mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 15:31:38 +01:00
Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
47a385683c | ||
|
|
db48140f3a | ||
|
|
d7cae3b1fa | ||
|
|
7ae65a36a2 | ||
|
|
01466947cc | ||
|
|
061e588da9 | ||
|
|
b460206bd4 | ||
|
|
ea14f953a4 | ||
|
|
feed270fd7 |
@@ -33,9 +33,6 @@ variables:
|
||||
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
||||
sovereign-workplace-env included above."
|
||||
value: "dev"
|
||||
BASE_DOMAIN:
|
||||
description: "Define the Cluster Base Domain."
|
||||
value: "souvap.cloud"
|
||||
MASTER_PASSWORD_WEB_VAR:
|
||||
description: "Optional: Provide a passphrase to be used for password generation."
|
||||
value: ""
|
||||
@@ -150,9 +147,6 @@ variables:
|
||||
UMS_TESTS_BRANCH:
|
||||
description: "Branch of E2E test suite of SouvAP Dev team"
|
||||
value: "main"
|
||||
# please use the following set of variables with normalized names:
|
||||
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
|
||||
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
|
||||
|
||||
.deploy-common:
|
||||
cache: {}
|
||||
@@ -204,7 +198,6 @@ env-cleanup:
|
||||
env-start:
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
url: "https://portal.${DOMAIN}"
|
||||
on_stop: "env-stop"
|
||||
extends: ".deploy-common"
|
||||
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
|
||||
@@ -443,10 +436,6 @@ run-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -503,10 +492,6 @@ run-souvap-dev-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
|
||||
29
CHANGELOG.md
29
CHANGELOG.md
@@ -1,3 +1,32 @@
|
||||
## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Add security context ([db48140](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/db48140f3ae6576b21e93ac0f10f40765efd608d))
|
||||
|
||||
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ae65a36a2777d249ba3784bf965da4c790a1b21))
|
||||
|
||||
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Update optional UMS preview state ([061e588](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/061e588da90e52b531df0688347675bf4dcb431e))
|
||||
|
||||
## [0.5.42](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.41...v0.5.42) (2023-11-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Add exporter and serviceMonitor ([feed270](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/feed270fd7949743e8f9974e7f147e89ab623347))
|
||||
* **nextcloud:** Bump openDesk bootstrap to 3.2.3 to support serverinfo token ([ea14f95](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ea14f953a4a54c01cc0d66db1bdb645ca4a661e5))
|
||||
|
||||
## [0.5.41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.40...v0.5.41) (2023-11-16)
|
||||
|
||||
|
||||
|
||||
@@ -18,13 +18,12 @@ The project includes a `.gitlab-ci.yml` that allows you to execute the deploymen
|
||||
|
||||
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
|
||||
|
||||
- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
|
||||
- `DOMAIN` = The domain to deploy to.
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||
|
||||
Based on your input, the following variables will be set:
|
||||
- `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
|
||||
|
||||
@@ -65,6 +65,7 @@ grafana:
|
||||
```
|
||||
|
||||
## Components
|
||||
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|
||||
|:------------|-----------------------------------|-------------------------|---------------------|
|
||||
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
|
||||
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|
||||
|:----------|-----------------------------------|-------------------------|---------------------|
|
||||
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
|
||||
| Nextcloud | :white_check_mark: | :x: | :x: |
|
||||
|
||||
@@ -50,30 +50,43 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
|
||||
@@ -28,7 +28,7 @@ repositories:
|
||||
releases:
|
||||
- name: "opendesk-nextcloud-bootstrap"
|
||||
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
|
||||
version: "3.2.2"
|
||||
version: "3.2.3"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
|
||||
@@ -39,6 +39,9 @@ config:
|
||||
host: {{ .Values.ldap.host | quote }}
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
|
||||
|
||||
serverinfo:
|
||||
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
|
||||
|
||||
smtp:
|
||||
host: {{ .Values.smtp.host | quote }}
|
||||
username: {{ .Values.smtp.username | quote }}
|
||||
|
||||
@@ -35,7 +35,20 @@ image:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
metrics:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
https: true
|
||||
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: {{ .Values.images.nextcloudExporter.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
|
||||
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
|
||||
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
|
||||
replicaCount: {{ .Values.replicas.nextcloud }}
|
||||
|
||||
@@ -41,9 +41,6 @@ externalDatabase:
|
||||
# to the mariadb:
|
||||
type: "mysql"
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
|
||||
nextcloud:
|
||||
configs:
|
||||
mimetypealiases.json: |-
|
||||
|
||||
@@ -1,6 +1,24 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "KILL"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SYS_CHROOT"
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
dovecot:
|
||||
ldap:
|
||||
enabled: true
|
||||
@@ -16,4 +34,8 @@ dovecot:
|
||||
enabled: true
|
||||
ssl: "no"
|
||||
host: "postfix:25"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
...
|
||||
|
||||
@@ -14,6 +14,17 @@ appsuite:
|
||||
masterAdmin: "admin"
|
||||
gotenberg:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
features:
|
||||
status:
|
||||
# enable admin pack
|
||||
@@ -27,6 +38,7 @@ appsuite:
|
||||
open-xchange-authentication-oauth: "enabled"
|
||||
properties:
|
||||
com.openexchange.UIWebPath: "/appsuite/"
|
||||
com.openexchange.showAdmin: "false"
|
||||
# PDF Export
|
||||
com.openexchange.capability.mail_export_pdf: "true"
|
||||
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
|
||||
@@ -158,8 +170,23 @@ appsuite:
|
||||
mkdir -p /opt/open-xchange/guard-files
|
||||
chown open-xchange:open-xchange /opt/open-xchange/guard-files
|
||||
|
||||
# Security context for core-mw has no effect yet
|
||||
# podSecurityContext: {}
|
||||
# securityContext: {}
|
||||
|
||||
core-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-ui-middleware:
|
||||
enabled: true
|
||||
@@ -170,15 +197,62 @@ appsuite:
|
||||
- "redis-master:6379"
|
||||
auth:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-guidedtours:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
guard-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-cacheservice:
|
||||
enabled: false
|
||||
|
||||
core-user-guide:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-imageconverter:
|
||||
enabled: true
|
||||
@@ -188,6 +262,19 @@ appsuite:
|
||||
endpoint: "."
|
||||
accessKey: "."
|
||||
secretKey: "."
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-spellcheck:
|
||||
enabled: false
|
||||
@@ -198,6 +285,19 @@ appsuite:
|
||||
cache:
|
||||
remoteCache:
|
||||
enabled: false
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-documents-collaboration:
|
||||
enabled: false
|
||||
@@ -213,3 +313,30 @@ appsuite:
|
||||
enabled: false
|
||||
core-drive-help:
|
||||
enabled: false
|
||||
|
||||
nextcloud-integration-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
public-sector-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
...
|
||||
|
||||
@@ -41,15 +41,16 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-ldap-server"
|
||||
chart: "ums-repo/ldap-server"
|
||||
version: "0.5.2"
|
||||
version: "0.7.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-ldap-server.gotmpl"
|
||||
- "values-ldap-server.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-ldap-notifier"
|
||||
chart: "ums-repo/ldap-notifier"
|
||||
version: "0.5.2"
|
||||
version: "0.7.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -58,7 +59,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-udm-rest-api"
|
||||
chart: "ums-repo/udm-rest-api"
|
||||
version: "0.3.3"
|
||||
version: "0.3.5"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -66,7 +67,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-stack-data-ums"
|
||||
chart: "ums-repo/stack-data-ums"
|
||||
version: "0.25.1"
|
||||
version: "0.33.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -74,7 +75,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-stack-data-swp"
|
||||
chart: "ums-repo/stack-data-swp"
|
||||
version: "0.25.1"
|
||||
version: "0.33.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -124,7 +125,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-umc-gateway"
|
||||
chart: "ums-repo/umc-gateway"
|
||||
version: "0.3.5"
|
||||
version: "0.5.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -132,7 +133,7 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
- name: "ums-umc-server"
|
||||
chart: "ums-repo/umc-server"
|
||||
version: "0.3.5"
|
||||
version: "0.5.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
extraVolumes:
|
||||
- name: "opendesk-schemas"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-schemas"
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
|
||||
subPath: "opendeskFileshare.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
|
||||
subPath: "opendeskKnowledgemanagement.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
|
||||
subPath: "opendeskLearnmanagement.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
|
||||
subPath: "opendeskLivecollaboration.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
|
||||
subPath: "opendeskProjectmanagement.schema"
|
||||
|
||||
...
|
||||
@@ -17,7 +17,7 @@ portalListener:
|
||||
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
notifierServer: "ums-ldap-notifier"
|
||||
notifierServer: {{ .Values.ldap.notifierHost | quote }}
|
||||
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
|
||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||
udmApiUsername: "cn=admin"
|
||||
|
||||
@@ -30,6 +30,9 @@ stackDataContext:
|
||||
|
||||
oxDefaultContext: "10"
|
||||
|
||||
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
|
||||
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsDataLoader.repository | quote }}
|
||||
|
||||
@@ -9,9 +9,22 @@ extraVolumes:
|
||||
- name: "certificates"
|
||||
secret:
|
||||
secretName: "opendesk-certificates-tls"
|
||||
- name: "entrypoint-swp-patches"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-umc-server-entrypoint"
|
||||
defaultMode: 0555
|
||||
- name: "self-service-emails"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-self-service-emails"
|
||||
defaultMode: 0444
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: "certificates"
|
||||
mountPath: "/var/secrets/ssl"
|
||||
- name: "entrypoint-swp-patches"
|
||||
mountPath: "/entrypoint.d/90-customization.sh"
|
||||
subPath: "90-customization.sh"
|
||||
- name: "self-service-emails"
|
||||
mountPath: "/usr/share/univention-self-service/email_bodies"
|
||||
|
||||
...
|
||||
|
||||
@@ -32,7 +32,7 @@ images:
|
||||
# @supplier: "openDesk DevSecOps"
|
||||
intercom:
|
||||
repository: "univention/intercom-service"
|
||||
tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
|
||||
tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
|
||||
# @supplier: "Univention"
|
||||
jibri:
|
||||
repository: "jitsi/jibri"
|
||||
@@ -120,6 +120,10 @@ images:
|
||||
repository: "nextcloud"
|
||||
tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
|
||||
# @supplier: "Nextcloud Community"
|
||||
nextcloudExporter:
|
||||
repository: "xperimental/nextcloud-exporter"
|
||||
tag: "0.6.2@sha256:4ef2555e74ad1dd1b7b7b0680ce85f2b9333f2c2301756582ff04ae97adf796f"
|
||||
# @supplier: "openDesk DevSecOps"
|
||||
openproject:
|
||||
repository: "openproject/open_desk"
|
||||
tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
|
||||
@@ -224,42 +228,42 @@ images:
|
||||
umsConfigHtpasswd:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/config-htpasswd"
|
||||
tag: "0.5.2@sha256:b713d22a9f2285aab7ff3b1db950002c9ae507ee0b8ba6c76c8a700299440b02"
|
||||
tag: "0.5.2@sha256:b63887af87ed4c496688d422a8881e806de4a2364eb07c7e24bb1635b539e7f3"
|
||||
# @supplier: "Univention"
|
||||
umsDataLoader:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/data-loader"
|
||||
tag: "0.25.1@sha256:4b5d621e7ee2ca9efd8755ccb287a6daeb05284c3c010e4b6c487d01e539c606"
|
||||
tag: "0.33.0@sha256:2e9baf28cfe3eb6c740ce604d60ebc1ee6b3e0e2e8741730716a1c7375046039"
|
||||
# @supplier: "Univention"
|
||||
umsLdapNotifier:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/ldap-notifier"
|
||||
tag: "0.5.2@sha256:693c170507dd420d9afa19a2128c85ffd1f231b1c13b149a46bb12a501a1136f"
|
||||
tag: "0.7.0@sha256:c5bd680dc85990aec2c3dde14f8e6b72f5a5d2d3c648bc434c57117836464faf"
|
||||
# @supplier: "Univention"
|
||||
umsLdapServer:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/ldap-server"
|
||||
tag: "0.5.2@sha256:e4b229b1879185e150e371242a90c9a8e1ebb0bc19076871554137cc354855cb"
|
||||
tag: "0.7.0@sha256:a87b615fc97c574316f41e1e6dc9bef41d80583ba450aece9d9830bab4d5a09a"
|
||||
# @supplier: "Univention"
|
||||
umsNotificationsApi:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/notifications-api"
|
||||
tag: "0.4.3@sha256:f0a95d96f4047b08db41b8878800f98e66a8fb2fc3c0f493130be314a3be0270"
|
||||
tag: "0.4.4@sha256:630905fd503ea5f4b17ccd4adccd68c20b85405a7372e7c71ac2c88aa6e1e47c"
|
||||
# @supplier: "Univention"
|
||||
umsPortalListener:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-listener"
|
||||
tag: "0.4.3@sha256:a5454bfc113df95d1e71424765b6a0137e7468861cb3df3865136888d24ca7a0"
|
||||
tag: "0.4.4@sha256:689065bad9ab735be1cfd12e519934616e8c049afee4f78c46b630ab7c1a7aef"
|
||||
# @supplier: "Univention"
|
||||
umsPortalFrontend:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-frontend"
|
||||
tag: "0.4.3@sha256:bfae4930c830185b0f64d6cd9bb479bdde8ac383a58f8f5948731ece9288ff4d"
|
||||
tag: "0.4.4@sha256:b8955718ad4d2c973b4c1ee80867ac47c2d90e422234c7a2401b13ed606fd4d4"
|
||||
# @supplier: "Univention"
|
||||
umsPortalServer:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-server"
|
||||
tag: "0.4.3@sha256:3a906e38aaabf5e80457f1b572a4ee3676b90921ac9c0df9a64a177ee0d75cc9"
|
||||
tag: "0.4.4@sha256:21d279ede3a7cbdaf3a5c4e83375bb389785db4f2569cfaf8362896a9b30e287"
|
||||
# @supplier: "Univention"
|
||||
umsWaitForDependency:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
@@ -269,22 +273,22 @@ images:
|
||||
umsStoreDav:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/store-dav"
|
||||
tag: "0.5.2@sha256:e6d42110be74f171b62c8ba4752afd0af8119f0354783bf428eb2030f97be84a"
|
||||
tag: "0.5.2@sha256:a3cbb1df2024edf58aea029a280f660bcd2fb8e684eed638901f5d7cbf9db467"
|
||||
# @supplier: "Univention"
|
||||
umsUdmRestApi:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/udm-rest-api"
|
||||
tag: "0.3.3@sha256:3893d74b1e450e920a53788a8b86cafb4e811dbbae8734fd32d56718ccbb89c5"
|
||||
tag: "0.3.5@sha256:1a434f9d5e4d15217d011c13d9f1694e8a12291e09a6d0802c1158f7e2c5e035"
|
||||
# @supplier: "Univention"
|
||||
umsUmcGateway:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/umc-gateway"
|
||||
tag: "0.3.5@sha256:2e5ec7a33f0f9094143090c786b3fda632fe85b669b7fe3bb467ec96b4a76eff"
|
||||
tag: "0.5.1@sha256:9937efd54020e0782a26a1670d0cb8b29edbc802b1fd9eed5e308a594d4ce010"
|
||||
# @supplier: "Univention"
|
||||
umsUmcServer:
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/umc-server"
|
||||
tag: "0.3.5@sha256:fa95ab3a547807322e6d66da943292119b37229eccbb35b31217fe0f484c4798"
|
||||
tag: "0.5.1@sha256:cfb626f8d0a949ce0ed36d7e01791006eae24d984573dfa3ed3f031808437da3"
|
||||
# @supplier: "Univention"
|
||||
wellKnown:
|
||||
repository: "library/nginx"
|
||||
|
||||
@@ -27,6 +27,8 @@ secrets:
|
||||
ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
|
||||
defaultAccounts:
|
||||
administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
|
||||
userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
|
||||
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
|
||||
storeDavUsers:
|
||||
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
|
||||
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
|
||||
|
||||
Reference in New Issue
Block a user