiddleware:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "768Mi"
|
||||
requests:
|
||||
cpu: 0.5
|
||||
memory: "192Mi"
|
||||
openxchangeCoreUIMiddlewareUpdater:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "768Mi"
|
||||
requests:
|
||||
cpu: 0.5
|
||||
memory: "192Mi"
|
||||
openxchangeCoreUserGuide:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.02
|
||||
memory: "32Mi"
|
||||
openxchangeGotenberg:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.05
|
||||
memory: "32Mi"
|
||||
openxchangeGuardUI:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "32Mi"
|
||||
openxchangeNextcloudIntegrationUI:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "32Mi"
|
||||
openxchangePublicSectorUI:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "96Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "32Mi"
|
||||
oxConnector:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "512Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "64Mi"
|
||||
postfix:
|
||||
limits:
|
||||
cpu: 0.5
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "16Mi"
|
||||
postgresql:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
prosody:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "512Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "32Mi"
|
||||
redis:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "500Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "100Mi"
|
||||
memory: "32Mi"
|
||||
synapse:
|
||||
limits:
|
||||
cpu: 4
|
||||
cpu: 99
|
||||
memory: "4Gi"
|
||||
requests:
|
||||
cpu: 1
|
||||
memory: "2Gi"
|
||||
memory: "256Mi"
|
||||
synapseWeb:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "64Mi"
|
||||
univentionCorporateServer:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "4Gi"
|
||||
requests:
|
||||
cpu: 0.5
|
||||
memory: "1Gi"
|
||||
umsLdapNotifier:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsLdapServer:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsNotificationsApi:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsPortalFrontend:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsPortalListener:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsPortalListenerDependencies:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsPortalServer:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsStackDataUms:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsStackDataSwp:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsStoreDav:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsUdmRestApi:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsUmcGateway:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
umsUmcServer:
|
||||
limits:
|
||||
cpu: 1
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "250Mi"
|
||||
memory: "256Mi"
|
||||
wellKnown:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "250Mi"
|
||||
cpu: 99
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "50Mi"
|
||||
memory: "32Mi"
|
||||
xwiki:
|
||||
limits:
|
||||
cpu: 2
|
||||
cpu: 99
|
||||
memory: "8Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "6Gi"
|
||||
memory: "1.5Gi"
|
||||
...
|
||||
|
||||
@@ -27,6 +27,8 @@ secrets:
|
||||
ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
|
||||
defaultAccounts:
|
||||
administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
|
||||
userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
|
||||
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
|
||||
storeDavUsers:
|
||||
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
|
||||
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
|
||||
|
||||
Reference in New Issue
Block a user