mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
71d11cfcd0 | ||
|
|
6aa3d386af | ||
|
|
7ac2e0f9de | ||
|
|
6f556bce70 | ||
|
|
a447c137fe | ||
|
|
47a385683c | ||
|
|
db48140f3a | ||
|
|
d7cae3b1fa | ||
|
|
7ae65a36a2 |
@@ -33,9 +33,6 @@ variables:
|
||||
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
||||
sovereign-workplace-env included above."
|
||||
value: "dev"
|
||||
BASE_DOMAIN:
|
||||
description: "Define the Cluster Base Domain."
|
||||
value: "souvap.cloud"
|
||||
MASTER_PASSWORD_WEB_VAR:
|
||||
description: "Optional: Provide a passphrase to be used for password generation."
|
||||
value: ""
|
||||
@@ -150,9 +147,6 @@ variables:
|
||||
UMS_TESTS_BRANCH:
|
||||
description: "Branch of E2E test suite of SouvAP Dev team"
|
||||
value: "main"
|
||||
# please use the following set of variables with normalized names:
|
||||
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
|
||||
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
|
||||
|
||||
.deploy-common:
|
||||
cache: {}
|
||||
@@ -204,7 +198,6 @@ env-cleanup:
|
||||
env-start:
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
url: "https://portal.${DOMAIN}"
|
||||
on_stop: "env-stop"
|
||||
extends: ".deploy-common"
|
||||
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
|
||||
@@ -443,10 +436,6 @@ run-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -503,10 +492,6 @@ run-souvap-dev-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -570,7 +555,7 @@ generate-release-assets:
|
||||
- "./build_artefacts/image-index.json"
|
||||
tags: []
|
||||
variables:
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
|
||||
|
||||
|
||||
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
|
||||
|
||||
29
CHANGELOG.md
29
CHANGELOG.md
@@ -1,3 +1,32 @@
|
||||
## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Rename absolute paths on OpenCoDE to new 'opendesk' base group name ([7ac2e0f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7ac2e0f9de2a8386a7f5809ba40db4ed7164a857))
|
||||
* **xwiki:** Enable the sync of user profile picture from LDAP ([6aa3d38](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6aa3d386afe8b3f22e47f9971fd719089006b54e))
|
||||
|
||||
## [0.5.46](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.45...v0.5.46) (2023-11-23)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Fix quotes in element chart ([a447c13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a447c137fe58be343e7ada55afb7f6891a5cde74))
|
||||
|
||||
## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Add security context ([db48140](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/db48140f3ae6576b21e93ac0f10f40765efd608d))
|
||||
|
||||
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ae65a36a2777d249ba3784bf965da4c790a1b21))
|
||||
|
||||
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
|
||||
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
# Read me first
|
||||
|
||||
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/CONTRIBUTING.md) first.
|
||||
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/CONTRIBUTING.md) first.
|
||||
|
||||
# How to contribute?
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ Basic knowledge of Kubernetes and Devops is required though.
|
||||
|
||||
# Active development notice
|
||||
openDesk will face breaking changes in the near future without upgrade paths before
|
||||
[technical release](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases
|
||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases
|
||||
v1.0.0 is reached.
|
||||
|
||||
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
|
||||
@@ -60,10 +60,10 @@ Of course, further development also includes enhancing the documentation.
|
||||
|
||||
We love to get feedback from you!
|
||||
Related to the deployment / contents of this repository,
|
||||
please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
|
||||
please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
|
||||
|
||||
If you want to address other topics, please check the section
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
|
||||
# Requirements
|
||||
|
||||
@@ -86,7 +86,7 @@ If you want to address other topics, please check the section
|
||||
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
|
||||
|
||||
Gitlab provides an
|
||||
[overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases)
|
||||
[overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||
of this project.
|
||||
|
||||
The following release artefacts are provided beside the default source code assets:
|
||||
|
||||
@@ -18,13 +18,12 @@ The project includes a `.gitlab-ci.yml` that allows you to execute the deploymen
|
||||
|
||||
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
|
||||
|
||||
- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
|
||||
- `DOMAIN` = The domain to deploy to.
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||
|
||||
Based on your input, the following variables will be set:
|
||||
- `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
|
||||
|
||||
@@ -50,30 +50,43 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
|
||||
@@ -29,7 +29,7 @@ missingFileHandler: "Error"
|
||||
# - Installing all releases from root via helmfile apply
|
||||
# - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
|
||||
# - Installing a single release from app directory via helmfile apply
|
||||
# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
|
||||
# Issue: https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues/2
|
||||
|
||||
environments:
|
||||
default:
|
||||
|
||||
@@ -33,7 +33,7 @@ repositories:
|
||||
releases:
|
||||
- name: "opendesk-element"
|
||||
chart: "opendesk-element-repo/opendesk-element"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-element.yaml"
|
||||
- "values-element.gotmpl"
|
||||
@@ -42,7 +42,7 @@ releases:
|
||||
|
||||
- name: "opendesk-well-known"
|
||||
chart: "opendesk-element-repo/opendesk-well-known"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-well-known.yaml"
|
||||
- "values-well-known.gotmpl"
|
||||
@@ -51,7 +51,7 @@ releases:
|
||||
|
||||
- name: "opendesk-synapse-web"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-web"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-synapse-web.yaml"
|
||||
- "values-synapse-web.gotmpl"
|
||||
@@ -60,7 +60,7 @@ releases:
|
||||
|
||||
- name: "opendesk-synapse"
|
||||
chart: "opendesk-element-repo/opendesk-synapse"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-synapse.yaml"
|
||||
- "values-synapse.gotmpl"
|
||||
@@ -69,7 +69,7 @@ releases:
|
||||
|
||||
- name: "opendesk-matrix-user-verification-service-bootstrap"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-create-account"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-matrix-user-verification-service-bootstrap.yaml"
|
||||
- "values-matrix-user-verification-service-bootstrap.gotmpl"
|
||||
@@ -78,7 +78,7 @@ releases:
|
||||
|
||||
- name: "opendesk-matrix-user-verification-service"
|
||||
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-matrix-user-verification-service.yaml"
|
||||
- "values-matrix-user-verification-service.gotmpl"
|
||||
@@ -114,7 +114,7 @@ releases:
|
||||
|
||||
- name: "matrix-neodatefix-bot-bootstrap"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-create-account"
|
||||
version: "2.5.0"
|
||||
version: "2.5.1"
|
||||
values:
|
||||
- "values-matrix-neodatefix-bot-bootstrap.yaml"
|
||||
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
|
||||
|
||||
@@ -16,7 +16,7 @@ repositories:
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
# openDesk Keycloak Theme
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
|
||||
- name: "keycloak-theme-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
|
||||
@@ -8,7 +8,7 @@ bases:
|
||||
repositories:
|
||||
# openDesk Keycloak Bootstrap
|
||||
# Source:
|
||||
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
|
||||
# https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
|
||||
- name: "opendesk-nextcloud-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
|
||||
@@ -7,7 +7,7 @@ bases:
|
||||
---
|
||||
repositories:
|
||||
# openDesk Dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
|
||||
- name: "opendesk-dovecot-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
@@ -21,7 +21,7 @@ repositories:
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
|
||||
# openDesk Open-Xchange Bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
|
||||
- name: "opendesk-open-xchange-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
@@ -35,7 +35,7 @@ repositories:
|
||||
releases:
|
||||
- name: "dovecot"
|
||||
chart: "opendesk-dovecot-repo/dovecot"
|
||||
version: "1.3.5"
|
||||
version: "1.3.6"
|
||||
values:
|
||||
- "values-dovecot.yaml"
|
||||
- "values-dovecot.gotmpl"
|
||||
|
||||
@@ -1,6 +1,24 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "KILL"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SYS_CHROOT"
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
dovecot:
|
||||
ldap:
|
||||
enabled: true
|
||||
@@ -16,4 +34,8 @@ dovecot:
|
||||
enabled: true
|
||||
ssl: "no"
|
||||
host: "postfix:25"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
...
|
||||
|
||||
@@ -14,6 +14,17 @@ appsuite:
|
||||
masterAdmin: "admin"
|
||||
gotenberg:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
features:
|
||||
status:
|
||||
# enable admin pack
|
||||
@@ -27,6 +38,7 @@ appsuite:
|
||||
open-xchange-authentication-oauth: "enabled"
|
||||
properties:
|
||||
com.openexchange.UIWebPath: "/appsuite/"
|
||||
com.openexchange.showAdmin: "false"
|
||||
# PDF Export
|
||||
com.openexchange.capability.mail_export_pdf: "true"
|
||||
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
|
||||
@@ -158,8 +170,23 @@ appsuite:
|
||||
mkdir -p /opt/open-xchange/guard-files
|
||||
chown open-xchange:open-xchange /opt/open-xchange/guard-files
|
||||
|
||||
# Security context for core-mw has no effect yet
|
||||
# podSecurityContext: {}
|
||||
# securityContext: {}
|
||||
|
||||
core-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-ui-middleware:
|
||||
enabled: true
|
||||
@@ -170,15 +197,62 @@ appsuite:
|
||||
- "redis-master:6379"
|
||||
auth:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-guidedtours:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
guard-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-cacheservice:
|
||||
enabled: false
|
||||
|
||||
core-user-guide:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-imageconverter:
|
||||
enabled: true
|
||||
@@ -188,6 +262,19 @@ appsuite:
|
||||
endpoint: "."
|
||||
accessKey: "."
|
||||
secretKey: "."
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-spellcheck:
|
||||
enabled: false
|
||||
@@ -198,6 +285,19 @@ appsuite:
|
||||
cache:
|
||||
remoteCache:
|
||||
enabled: false
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-documents-collaboration:
|
||||
enabled: false
|
||||
@@ -213,3 +313,30 @@ appsuite:
|
||||
enabled: false
|
||||
core-drive-help:
|
||||
enabled: false
|
||||
|
||||
nextcloud-integration-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
public-sector-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
...
|
||||
|
||||
@@ -16,7 +16,7 @@ externalDB:
|
||||
|
||||
customConfigs:
|
||||
"xwiki.cfg":
|
||||
"xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
|
||||
xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
|
||||
## LDAP Server configuration
|
||||
xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
|
||||
xwiki.authentication.ldap.port: 389
|
||||
@@ -25,6 +25,8 @@ customConfigs:
|
||||
xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
|
||||
## Base DN used for searching for users
|
||||
xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
|
||||
## Allow short update cycles of the LDAP group cache
|
||||
xwiki.authentication.ldap.groupcache_expiration: 300
|
||||
|
||||
"xwiki.properties":
|
||||
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
|
||||
|
||||
@@ -10,9 +10,9 @@ customConfigs:
|
||||
## Indicate the LDAP field defining the user UID
|
||||
xwiki.authentication.ldap.UID_attr: "uid"
|
||||
## Indicate the LDAP field defining the user profile picture
|
||||
# xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
|
||||
xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
|
||||
## Enable the synchronization of the LDAP profile picture
|
||||
# xwiki.authentication.ldap.update_photo: 1
|
||||
xwiki.authentication.ldap.update_photo: 1
|
||||
|
||||
xwiki.properties:
|
||||
oidc.scope: "openid,profile,email,address,phoenix"
|
||||
@@ -80,8 +80,10 @@ properties:
|
||||
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
|
||||
"dc=swp-ldap,dc=internal"
|
||||
## LDAP filter to only synchronize some groups
|
||||
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
|
||||
# "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
|
||||
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
|
||||
"(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
|
||||
"(objectClass=opendeskKnowledgemanagementGroup)"
|
||||
|
||||
securityContext:
|
||||
enabled: true
|
||||
|
||||
Reference in New Issue
Block a user