sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 23:41:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.5.45
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
...
compare: sheppy:v0.5.69
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

73 Commits
v0.5.45 ... v0.5.69

Author SHA1 Message Date
opendesk
4b6a20faa4 chore(release): 0.5.69 [skip ci] 
## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)

### Bug Fixes

* **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](ce38714a81))
 2023-12-12 21:01:26 +00:00
merge-request-bot
ce38714a81 fix(univention-management-stack): Functional replacement for UCS container monolith, still optional. 2023-12-12 19:31:27 +00:00
opendesk
37f1eb9794 chore(release): 0.5.68 [skip ci] 
## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)

### Bug Fixes

* **jitsi:** Disable IP Blacklist ([6a649cb](6a649cb7f0))
* **open-xchange:** Update to latest version ([db4bfa4](db4bfa4884))
 2023-12-11 18:01:31 +00:00
merge-request-bot
db4bfa4884 fix(open-xchange): Update to latest version 2023-12-11 16:56:36 +00:00
Dominik Kaminski
6a649cb7f0 fix(jitsi): Disable IP Blacklist 2023-12-11 17:00:06 +01:00
opendesk
b6ef559cde chore(release): 0.5.67 [skip ci] 
## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)

### Bug Fixes

* **services:** Use Charts from openCoDE registry ([cc0daa2](cc0daa2a22))
 2023-12-11 13:01:23 +00:00
Dominik Kaminski
cc0daa2a22 fix(services): Use Charts from openCoDE registry 2023-12-10 16:52:53 +01:00
opendesk
c69c62cd45 chore(release): 0.5.66 [skip ci] 
## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)

### Bug Fixes

* **element:** Update Element and Widgets ([6a26299](6a26299a75))
 2023-12-08 22:01:16 +00:00
merge-request-bot
6a26299a75 fix(element): Update Element and Widgets 2023-12-08 20:18:36 +00:00
opendesk
4101e91ae6 chore(release): 0.5.65 [skip ci] 
## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)

### Bug Fixes

* **univention-management-stack:** Bump OX Connector ([83192b7](83192b7834))
 2023-12-08 15:01:16 +00:00
Thorsten Roßner
83192b7834 fix(univention-management-stack): Bump OX Connector 2023-12-07 19:56:18 +01:00
opendesk
3b1091bb3e chore(release): 0.5.64 [skip ci] 
## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)

### Bug Fixes

* **openproject:** Switch to release container and set home url link ([e67ab8f](e67ab8f430))
 2023-12-06 19:01:06 +00:00
merge-request-bot
e67ab8f430 fix(openproject): Switch to release container and set home url link 2023-12-06 17:52:05 +00:00
opendesk
da731e7d5e chore(release): 0.5.63 [skip ci] 
## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)

### Bug Fixes

* **nextcloud:** Remove Talk folder ([0ea5856](0ea585633b))
 2023-12-06 11:13:39 +00:00
merge-request-bot
0ea585633b fix(nextcloud): Remove Talk folder 2023-12-06 11:10:39 +00:00
opendesk
fe40b7cfa1 chore(release): 0.5.62 [skip ci] 
## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)

### Bug Fixes

* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](d04a60349d))
* **univention-management-stack:** Update optional UMS preview state ([94ae3da](94ae3da78b))
 2023-12-06 09:10:05 +00:00
merge-request-bot
d04a60349d fix(nextcloud): Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder 2023-12-06 09:07:44 +00:00
merge-request-bot
94ae3da78b fix(univention-management-stack): Update optional UMS preview state 2023-12-05 20:27:57 +00:00
opendesk
3ca54159f7 chore(release): 0.5.61 [skip ci] 
## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)

### Bug Fixes

* **services:** Fix port declaration for Postfix ([bf5dcda](bf5dcda3b5))
 2023-12-05 15:13:35 +00:00
merge-request-bot
bf5dcda3b5 fix(services): Fix port declaration for Postfix 2023-12-05 15:11:22 +00:00
opendesk
08ca525d3e chore(release): 0.5.60 [skip ci] 
## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)

### Bug Fixes

* **ci:** Ensure release creation with artifacts ([dc7ce0b](dc7ce0bc4b))
 2023-12-05 13:11:56 +00:00
merge-request-bot
dc7ce0bc4b fix(ci): Ensure release creation with artifacts 2023-12-05 13:09:19 +00:00
opendesk
729a1ea849 chore(release): 0.5.59 [skip ci] 
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)

### Bug Fixes

* **helmfile:** Add configurable objectstore ([3b5493d](3b5493d78d))
 2023-12-05 08:36:22 +00:00
Robin Rush
3b5493d78d fix(helmfile): Add configurable objectstore 2023-12-05 09:07:41 +01:00
opendesk
6711791009 chore(release): 0.5.58 [skip ci] 
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)

### Bug Fixes

* **cryptpad:** Add websocket annotation ([c41643e](c41643ee3e))
* **openproject:** Add seederJob intent ([05cc82d](05cc82d7c5))
* **openproject:** Bump to 2.6.2 ([c8bc8b3](c8bc8b3172))
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](24812b667c))
* **services:** Add Otterize based security settings ([bec9a2d](bec9a2d46b))
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](2628a0e13e))
 2023-12-01 20:53:38 +00:00
Dominik Kaminski
c41643ee3e fix(cryptpad): Add websocket annotation 2023-12-01 20:50:08 +00:00
Dominik Kaminski
2628a0e13e fix(univention-management-stack): Add Otterize annotations for jobs 2023-12-01 20:50:08 +00:00
Dominik Kaminski
c8bc8b3172 fix(openproject): Bump to 2.6.2 2023-12-01 20:50:08 +00:00
Dominik Kaminski
24812b667c fix(services): Add NetworkPolicy section to docs/security.md 2023-12-01 20:50:08 +00:00
Dominik Kaminski
bec9a2d46b fix(services): Add Otterize based security settings 2023-12-01 20:50:08 +00:00
Dominik Kaminski
05cc82d7c5 fix(openproject): Add seederJob intent 2023-12-01 20:50:08 +00:00
opendesk
82be996d97 chore(release): 0.5.57 [skip ci] 
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)

### Bug Fixes

* **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](d367739248))
 2023-12-01 20:48:37 +00:00
Martin Müller
d367739248 fix(helmfile): Using correct private registry for postfix helm-chart 2023-12-01 15:20:25 +00:00
opendesk
ef870ae385 chore(release): 0.5.56 [skip ci] 
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)

### Bug Fixes

* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](466e741494))
 2023-11-30 15:33:14 +00:00
merge-request-bot
466e741494 fix(element): Raise treshold for login rate limit to avoid too early barrier hitting normal users 2023-11-30 15:31:25 +00:00
opendesk
00fafb6a1b chore(release): 0.5.55 [skip ci] 
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)

### Bug Fixes

* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](6d3e484855))
 2023-11-30 12:25:14 +00:00
merge-request-bot
6d3e484855 fix(cryptpad): Update Helm chart to enable readiness and liveness probes 2023-11-30 12:23:25 +00:00
opendesk
845a0a3189 chore(release): 0.5.54 [skip ci] 
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)

### Bug Fixes

* **helmfile:** Add and document security context for components ([519db51](519db51be2))
 2023-11-29 19:52:12 +00:00
Thomas Kaltenbrunner
519db51be2 fix(helmfile): Add and document security context for components 2023-11-29 19:50:07 +00:00
opendesk
7ef3a10577 chore(release): 0.5.53 [skip ci] 
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)

### Bug Fixes

* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](7bbab22939))
* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](7a9ecf7b85))
* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](4c52a5aaa8))
* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](a5f263ce48))
* **univention-management-stack:** Apply styling ([b3d45c4](b3d45c45e1))
* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](cbe8fb2d65))
* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](3cf348c7ae))
* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](b3ac0ae6d9))
* **univention-management-stack:** Quote all composed strings ([1c35ca6](1c35ca67ce))
* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](8b6a4b2e88))
* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](0c7a77c4b6))
* **univention-management-stack:** UMC uses external memcached ([211bee9](211bee94bb))
* **univention-management-stack:** Update ums-dependencies ([e0c6c14](e0c6c14dca))
* **univention-management-stack:** Update ums-dependencies ([c246edd](c246edd8f9))
* **univention-management-stack:** Update ums-dependencies ([86b4818](86b48188e1))
* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](c19bca2be0))
 2023-11-29 17:59:12 +00:00
Johannes Bornhold
1c35ca67ce fix(univention-management-stack): Quote all composed strings 2023-11-29 13:41:14 +01:00
Johannes Bornhold
e0c6c14dca fix(univention-management-stack): Update ums-dependencies 2023-11-29 13:40:39 +01:00
Johannes Bornhold
3cf348c7ae fix(univention-management-stack): Document database of UMS Notifications API 2023-11-29 13:40:39 +01:00
Johannes Bornhold
b3d45c45e1 fix(univention-management-stack): Apply styling 2023-11-29 13:40:36 +01:00
Johannes Bornhold
c246edd8f9 fix(univention-management-stack): Update ums-dependencies 2023-11-29 13:39:14 +01:00
Johannes Bornhold
c19bca2be0 fix(univention-management-stack): Use "stack-gateway" in all deployments 2023-11-29 13:39:13 +01:00
Johannes Bornhold
a5f263ce48 fix(univention-management-stack): Add branding related configuration to stack-gateway 2023-11-29 13:37:36 +01:00
Johannes Bornhold
cbe8fb2d65 fix(univention-management-stack): Configure openDesk branding in frontend chart 2023-11-29 13:37:36 +01:00
Johannes Bornhold
8b6a4b2e88 fix(univention-management-stack): Remove frontend-custom 2023-11-29 13:37:33 +01:00
Thomas Kintscher
a61d00482f chore(univention-management-stack): Move static values of stack-data-swp to yaml file 2023-11-29 13:34:53 +01:00
Thomas Kintscher
0c7a77c4b6 fix(univention-management-stack): Set SMTP host for self-service notifications 2023-11-29 13:34:53 +01:00
Thomas Kintscher
211bee94bb fix(univention-management-stack): UMC uses external memcached 2023-11-29 13:34:52 +01:00
Johannes Bornhold
b3ac0ae6d9 fix(univention-management-stack): Move static settings from gotmpl into yaml for umc-gateway 2023-11-29 13:34:52 +01:00
Johannes Bornhold
4c52a5aaa8 fix(univention-management-stack): Add Announcements module into "umc-server" 2023-11-29 13:34:52 +01:00
Johannes Bornhold
7a9ecf7b85 fix(univention-management-stack): Add Announcements icon into "umc-gateway" 2023-11-29 13:34:52 +01:00
Johannes Bornhold
86b48188e1 fix(univention-management-stack): Update ums-dependencies 2023-11-29 13:34:52 +01:00
Johannes Lohmer
7bbab22939 fix(univention-managemen-stack): Integrate Attribute to Group Mapper into the containerized stack 2023-11-29 13:34:51 +01:00
opendesk
1343d6c93e chore(release): 0.5.52 [skip ci] 
## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)

### Bug Fixes

* **ci:** Open automatic MRs for new branches ([735fec3](735fec3b4c))
 2023-11-28 22:44:39 +00:00
Thomas Kaltenbrunner
735fec3b4c fix(ci): Open automatic MRs for new branches 2023-11-28 17:18:12 +01:00
opendesk
21b9d1d024 chore(release): 0.5.51 [skip ci] 
## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)

### Bug Fixes

* **nextcloud:** Bump chart to fix central navigation ([cac6abe](cac6abe251))
* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](6dc92df2eb))
 2023-11-28 15:09:38 +00:00
Oliver Günther
6dc92df2eb fix(openproject): Update container and prepare for OIDC based user admin role setting 2023-11-28 15:07:54 +00:00
Thorsten Rossner
cac6abe251 fix(nextcloud): Bump chart to fix central navigation 2023-11-27 19:17:30 +00:00
opendesk
6c1664fc0d chore(release): 0.5.50 [skip ci] 
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)

### Bug Fixes

* **ci:** Add metadata for renovate processing ([36aa3ed](36aa3ed7c9))
 2023-11-27 14:11:23 +00:00
Robin Rush
36aa3ed7c9 fix(ci): Add metadata for renovate processing 2023-11-27 14:11:43 +01:00
opendesk
23c46e7fe5 chore(release): 0.5.49 [skip ci] 
## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)

### Bug Fixes

* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](efbd814968))
 2023-11-27 09:32:09 +00:00
Thorsten Rossner
efbd814968 fix(nextcloud): Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 2023-11-27 09:30:10 +00:00
opendesk
812eb5a439 chore(release): 0.5.48 [skip ci] 
## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)

### Bug Fixes

* **services:** Update resource requests and remove cpu limits ([f86a74b](f86a74ba10))
 2023-11-24 17:10:40 +00:00
Dominik Kaminski
f86a74ba10 fix(services): Update resource requests and remove cpu limits 2023-11-24 17:06:46 +00:00
opendesk
71d11cfcd0 chore(release): 0.5.47 [skip ci] 
## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)

### Bug Fixes

* **helmfile:** Rename absolute paths on OpenCoDE to new 'opendesk' base group name ([7ac2e0f](7ac2e0f9de))
* **xwiki:** Enable the sync of user profile picture from LDAP ([6aa3d38](6aa3d386af))
 2023-11-24 16:50:40 +00:00
Thorsten Rossner
6aa3d386af fix(xwiki): Enable the sync of user profile picture from LDAP 2023-11-24 16:48:49 +00:00
Thorsten Rossner
7ac2e0f9de fix(helmfile): Rename absolute paths on OpenCoDE to new 'opendesk' base group name 2023-11-24 16:29:50 +00:00
openDesk
6f556bce70 chore(release): 0.5.46 [skip ci] 
## [0.5.46](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.45...v0.5.46) (2023-11-23)

### Bug Fixes

* **element:** Fix quotes in element chart ([a447c13](a447c137fe))
 2023-11-23 13:28:52 +00:00
Thomas Kaltenbrunner
a447c137fe fix(element): Fix quotes in element chart 2023-11-23 13:27:11 +00:00
89 changed files with 3089 additions and 903 deletions
Expand all files Collapse all files

6
.gitlab-ci.yml
View File

@@ -5,6 +5,7 @@ include:
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
ref: "main"
file:
- "ci/common/automr.yml"
- "ci/common/lint.yml"
- "ci/release-automation/semantic-release.yml"
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
@@ -14,6 +15,7 @@ include:
stages:
- ".pre"
- "automr"
- "lint"
- "env-cleanup"
- "env"
@@ -555,7 +557,7 @@ generate-release-assets:
- "./build_artefacts/image-index.json"
tags: []
variables:
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
@@ -618,4 +620,6 @@ release:
}
EOF
- "semantic-release"
needs:
- "generate-release-assets"
...

192
CHANGELOG.md
View File

@@ -1,3 +1,195 @@
## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)
### Bug Fixes
* **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/ce38714a81ea3b0e1377e6ea2d640fb65f317396))
## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)
### Bug Fixes
* **jitsi:** Disable IP Blacklist ([6a649cb](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a649cb7f0d04736ccabcd27c035ef6d051f6fd5))
* **open-xchange:** Update to latest version ([db4bfa4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db4bfa488401f10bad111ce03c20a60473c64837))
## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)
### Bug Fixes
* **services:** Use Charts from openCoDE registry ([cc0daa2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cc0daa2a22837c00583038ffd9df7e669004e84e))
## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)
### Bug Fixes
* **element:** Update Element and Widgets ([6a26299](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a26299a7507ae749ffcf25288d2cf5b24d220db))
## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)
### Bug Fixes
* **univention-management-stack:** Bump OX Connector ([83192b7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/83192b78345c62465e2979195d9a1c882ddbf0ea))
## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
### Bug Fixes
* **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
### Bug Fixes
* **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
### Bug Fixes
* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
* **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
### Bug Fixes
* **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
### Bug Fixes
* **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
### Bug Fixes
* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
### Bug Fixes
* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
### Bug Fixes
* **helmfile:** Using correct private registry for postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
### Bug Fixes
* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
### Bug Fixes
* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
### Bug Fixes
* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
### Bug Fixes
* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7bbab229396075c7d10f94f42bef14551faefe26))
* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a9ecf7b8595edf0949d9c200d01b3409f25b9a7))
* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/4c52a5aaa83ffb6f4c49faa039c94cb1855987bb))
* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a5f263ce489f88b90cf1151de249f36616a51632))
* **univention-management-stack:** Apply styling ([b3d45c4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e))
* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cbe8fb2d65e6ce73f9da95ef9b0ed3ffbb16d367))
* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3cf348c7ae8f438daf3e64addbf839230816f3d2))
* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3ac0ae6d91a058265fcd26c6653bb8a13d3e780))
* **univention-management-stack:** Quote all composed strings ([1c35ca6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c35ca67ce0673e1b2f9a350bd07c82c22a05354))
* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8b6a4b2e88e8be1d299af91ed1ffff4405db88e6))
* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0c7a77c4b6f20c6d83e977dabfc4e555b652f6ac))
* **univention-management-stack:** UMC uses external memcached ([211bee9](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/211bee94bb7675860f867f0335fec9f14fc96875))
* **univention-management-stack:** Update ums-dependencies ([e0c6c14](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e0c6c14dcaefc0755495270bbf45898721e27985))
* **univention-management-stack:** Update ums-dependencies ([c246edd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c246edd8f9753e37bc9c32683faf41f5b46d7675))
* **univention-management-stack:** Update ums-dependencies ([86b4818](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/86b48188e160c1f7d15f2c33f1f3cd0cc0e68bf2))
* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c19bca2be0d14750bbef661e45c5c424f7da8e77))
## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)
### Bug Fixes
* **ci:** Open automatic MRs for new branches ([735fec3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/735fec3b4ccd33ba63e5fa6482526efb6853c64a))
## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)
### Bug Fixes
* **nextcloud:** Bump chart to fix central navigation ([cac6abe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cac6abe2510b6793963633077543684a6a4e7cbc))
* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6dc92df2ebcae435e3b3609cc163dc6c33fb1b83))
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
### Bug Fixes
* **ci:** Add metadata for renovate processing ([36aa3ed](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36aa3ed7c9f9a6d0ffe23dc3ca2174d5f2741dfa))
## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)
### Bug Fixes
* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/efbd81496868c5d4274f09805a1e771f47d548be))
## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)
### Bug Fixes
* **services:** Update resource requests and remove cpu limits ([f86a74b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f86a74ba100c7f08f6538b58a713bbc87c00e814))
## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)
### Bug Fixes
* **helmfile:** Rename absolute paths on OpenCoDE to new 'opendesk' base group name ([7ac2e0f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7ac2e0f9de2a8386a7f5809ba40db4ed7164a857))
* **xwiki:** Enable the sync of user profile picture from LDAP ([6aa3d38](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6aa3d386afe8b3f22e47f9971fd719089006b54e))
## [0.5.46](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.45...v0.5.46) (2023-11-23)
### Bug Fixes
* **element:** Fix quotes in element chart ([a447c13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a447c137fe58be343e7ada55afb7f6891a5cde74))
## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)

2
CONTRIBUTING.md
View File

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
# Read me first
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/CONTRIBUTING.md) first.
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/CONTRIBUTING.md) first.
# How to contribute?

17
README.md
View File

@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
It features:
- Fully integrated Identity Management (Univention, Keycloak)
- Fully integrated Identity Management (Univention)
- File storage (Nextcloud)
- Weboffice (Collabora)
- Videoconference (Jitsi)
- Encrypted Chat (Synapse, Element)
- Videoconference (Nordeck w/ Jitsi)
- Chat and Collaboration (Element w/ Nordeck)
- Groupware (OX Appsuite)
- Wiki (XWiki)
- Notes and Diagrams (Cryptpad, Draw.io)
- Project Management (OpenProject)
- Notes and Diagrams (Cryptpad)
openDesk integrates these components and is working towards a seamless user experience.
@@ -40,7 +41,7 @@ Basic knowledge of Kubernetes and Devops is required though.
# Active development notice
openDesk will face breaking changes in the near future without upgrade paths before
[technical release](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
v1.0.0 is reached.
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
@@ -60,10 +61,10 @@ Of course, further development also includes enhancing the documentation.
We love to get feedback from you!
Related to the deployment / contents of this repository,
please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
If you want to address other topics, please check the section
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
# Requirements
@@ -86,7 +87,7 @@ If you want to address other topics, please check the section
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
Gitlab provides an
[overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases)
[overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
of this project.
The following release artefacts are provided beside the default source code assets:

35
docs/external-services.md
View File

@@ -9,6 +9,7 @@ This document will cover the additional configuration to use external services l
<!-- TOC -->
* [Database](#database)
* [Objectstore](#objectstore)
* [Cache](#cache)
<!-- TOC -->
@@ -18,7 +19,7 @@ When deploying this suite to production, you need to configure the applications
service.
| Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
| Element | Synapse | PostgreSQL | | | |
| | | | Name | `databases.synapse.name` | `matrix` |
| | | | Host | `databases.synapse.host` | `postgresql` |
@@ -37,6 +38,18 @@ service.
| | | | Port | `databases.keycloakExtension.port` | `5432` |
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
| | | | Password | `databases.keycloakExtension.password` | |
| UMS | Notifications API | PostgreSQL | | | |
| | | | Name | `databases.umsNotificationsApi.name` | `notificationsapi` |
| | | | Host | `databases.umsNotificationsApi.host` | `postgresql` |
| | | | Port | `databases.umsNotificationsApi.port` | `5432` |
| | | | Username | `databases.umsNotificationsApi.username` | `notificationsapi_user` |
| | | | Password | `databases.umsNotificationsApi.password` | |
| | Self Service | PostgreSQL | | | |
| | | | Name | `databases.umsSelfservice.name` | `selfservice` |
| | | | Host | `databases.umsSelfservice.host` | `postgresql` |
| | | | Port | `databases.umsSelfservice.port` | `5432` |
| | | | Username | `databases.umsSelfservice.username` | `selfservice_user` |
| | | | Password | `databases.umsSelfservice.password` | |
| Nextcloud | Nextcloud | MariaDB | | | |
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
| | | | Host | `databases.nextcloud.host` | `mariadb` |
@@ -59,6 +72,23 @@ service.
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
## Objectstore
When deploying this suite to production, you need to configure the applications to use your production grade objectstore
service.
| Component | Name | Parameter | Key | Default |
|-------------|-------------|-----------------|------------------------------------------|--------------------|
| OpenProject | OpenProject | | | |
| | | Backend | `objectstores.openproject.backend` | `minio` |
| | | Bucket | `objectstores.openproject.bucket` | `openproject` |
| | | Endpoint | `objectstores.openproject.endpoint` | |
| | | Provider | `objectstores.openproject.provider` | `AWS` |
| | | Region | `objectstores.openproject.region` | |
| | | Secret | `objectstores.openproject.secret` | |
| | | Username | `objectstores.openproject.username` | `openproject_user` |
| | | Use IAM profile | `objectstores.openproject.useIAMProfile` | |
## Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
@@ -75,3 +105,6 @@ service.
| OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` |
| UMS | Self Service | Memcached | | | |
| | | | Host | `cache.umsSelfservice.host` | `memcached` |
| | | | Port | `cache.umsSelfservice.port` | `11211` |

32
docs/getting-started.md
View File

@@ -12,7 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
* [Customize environment](#customize-environment)
* [Domain](#domain)
* [Apps](#apps)
* [Private OCI registry](#private-oci-registry)
* [Private Image registry](#private-image-registry)
* [Private Helm registry](#private-helm-registry)
* [Cluster capabilities](#cluster-capabilities)
* [Service](#service)
@@ -129,9 +129,9 @@ jitsi:
enabled: false
```
### Private OCI registry
### Private Image registry
By default, all OCI artifacts are proxied via the project's container registry, which should get replaced soon by the
By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
OCI registries provided by Open CoDE.
You also can set your own registry by:
@@ -156,12 +156,32 @@ global:
### Private Helm registry
Some apps use Chart Museum style helm registries. You can use your own registry by setting this environment variable:
Some apps use OCI style registry and some use Helm chart museum style registries.
In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
or version.
```shell
export PRIVATE_CHART_REPOSITORY_URL=charts.open.desk
As an example, you can also use helmfile methods to use just a single environment variable to set registry and
authentication for all OCI helm charts.
```yaml
charts:
certificates:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
```
There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
The following environment variables have to be exposed when using the example:
| Environment variable | Description |
|-------------------------------------|--------------------------------------------------------------------------------------------|
| `OD_PRIVATE_HELM_OCI_REGISTRY` | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de` |
| `OD_PRIVATE_HELM_HTTP_REGISTRY` | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
| `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username |
| `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password |
### Cluster capabilities
#### Service

39
docs/security.md
View File

@@ -10,6 +10,7 @@ This document should cover the current status of security measurements.
<!-- TOC -->
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
<!-- TOC -->
## Helm Chart Trust Chain
@@ -36,7 +37,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | no | :x: |
| openproject-repo | yes | :white_check_mark: |
| openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: |
@@ -51,18 +52,19 @@ This list gives you an overview of default security settings and if they comply
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
@@ -75,7 +77,10 @@ This list gives you an overview of default security settings and if they comply
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
@@ -88,5 +93,29 @@ This list gives you an overview of default security settings and if they comply
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
| UCC | univention-corporate-container | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
## NetworkPolicies
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
When applied, they restrict the traffic to your services.
This protects other deployments in your cluster or other services in your deployment to get compromised when one
component is compromised.
We ship a default set of Otterize ClientIntents via
[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
(IBAC) into kubernetes native NetworkPolicies.
This requires the Otterize intents operator to be installed.
```yaml
security:
otterizeIntents:
enabled: true
```

266
examples/private-helm-registry.yaml.gotmpl Normal file
View File

@@ -0,0 +1,266 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
charts:
certificates:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
clamav:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
clamavSimple:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
collabora:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
cryptpad:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
dovecot:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
element:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
elementWellKnown:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
intercomService:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
istioResources:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
jitsi:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloak:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloakBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloakExtensions:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
keycloakTheme:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
mariadb:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeoboardWidget:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeochoiseWidget:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeodatefixBot:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeodatefixWidget:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixUserVerificationService:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
memcached:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
minio:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
nextcloud:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
nextcloudBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
nginx:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openproject:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openprojectBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openXchangeAppSuite:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openXchangeAppSuiteBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
otterize:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
oxConnector:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
postfix:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
postgresql:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
redis:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
synapse:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
synapseCreateAccount:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
synapseWeb:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsLdapNotifier:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsLdapServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsNotificationsApi:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsPortalFrontend:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsPortalListener:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsPortalServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsStackDataSwp:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsStackDataUms:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsStoreDav:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsUdmRestApi:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsUmcGateway:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsUmcServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
univentionCorporateServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
xwiki:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
...

2
helmfile.yaml
View File

@@ -29,7 +29,7 @@ missingFileHandler: "Error"
# - Installing all releases from root via helmfile apply
# - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
# - Installing a single release from app directory via helmfile apply
# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
# Issue: https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues/2
environments:
default:

11
helmfile/apps/collabora/helmfile.yaml
View File

@@ -3,20 +3,19 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Collabora Online
# Source: https://github.com/CollaboraOnline/online
- name: "collabora-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://collaboraonline.github.io/online" }}
username: "{{ .Values.charts.collabora.username }}"
password: {{ .Values.charts.collabora.password | quote }}
url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
releases:
- name: "collabora-online"
chart: "collabora-online-repo/collabora-online"
version: "1.0.2"
chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
version: "{{ .Values.charts.collabora.version }}"
values:
- "values.yaml"
- "values.gotmpl"

13
helmfile/apps/cryptpad/helmfile.yaml
View File

@@ -3,20 +3,19 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# CryptPad
# Source: https://github.com/cryptpad/helm
- name: "cryptpad-online-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://cryptpad.github.io/helm" }}
- name: "cryptpad-repo"
username: "{{ .Values.charts.cryptpad.username }}"
password: {{ .Values.charts.cryptpad.password | quote }}
url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
releases:
- name: "cryptpad"
chart: "cryptpad-online-repo/cryptpad"
version: "0.0.13"
chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
version: "{{ .Values.charts.cryptpad.version }}"
values:
- "values.yaml"
- "values.gotmpl"

4
helmfile/apps/cryptpad/values.yaml
View File

@@ -22,6 +22,10 @@ enableEmbedding: true
fullnameOverride: "cryptpad"
ingress:
annotations:
nginx.org/websocket-services: "cryptpad"
persistence:
enabled: false

127
helmfile/apps/element/helmfile.yaml
View File

@@ -3,37 +3,90 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Element
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
- name: "opendesk-element-repo"
- name: "element-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }}
username: "{{ .Values.charts.element.username }}"
password: {{ .Values.charts.element.password | quote }}
url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
- name: "element-well-known-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }}
username: "{{ .Values.charts.elementWellKnown.username }}"
password: {{ .Values.charts.elementWellKnown.password | quote }}
url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
- name: "synapse-web-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }}
username: "{{ .Values.charts.synapseWeb.username }}"
password: {{ .Values.charts.synapseWeb.password | quote }}
url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
- name: "synapse-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }}
username: "{{ .Values.charts.synapse.username }}"
password: {{ .Values.charts.synapse.password | quote }}
url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
- name: "synapse-create-account-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }}
username: "{{ .Values.charts.synapseCreateAccount.username }}"
password: {{ .Values.charts.synapseCreateAccount.password | quote }}
url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
# openDesk Matrix Widgets
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
- name: "opendesk-matrix-widgets-repo"
- name: "matrix-user-verification-service-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixUserVerificationService.verify }}
username: "{{ .Values.charts.matrixUserVerificationService.username }}"
password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
{{ .Values.charts.matrixUserVerificationService.repository }}"
- name: "matrix-neoboard-widget-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: "{{ .Values.charts.matrixNeoboardWidget.username }}"
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neochoice-widget-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: "{{ .Values.charts.matrixNeoboardWidget.username }}"
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neodatefix-widget-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
username: "{{ .Values.charts.matrixNeodatefixWidget.username }}"
password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
- name: "matrix-neodatefix-bot-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
username: "{{ .Values.charts.matrixNeodatefixBot.username }}"
password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
releases:
- name: "opendesk-element"
chart: "opendesk-element-repo/opendesk-element"
version: "2.5.0"
chart: "element-repo/{{ .Values.charts.element.name }}"
version: "{{ .Values.charts.element.version }}"
values:
- "values-element.yaml"
- "values-element.gotmpl"
@@ -41,8 +94,8 @@ releases:
timeout: 900
- name: "opendesk-well-known"
chart: "opendesk-element-repo/opendesk-well-known"
version: "2.5.0"
chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
version: "{{ .Values.charts.elementWellKnown.version }}"
values:
- "values-well-known.yaml"
- "values-well-known.gotmpl"
@@ -50,8 +103,8 @@ releases:
timeout: 900
- name: "opendesk-synapse-web"
chart: "opendesk-element-repo/opendesk-synapse-web"
version: "2.5.0"
chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
version: "{{ .Values.charts.synapseWeb.version }}"
values:
- "values-synapse-web.yaml"
- "values-synapse-web.gotmpl"
@@ -59,8 +112,8 @@ releases:
timeout: 900
- name: "opendesk-synapse"
chart: "opendesk-element-repo/opendesk-synapse"
version: "2.5.0"
chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
version: "{{ .Values.charts.synapse.version }}"
values:
- "values-synapse.yaml"
- "values-synapse.gotmpl"
@@ -68,8 +121,8 @@ releases:
timeout: 900
- name: "opendesk-matrix-user-verification-service-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account"
version: "2.5.0"
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}"
values:
- "values-matrix-user-verification-service-bootstrap.yaml"
- "values-matrix-user-verification-service-bootstrap.gotmpl"
@@ -77,8 +130,8 @@ releases:
timeout: 900
- name: "opendesk-matrix-user-verification-service"
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
version: "2.5.0"
chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
version: "{{ .Values.charts.matrixUserVerificationService.version }}"
values:
- "values-matrix-user-verification-service.yaml"
- "values-matrix-user-verification-service.gotmpl"
@@ -86,8 +139,8 @@ releases:
timeout: 900
- name: "matrix-neoboard-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
version: "3.2.0"
chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
values:
- "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl"
@@ -95,8 +148,8 @@ releases:
timeout: 900
- name: "matrix-neochoice-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
version: "3.2.0"
chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
values:
- "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl"
@@ -104,8 +157,8 @@ releases:
timeout: 900
- name: "matrix-neodatefix-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
version: "3.2.0"
chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
values:
- "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl"
@@ -113,8 +166,8 @@ releases:
timeout: 900
- name: "matrix-neodatefix-bot-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account"
version: "2.5.0"
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}"
values:
- "values-matrix-neodatefix-bot-bootstrap.yaml"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
@@ -122,8 +175,8 @@ releases:
timeout: 900
- name: "matrix-neodatefix-bot"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
version: "3.2.0"
chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
values:
- "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl"

2
helmfile/apps/element/values-matrix-user-verification-service.yaml
View File

@@ -22,6 +22,8 @@ extraEnvVars:
secretKeyRef:
name: "opendesk-matrix-user-verification-service-account"
key: "access_token"
- name: "UVS_DISABLE_IP_BLACKLIST"
value: "true"
podSecurityContext:
enabled: true

10
helmfile/apps/element/values-synapse.yaml
View File

@@ -11,6 +11,16 @@ configuration:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
homeserver:
guestModule:

14
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -3,24 +3,24 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Intercom Service
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
- name: "intercom-service-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.intercomService.verify }}
username: "{{ .Values.charts.intercomService.username }}"
password: {{ .Values.charts.intercomService.password | quote }}
url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
releases:
- name: "intercom-service"
chart: "intercom-service-repo/intercom-service"
version: "2.0.1"
chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
version: "{{ .Values.charts.intercomService.version }}"
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.intercom.enabled }}

3
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -46,4 +46,7 @@ ingress:
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.intercomService | toYaml | nindent 2 }}
...

21
helmfile/apps/intercom-service/values.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
...

13
helmfile/apps/jitsi/helmfile.yaml
View File

@@ -3,23 +3,22 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Jitsi
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
- name: "jitsi-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.jitsi.verify }}
username: "{{ .Values.charts.jitsi.username }}"
password: {{ .Values.charts.jitsi.password | quote }}
url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
releases:
- name: "jitsi"
chart: "jitsi-repo/sovereign-workplace-jitsi"
version: "1.7.1"
chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
version: "{{ .Values.charts.jitsi.version }}"
values:
- "values-jitsi.gotmpl"
installed: {{ .Values.jitsi.enabled }}

2
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -60,7 +60,7 @@ jitsi:
- name: "AUTH_TYPE"
value: "hybrid_matrix_token"
- name: "JWT_APP_ID"
value: "myappid"
value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
- name: "JWT_APP_SECRET"
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"

15
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -3,25 +3,22 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
- name: "opendesk-keycloak-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloakBootstrap.verify }}
username: "{{ .Values.charts.keycloakBootstrap.username }}"
password: {{ .Values.charts.keycloakBootstrap.password | quote }}
url: "{{ .Values.charts.keycloakBootstrap.registry }}/{{ .Values.charts.keycloakBootstrap.repository }}"
releases:
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
version: "1.1.12"
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.keycloakBootstrap.name }}"
version: "{{ .Values.charts.keycloakBootstrap.version }}"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"

4
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -27,4 +27,8 @@ image:
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
additionalAnnotations:
annotations:
intents.otterize.com/service-name: "keycloak-bootstrap"
...

43
helmfile/apps/keycloak/helmfile.yaml
View File

@@ -3,52 +3,55 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
- name: "keycloak-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloak.verify }}
username: "{{ .Values.charts.keycloak.username }}"
password: {{ .Values.charts.keycloak.password | quote }}
url: "{{ .Values.charts.keycloak.registry }}/{{ .Values.charts.keycloak.repository }}"
# openDesk Keycloak Theme
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
- name: "keycloak-theme-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.keycloakTheme.verify }}
username: "{{ .Values.charts.keycloakTheme.username }}"
password: {{ .Values.charts.keycloakTheme.password | quote }}
url: "{{ .Values.charts.keycloakTheme.registry }}/{{ .Values.charts.keycloakTheme.repository }}"
# openDesk Keycloak Extensions
- name: "keycloak-extensions-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
username: "{{ .Values.charts.keycloakExtensions.username }}"
password: {{ .Values.charts.keycloakExtensions.password | quote }}
url: "{{ .Values.charts.keycloakExtensions.registry }}/{{ .Values.charts.keycloakExtensions.repository }}"
releases:
- name: "keycloak-theme"
chart: "keycloak-theme-repo/opendesk-keycloak-theme"
version: "2.0.0"
chart: "keycloak-theme-repo/{{ .Values.charts.keycloakTheme.name }}"
version: "{{ .Values.charts.keycloakTheme.version }}"
values:
- "values-theme.gotmpl"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak"
chart: "bitnami-repo/keycloak"
version: "12.1.5"
chart: "keycloak-repo/{{ .Values.charts.keycloak.name }}"
version: "{{ .Values.charts.keycloak.version }}"
values:
- "values-keycloak.gotmpl"
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak-extensions"
chart: "keycloak-extensions-repo/keycloak-extensions"
version: "0.1.0"
chart: "keycloak-extensions-repo/{{ .Values.charts.keycloakExtensions.name }}"
version: "{{ .Values.charts.keycloakExtensions.version }}"
needs:
- "keycloak"
values:

1
helmfile/apps/keycloak/values-extensions.gotmpl
View File

@@ -23,6 +23,7 @@ handler:
appConfig:
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}"
resources:

30
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -3,32 +3,30 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
# Source:
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
- name: "opendesk-nextcloud-bootstrap-repo"
# https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
- name: "nextcloud-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nextcloudBootstrap.verify }}
username: "{{ .Values.charts.nextcloudBootstrap.username }}"
password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
# Nextcloud
# Source: https://github.com/nextcloud/helm/
- name: "nextcloud-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://nextcloud.github.io/helm/" }}
username: "{{ .Values.charts.nextcloud.username }}"
password: {{ .Values.charts.nextcloud.password | quote }}
url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
releases:
- name: "opendesk-nextcloud-bootstrap"
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
version: "3.2.3"
chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
version: "{{ .Values.charts.nextcloudBootstrap.version }}"
wait: true
waitForJobs: true
values:
@@ -38,8 +36,8 @@ releases:
timeout: 900
- name: "nextcloud"
chart: "nextcloud-repo/nextcloud"
version: "3.5.19"
chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
version: "{{ .Values.charts.nextcloud.version }}"
needs:
- "opendesk-nextcloud-bootstrap"
values:

1
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -44,6 +44,7 @@ config:
smtp:
host: {{ .Values.smtp.host | quote }}
port: {{ .Values.smtp.port | quote }}
username: {{ .Values.smtp.username | quote }}
password: {{ .Values.smtp.password | quote }}

15
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -10,7 +10,22 @@ config:
username: "phoenixusername"
userOidc:
username: "ncoidc"
userIdAttribute: "entryuuid"
realm: "souvap"
cryptpad:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 33
fsGroupChangePolicy: "Always"
...

2
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -49,6 +49,8 @@ metrics:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
resources:
{{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.nextcloud }}

19
helmfile/apps/nextcloud/values-nextcloud.yaml
View File

@@ -20,6 +20,11 @@ cronjob:
- >
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
ingress:
annotations:
@@ -52,6 +57,20 @@ nextcloud:
{
"drawio": ["application/x-drawio"]
}
podSecurityContext:
fsGroup: 33
seccompProfile:
type: "RuntimeDefault"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
- "SETGID"
- "SETUID"
# this is not documented but can be found in values.yaml
service:

49
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -3,39 +3,40 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Dovecot
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
- name: "opendesk-dovecot-repo"
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
- name: "dovecot-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.dovecot.verify }}
username: "{{ .Values.charts.dovecot.username }}"
password: {{ .Values.charts.dovecot.password | quote }}
url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
# Open-Xchange
- name: "openxchange-repo"
- name: "open-xchange-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
username: "{{ .Values.charts.openXchangeAppSuite.username }}"
password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
# openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
- name: "opendesk-open-xchange-bootstrap-repo"
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
- name: "open-xchange-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
username: "{{ .Values.charts.openXchangeAppSuiteBootstrap.username }}"
password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
releases:
- name: "dovecot"
chart: "opendesk-dovecot-repo/dovecot"
version: "1.3.5"
chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
version: "{{ .Values.charts.dovecot.version }}"
values:
- "values-dovecot.yaml"
- "values-dovecot.gotmpl"
@@ -43,8 +44,8 @@ releases:
timeout: 900
- name: "open-xchange"
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
version: "2.1.1"
chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
version: "{{ .Values.charts.openXchangeAppSuite.version }}"
values:
- "values-openxchange.yaml"
- "values-openxchange.gotmpl"
@@ -54,8 +55,8 @@ releases:
timeout: 900
- name: "opendesk-open-xchange-bootstrap"
chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
version: "1.3.1"
chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
values:
- "values-openxchange-bootstrap.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }}

25
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -25,6 +25,8 @@ nextcloud-integration-ui:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
public-sector-ui:
image:
@@ -35,6 +37,8 @@ public-sector-ui:
- name: {{ . | quote }}
{{- end }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
appsuite:
istio:
@@ -62,6 +66,8 @@ appsuite:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -119,6 +125,8 @@ appsuite:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
core-ui:
imagePullSecrets:
@@ -129,6 +137,8 @@ appsuite:
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
core-ui-middleware:
ingress:
@@ -146,13 +156,18 @@ appsuite:
redis:
auth:
password: {{ .Values.secrets.redis.password | quote }}
resources:
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
updater:
resources:
{{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
core-documentconverter:
image:
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
resources:
{{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
core-guidedtours:
imagePullSecrets:
@@ -163,11 +178,15 @@ appsuite:
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
core-imageconverter:
image:
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
guard-ui:
imagePullSecrets:
@@ -178,6 +197,8 @@ appsuite:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
core-user-guide:
image:
@@ -188,4 +209,6 @@ appsuite:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
...

3
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -150,6 +150,9 @@ appsuite:
io.ox/core//coloredIcons: "false"
# Mail templates
io.ox/core//features/templates: "true"
# Contact Collector
io.ox/mail//contactCollectOnMailTransport: "true"
# io.ox/mail//contactCollectOnMailAccess: "true"
asConfig:
default:

17
helmfile/apps/openproject-bootstrap/helmfile.yaml
View File

@@ -3,25 +3,22 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk OpenProject Bootstrap
# Source: Set when repo is managed on Open CoDE
- name: "opendesk-openproject-bootstrap-repo"
- name: "openproject-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.openprojectBootstrap.verify }}
username: "{{ .Values.charts.openprojectBootstrap.username }}"
password: {{ .Values.charts.openprojectBootstrap.password | quote }}
url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
releases:
- name: "opendesk-openproject-bootstrap"
chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
version: "1.2.1"
chart: "openproject-bootstrap-repo/{{ .Values.charts.openprojectBootstrap.name }}"
version: "{{ .Values.charts.openprojectBootstrap.version }}"
wait: true
waitForJobs: true
values:

14
helmfile/apps/openproject/helmfile.yaml
View File

@@ -3,20 +3,22 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# OpenProject
# Source: https://github.com/opf/helm-charts
- name: "openproject-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://charts.openproject.org" }}
oci: true
keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
verify: {{ .Values.charts.openproject.verify }}
username: "{{ .Values.charts.openproject.username }}"
password: {{ .Values.charts.openproject.password | quote }}
url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
releases:
- name: "openproject"
chart: "openproject-repo/openproject"
version: "2.4.0"
chart: "openproject-repo/{{ .Values.charts.openproject.name }}"
version: "{{ .Values.charts.openproject.version }}"
wait: true
waitForJobs: true
values:

14
helmfile/apps/openproject/values.gotmpl
View File

@@ -77,9 +77,17 @@ environment:
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
{{ if ne .Values.objectstores.openproject.backend "aws" }}
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
{{ end }}
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
replicaCount: {{ .Values.replicas.openproject }}

21
helmfile/apps/openproject/values.yaml
View File

@@ -30,11 +30,18 @@ openproject:
# seed will only be executed on initial installation
seed_locale: "de"
securityContext:
containerSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
runAsNonRoot: true
persistence:
enabled: false
@@ -75,8 +82,12 @@ environment:
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
OPENPROJECT_FOG_DIRECTORY: "openproject"
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
# Define an admin mapping from the claim
# The attribute mapping cannot currently be defined in the value
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
seederJob:
annotations:
intents.otterize.com/service-name: "openproject-seeder"
...

11
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -3,19 +3,18 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# OX Connector
- name: "ox-connector-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
username: "{{ .Values.charts.oxConnector.username }}"
password: {{ .Values.charts.oxConnector.password | quote }}
url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
releases:
- name: "ox-connector"
chart: "ox-connector-repo/ox-connector"
version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
version: "{{ .Values.charts.oxConnector.version }}"
values:
- "values-oxconnector.yaml"
- "values-oxconnector.gotmpl"

161
helmfile/apps/services/helmfile.yaml
View File

@@ -3,143 +3,194 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Otterize
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
- name: "otterize-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.otterize.verify }}
username: "{{ .Values.charts.otterize.username }}"
password: {{ .Values.charts.otterize.password | quote }}
url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
# openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
- name: "opendesk-certificates-repo"
- name: "certificates-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.certificates.verify }}
username: "{{ .Values.charts.certificates.username }}"
password: {{ .Values.charts.certificates.password | quote }}
url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
# openDesk PostgreSQL
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
- name: "postgresql-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.postgresql.verify }}
username: "{{ .Values.charts.postgresql.username }}"
password: {{ .Values.charts.postgresql.password | quote }}
url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
# openDesk MariaDB
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb
- name: "mariadb-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.mariadb.verify }}
username: "{{ .Values.charts.mariadb.username }}"
password: {{ .Values.charts.mariadb.password | quote }}
url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
# openDesk Postfix
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
- name: "postfix-repo"
oci: true
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.postfix.verify }}
username: "{{ .Values.charts.postfix.username }}"
password: {{ .Values.charts.postfix.password | quote }}
url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
# openDesk Istio Resources
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
- name: "istio-resources-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.istioResources.verify }}
username: "{{ .Values.charts.istioResources.username }}"
password: {{ .Values.charts.istioResources.password | quote }}
url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
# openDesk ClamAV
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
- name: "clamav-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.clamav.verify }}
username: "{{ .Values.charts.clamav.username }}"
password: {{ .Values.charts.clamav.password | quote }}
url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
- name: "clamav-simple-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.clamavSimple.verify }}
username: "{{ .Values.charts.clamavSimple.username }}"
password: {{ .Values.charts.clamavSimple.password | quote }}
url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
- name: "memcached-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.memcached.verify }}
username: "{{ .Values.charts.memcached.username }}"
password: {{ .Values.charts.memcached.password | quote }}
url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
- name: "redis-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.redis.verify }}
username: "{{ .Values.charts.redis.username }}"
password: {{ .Values.charts.redis.password | quote }}
url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
- name: "minio-repo"
oci: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.minio.verify }}
username: "{{ .Values.charts.minio.username }}"
password: {{ .Values.charts.minio.password | quote }}
url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
releases:
- name: "opendesk-otterize"
chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
version: "{{ .Values.charts.otterize.version }}"
values:
- "values-otterize.gotmpl"
installed: {{ .Values.security.otterizeIntents.enabled }}
- name: "opendesk-certificates"
chart: "opendesk-certificates-repo/opendesk-certificates"
version: "2.1.0"
chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
version: "{{ .Values.charts.certificates.version }}"
values:
- "values-certificates.gotmpl"
installed: {{ .Values.certificates.enabled }}
- name: "redis"
chart: "bitnami-repo/redis"
version: "18.1.2"
chart: "redis-repo/{{ .Values.charts.redis.name }}"
version: "{{ .Values.charts.redis.version }}"
values:
- "values-redis.gotmpl"
- "values-redis.yaml"
installed: {{ .Values.redis.enabled }}
- name: "memcached"
chart: "bitnami-repo/memcached"
version: "6.6.2"
chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
version: "{{ .Values.charts.memcached.version }}"
values:
- "values-memcached.yaml"
- "values-memcached.gotmpl"
installed: {{ .Values.memcached.enabled }}
- name: "postgresql"
chart: "postgresql-repo/postgresql"
version: "2.0.3"
chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
version: "{{ .Values.charts.postgresql.version }}"
values:
- "values-postgresql.yaml"
- "values-postgresql.gotmpl"
installed: {{ .Values.postgresql.enabled }}
timeout: 900
- name: "mariadb"
chart: "mariadb-repo/mariadb"
version: "2.1.1"
chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
version: "{{ .Values.charts.mariadb.version }}"
values:
- "values-mariadb.yaml"
- "values-mariadb.gotmpl"
installed: {{ .Values.mariadb.enabled }}
timeout: 900
- name: "postfix"
chart: "postfix-repo/postfix"
version: "2.0.4"
chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
version: "{{ .Values.charts.postfix.version }}"
values:
- "values-postfix.yaml"
- "values-postfix.gotmpl"
installed: {{ .Values.postfix.enabled }}
- name: "clamav"
chart: "clamav-repo/opendesk-clamav"
version: "4.0.0"
chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
version: "{{ .Values.charts.clamav.version }}"
values:
- "values-clamav-distributed.yaml"
- "values-clamav-distributed.gotmpl"
installed: {{ .Values.clamavDistributed.enabled }}
- name: "clamav-simple"
chart: "clamav-repo/clamav-simple"
version: "4.0.0"
chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
version: "{{ .Values.charts.clamavSimple.version }}"
values:
- "values-clamav-simple.yaml"
- "values-clamav-simple.gotmpl"
installed: {{ .Values.clamavSimple.enabled }}
- name: "opendesk-gateway"
chart: "istio-resources-repo/istio-gateway"
version: "2.0.0"
chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
version: "{{ .Values.charts.istioResources.version }}"
values:
- "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl"
installed: {{ .Values.istio.enabled }}
- name: "minio"
chart: "bitnami-repo/minio"
version: "12.8.19"
chart: "minio-repo/{{ .Values.charts.minio.name }}"
version: "{{ .Values.charts.minio.version }}"
values:
- "values-minio.yaml"
- "values-minio.gotmpl"

3
helmfile/apps/services/values-mariadb.gotmpl
View File

@@ -8,6 +8,9 @@ global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image:
repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }}

56
helmfile/apps/services/values-otterize.gotmpl Normal file
View File

@@ -0,0 +1,56 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
apps:
clamavDistributed:
enabled: {{ .Values.clamavDistributed.enabled }}
clamavSimple:
enabled: {{ .Values.clamavSimple.enabled }}
collabora:
enabled: {{ .Values.collabora.enabled }}
cryptpad:
enabled: {{ .Values.cryptpad.enabled }}
dovecot:
enabled: {{ .Values.dovecot.enabled }}
element:
enabled: {{ .Values.element.enabled }}
intercom:
enabled: {{ .Values.intercom.enabled }}
jitsi:
enabled: {{ .Values.jitsi.enabled }}
keycloak:
enabled: {{ .Values.keycloak.enabled }}
mariadb:
enabled: {{ .Values.mariadb.enabled }}
memcached:
enabled: {{ .Values.memcached.enabled }}
minio:
enabled: {{ .Values.minio.enabled }}
nextcloud:
enabled: {{ .Values.nextcloud.enabled }}
openproject:
enabled: {{ .Values.openproject.enabled }}
oxAppsuite:
enabled: {{ .Values.oxAppsuite.enabled }}
oxConnector:
enabled: {{ .Values.oxConnector.enabled }}
postfix:
enabled: {{ .Values.postfix.enabled }}
postgresql:
enabled: {{ .Values.postgresql.enabled }}
redis:
enabled: {{ .Values.redis.enabled }}
univentionCorporateServer:
enabled: {{ .Values.univentionCorporateServer.enabled }}
univentionManagementStack:
enabled: {{ .Values.univentionManagementStack.enabled }}
xwiki:
enabled: {{ .Values.xwiki.enabled }}
extraApps:
clusterPostfix:
enabled: {{ .Values.security.clusterPostfix.enabled }}
namespace: {{ .Values.security.clusterPostfix.namespace }}
...

2
helmfile/apps/services/values-postfix.gotmpl
View File

@@ -24,7 +24,7 @@ postfix:
- fileName: "sasl_passwd.map"
content:
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}}
virtualTransport: "lmtps:dovecot:24"
smtpdSASLPath: "inet:dovecot:3659"

6
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -24,7 +24,9 @@ job:
- username: "matrix_user"
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- username: "selfservice_user"
password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
databases:
- name: "keycloak"
user: "keycloak_user"
@@ -37,6 +39,8 @@ job:
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
- name: "notificationsapi"
user: "notificationsapi_user"
- name: "selfservice"
user: "selfservice_user"
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

16
helmfile/apps/univention-corporate-container/helmfile.yaml
View File

@@ -3,24 +3,22 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Univention Corporate Server (as eval Container)
- name: "univention-corporate-container-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.univentionCorporateServer.verify }}
username: "{{ .Values.charts.univentionCorporateServer.username }}"
password: {{ .Values.charts.univentionCorporateServer.password | quote }}
url: "{{ .Values.charts.univentionCorporateServer.registry }}/\
{{ .Values.charts.univentionCorporateServer.repository }}"
releases:
- name: "univention-corporate-container"
chart: "univention-corporate-container-repo/univention-corporate-container"
version: "1.0.10"
chart: "univention-corporate-container-repo/{{ .Values.charts.univentionCorporateServer.name }}"
version: "{{ .Values.charts.univentionCorporateServer.version }}"
values:
- "values.yaml"
- "values.gotmpl"

103
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -3,7 +3,6 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# Univention Management Stack
@@ -13,127 +12,135 @@ repositories:
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
- name: "nginx-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nginx.verify }}
username: "{{ .Values.charts.nginx.username }}"
password: {{ .Values.charts.nginx.password | quote }}
url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
releases:
# TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
# {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
- name: "ums-stack-gateway"
chart: "bitnami-repo/nginx"
version: "15.3.5"
chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "{{ .Values.charts.nginx.version }}"
values:
- "values-ums-stack-gateway.gotmpl"
- "values-ums-stack-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
# {{- end }}
- name: "ums-store-dav"
chart: "ums-repo/store-dav"
version: "0.5.2"
chart: "ums-repo/{{ .Values.charts.umsStoreDav.name }}"
version: "{{ .Values.charts.umsStoreDav.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-store-dav.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server"
chart: "ums-repo/ldap-server"
version: "0.7.0"
chart: "ums-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "{{ .Values.charts.umsLdapServer.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-server.gotmpl"
- "values-ldap-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier"
chart: "ums-repo/ldap-notifier"
version: "0.7.0"
chart: "ums-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "{{ .Values.charts.umsLdapNotifier.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api"
chart: "ums-repo/udm-rest-api"
version: "0.3.5"
chart: "ums-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "{{ .Values.charts.umsUdmRestApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-udm-rest-api.gotmpl"
- "values-udm-rest-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums"
chart: "ums-repo/stack-data-ums"
version: "0.33.0"
chart: "ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "{{ .Values.charts.umsStackDataUms.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-ums.gotmpl"
- "values-stack-data-ums.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp"
chart: "ums-repo/stack-data-swp"
version: "0.33.0"
chart: "ums-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "{{ .Values.charts.umsStackDataSwp.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-stack-data-swp.gotmpl"
- "values-stack-data-swp.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server"
chart: "ums-repo/portal-server"
version: "0.4.3"
chart: "ums-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "{{ .Values.charts.umsPortalServer.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-server.gotmpl"
- "values-portal-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api"
chart: "ums-repo/notifications-api"
version: "0.4.3"
chart: "ums-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "{{ .Values.charts.umsNotificationsApi.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-notifications-api.gotmpl"
- "values-notifications-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener"
chart: "ums-repo/portal-listener"
version: "0.4.3"
chart: "ums-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "{{ .Values.charts.umsPortalListener.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-listener.gotmpl"
- "values-portal-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend"
chart: "ums-repo/portal-frontend"
version: "0.4.3"
chart: "ums-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "{{ .Values.charts.umsPortalFrontend.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-portal-frontend.gotmpl"
- "values-portal-frontend.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend-custom"
# TODO: Replace with our own Nginx chart.
chart: "bitnami-repo/nginx"
version: "15.3.5"
values:
- "values-portal-frontend-custom.yaml"
- "values-portal-frontend-custom.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway"
chart: "ums-repo/umc-gateway"
version: "0.5.1"
chart: "ums-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "{{ .Values.charts.umsUmcGateway.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server"
chart: "ums-repo/umc-server"
version: "0.5.1"
chart: "ums-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "{{ .Values.charts.umsUmcServer.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
@@ -141,6 +148,16 @@ releases:
- "values-umc-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-selfservice-listener"
chart: "ums-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-selfservice-listener.gotmpl"
- "values-selfservice-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-management-stack"

8
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -4,11 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
...

13
helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -6,5 +6,18 @@ global:
configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null
ingress:
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
istio:
enabled: false
...

19
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
---
ldapServer:
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
waitForSamlMetadata: true
# TODO: Certificates handling
# caCert: ""
# certPem: ""
# privateKey: ""
# dhParam: ""
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
@@ -26,12 +18,11 @@ image:
{{- end }}
waitForDependency:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
imagePullPolicy: "Always"
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #199
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}

3
helmfile/apps/univention-management-stack/values-ldap-server.yaml
View File

@@ -2,6 +2,9 @@
# SPDX-License-Identifier: Apache-2.0
---
ldapServer:
waitForSamlMetadata: true
service:
type: "ClusterIP"

10
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
View File

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
postgresql:
bundled: false
connection:
host: "postgresql"
port: 5432
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: "notificationsapi_user"
database: "notificationsapi"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
image:
registry: {{ .Values.global.imageRegistry }}

53
helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl
View File

@@ -1,53 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: true
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "nginx"
annotations:
nginx.org/mergeable-ingress-type: "minion"
tls: false
pathType: Exact
path: /favicon.ico
extraPaths:
- pathType: Exact
path: /univention/portal/css/custom.css
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo_small_border.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.png
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
...

33
helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml
View File

@@ -1,33 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
type: "ClusterIP"
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/app/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
...

6
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
View File

@@ -14,13 +14,7 @@ image:
{{- end }}
extraIngresses:
redirects:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}

73
helmfile/apps/univention-management-stack/values-portal-frontend.yaml Normal file
View File

@@ -0,0 +1,73 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraIngresses:
redirects:
# Using "stack-gateway" currently.
enabled: false
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
# Using "stack-gateway" currently.
enabled: false
# See "extraVolumeMounts" below
custom-favicon:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.org/mergeable-ingress-type: "minion"
paths:
- pathType: "Exact"
path: "/favicon.ico"
tls: {}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: "Prefix"
path: "/univention/portal/icons/"
- pathType: "Prefix"
path: "/univention/portal/custom/"
tls: {}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
...

22
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
View File

@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
portalListener:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
environment: "staging"
debugLevel: "4"
assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHost: "{{ .Values.ldap.host }}"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
tlsMode: "off"
image:
registry: {{ .Values.global.imageRegistry | quote }}
@@ -37,10 +32,9 @@ image:
waitForDependency:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: "Always"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #200
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}

8
helmfile/apps/univention-management-stack/values-portal-listener.yaml
View File

@@ -2,6 +2,14 @@
# SPDX-License-Identifier: Apache-2.0
---
portalListener:
debugLevel: "4"
tlsMode: "off"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
store-dav:
bundled: false

11
helmfile/apps/univention-management-stack/values-portal-server.gotmpl
View File

@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
authMode: "saml"
environment: "staging"
editable: "false"
logLevel: "DEBUG"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
centralNavigation:
enabled: true
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
image:

14
helmfile/apps/univention-management-stack/values-portal-server.yaml Normal file
View File

@@ -0,0 +1,14 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalServer:
authMode: "saml"
editable: "false"
logLevel: "DEBUG"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation:
enabled: true
...

48
helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl Normal file
View File

@@ -0,0 +1,48 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
selfserviceListener:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
selfserviceListener:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
selfserviceInvitation:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
resources:
{{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
...

11
helmfile/apps/univention-management-stack/values-selfservice-listener.yaml Normal file
View File

@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
selfserviceListener:
debugLevel: "4"
tlsMode: "off"
umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin"
...

32
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
View File

@@ -4,31 +4,29 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataSwp:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
ldapSearchUsers:
{{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $k | quote }}
password: {{ $v | quote }}
lastname: {{ "LDAP-Search-User" }}
{{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
externalDomainName: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
externalDomainName: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
oxDefaultContext: "10"
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUser: {{ .Values.smtp.username | quote }}
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}

16
helmfile/apps/univention-management-stack/values-stack-data-swp.yaml Normal file
View File

@@ -0,0 +1,16 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataSwp:
udmApiUser: "cn=admin"
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
oxDefaultContext: "10"
smtpStartTls: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
...

32
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
View File

@@ -4,32 +4,22 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
stackDataUms:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
domainname: "{{ .Values.global.domain }}"
externalMailDomain: "{{ .Values.global.domain }}"
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
ldapHost: "{{ .Values.ldap.host }}"
ldapBase: "dc=swp-ldap,dc=internal"
# TODO: This should not be required, the machine account is not there
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
domainname: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: {{ .Values.ldap.baseDn | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
idpSamlMetadataUrlInternal: null
umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
umcSamlSchemes: "https"
idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
idpSamlMetadataUrl: {{ printf "https://%s.%s%s" .Values.global.hosts.keycloak .Values.global.domain "/realms/souvap/protocol/saml/descriptor" | quote }}
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}

17
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml Normal file
View File

@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataUms:
loadDevData: true
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
...

2
helmfile/apps/univention-management-stack/values-store-dav.gotmpl
View File

@@ -21,7 +21,6 @@ image:
configHtpasswd:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
pullPolicy: "Always"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
pullSecrets:
@@ -29,7 +28,6 @@ image:
- name: {{ . | quote }}
{{- end }}
# TODO: Pending upstream support, #201
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}

7
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
View File

@@ -7,12 +7,7 @@ udmRestApi:
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
# TODO: Stub value currently
caCert: ""
# TODO: This should not be part of the udm-rest-api anymore
loadJoinData:
enabled: true
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}

21
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
udmRestApi:
# TODO: Stub value currently
caCert: ""
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
extraVolumeMounts:
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
...

13
helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
View File

@@ -3,19 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0
*/}}
---
umcGateway:
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}

23
helmfile/apps/univention-management-stack/values-umc-gateway.yaml Normal file
View File

@@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
- name: "announcements-customization"
mountPath:
"/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
...

15
helmfile/apps/univention-management-stack/values-umc-server.gotmpl
View File

@@ -9,6 +9,21 @@ umcServer:
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
smtpSecret: {{ .Values.smtp.password | quote }}
postgresql:
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
memcached:
server: {{ .Values.cache.umsSelfservice.host | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}

24
helmfile/apps/univention-management-stack/values-umc-server.yaml
View File

@@ -17,6 +17,13 @@ extraVolumes:
configMap:
name: "ums-stack-data-swp-self-service-emails"
defaultMode: 0444
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "certificates"
@@ -26,5 +33,22 @@ extraVolumeMounts:
subPath: "90-customization.sh"
- name: "self-service-emails"
mountPath: "/usr/share/univention-self-service/email_bodies"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
- name: "announcements-customization"
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
subPath: "udm-portals-announcement.xml"
postgresql:
bundled: false
memcached:
bundled: false
auth:
username: null
password: null
...

172
helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
View File

@@ -3,171 +3,11 @@
---
ingress:
enabled: true
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
tls: false
enabled: {{ .Values.ingress.enabled }}
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
extraTls:
- hosts:
- "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
service:
type: "ClusterIP"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
## portal-frontend
# The frontend does not own "/univention/portal", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
proxy_set_header X-Forwarded-Host $host;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
}
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
...

241
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml Normal file
View File

@@ -0,0 +1,241 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
tls: false
service:
type: "ClusterIP"
fullnameOverride: "ums-stack-gateway"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
## portal-frontend
# The frontend does not own "/univention/portal" nor
# "/univention/selfservice", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/selfservice/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/css/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/fonts/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/i18n/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/media/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/js/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/oidc/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/selfservice {
absolute_redirect off;
return 302 /univention/selfservice/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/selfservice/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/selfservice/icons/entries/ {
rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/selfservice/icons/logos/ {
rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
}
...

11
helmfile/apps/xwiki/helmfile.yaml
View File

@@ -3,20 +3,19 @@
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# XWiki
# Source: https://github.com/xwiki-contrib/xwiki-helm
- name: "xwiki-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://xwiki-contrib.github.io/xwiki-helm" }}
username: "{{ .Values.charts.xwiki.username }}"
password: {{ .Values.charts.xwiki.password | quote }}
url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
releases:
- name: "xwiki"
chart: "xwiki-repo/xwiki"
version: "1.2.3"
chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
version: "{{ .Values.charts.xwiki.version }}"
wait: true
values:
- "values.yaml"

4
helmfile/apps/xwiki/values.gotmpl
View File

@@ -16,7 +16,7 @@ externalDB:
customConfigs:
"xwiki.cfg":
"xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
## LDAP Server configuration
xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
xwiki.authentication.ldap.port: 389
@@ -25,6 +25,8 @@ customConfigs:
xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
## Base DN used for searching for users
xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
## Allow short update cycles of the LDAP group cache
xwiki.authentication.ldap.groupcache_expiration: 300
"xwiki.properties":
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"

18
helmfile/apps/xwiki/values.yaml
View File

@@ -2,7 +2,14 @@
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
runAsUser: 100
runAsGroup: 101
runAsNonRoot: true
capabilities:
drop:
- "ALL"
customConfigs:
xwiki.cfg:
@@ -10,9 +17,9 @@ customConfigs:
## Indicate the LDAP field defining the user UID
xwiki.authentication.ldap.UID_attr: "uid"
## Indicate the LDAP field defining the user profile picture
# xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
## Enable the synchronization of the LDAP profile picture
# xwiki.authentication.ldap.update_photo: 1
xwiki.authentication.ldap.update_photo: 1
xwiki.properties:
oidc.scope: "openid,profile,email,address,phoenix"
@@ -80,11 +87,16 @@ properties:
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
"dc=swp-ldap,dc=internal"
## LDAP filter to only synchronize some groups
# "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
# "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
"(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
"(objectClass=opendeskKnowledgemanagementGroup)"
securityContext:
enabled: true
fsGroup: 101
seccompProfile:
type: "RuntimeDefault"
service:
externalPort: 80

1
helmfile/environments/default/_helper.gotmpl
View File

@@ -7,4 +7,5 @@ SPDX-License-Identifier: Apache-2.0
ldap:
host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
baseDn: "dc=swp-ldap,dc=internal"
...

3
helmfile/environments/default/cache.yaml
View File

@@ -13,4 +13,7 @@ cache:
openproject:
host: "memcached"
port: 11211
umsSelfservice:
host: "memcached"
port: 11211
...

727
helmfile/environments/default/charts.yaml Normal file
View File

@@ -0,0 +1,727 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
charts:
certificates:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates"
name: "opendesk-certificates"
version: "2.1.0"
verify: true
username: ~
password: ~
clamav:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/clamav/opendesk-clamav
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/clamav"
name: "opendesk-clamav"
version: "4.0.0"
verify: true
username: ~
password: ~
clamavSimple:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/clamav/clamav-simple
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/clamav"
name: "clamav-simple"
version: "4.0.0"
verify: true
username: ~
password: ~
collabora:
# renovate:
# registryUrl=https://collaboraonline.github.io/online
# packageName=collabora-online
# dataSource=helm
# dependencyType=vendor
registry: "https://collaboraonline.github.io"
repository: "online"
name: "collabora-online"
version: "1.0.2"
username: ~
password: ~
cryptpad:
# renovate:
# registryUrl=https://cryptpad.github.io/helm
# packageName=cryptpad
# dataSource=helm
# dependencyType=vendor
registry: "https://cryptpad.github.io"
repository: "helm"
name: "cryptpad"
version: "0.0.14"
username: ~
password: ~
dovecot:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/dovecot/dovecot
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/dovecot"
name: "dovecot"
version: "1.3.6"
verify: true
username: ~
password: ~
element:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-element
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-element"
version: "2.6.0"
verify: true
username: ~
password: ~
elementWellKnown:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-well-known
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-well-known"
version: "2.6.0"
verify: true
username: ~
password: ~
intercomService:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/intercom-service/intercom-service
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/intercom-service"
name: "intercom-service"
version: "2.0.1"
verify: true
username: ~
password: ~
istioResources:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/istio-ressources/istio-gateway
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/istio-ressources"
name: "istio-gateway"
version: "2.0.0"
verify: true
username: ~
password: ~
jitsi:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-jitsi/sovereign-workplace-jitsi
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi"
name: "sovereign-workplace-jitsi"
version: "1.7.2"
verify: true
username: ~
password: ~
keycloak:
# renovate:
# registryUrl=https://registry-1.docker.io
# packageName=bitnamicharts/keycloak
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "keycloak"
version: "12.1.5"
verify: true
username: ~
password: ~
keycloakBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap"
name: "sovereign-workplace-keycloak-bootstrap"
version: "1.1.12"
verify: true
username: ~
password: ~
keycloakExtensions:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable
# packageName=keycloak-extensions
# dataSource=helm
# dependencyType=vendor
registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/77/packages/helm/stable"
name: "keycloak-extensions"
version: "0.1.0"
username: ~
password: ~
keycloakTheme:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/keycloak-theme/opendesk-keycloak-theme
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/keycloak-theme"
name: "opendesk-keycloak-theme"
version: "2.0.0"
verify: true
username: ~
password: ~
mariadb:
# renovate:
# registryUrl=https://registry.opencode.de
# packageName=bmi/opendesk/components/charts/opendesk-mariadb/mariadb
# dataSource=docker
# dependencyType=service
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/charts/opendesk-mariadb"
name: "mariadb"
version: "2.2.0"
verify: true
username: ~
password: ~
matrixNeoboardWidget:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neoboard-widget
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neoboard-widget"
version: "3.3.0"
verify: true
username: ~
password: ~
matrixNeochoiseWidget:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neochoice-widget
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neochoice-widget"
version: "3.3.0"
verify: true
username: ~
password: ~
matrixNeodatefixBot:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-bot
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neodatefix-bot"
version: "3.3.0"
verify: true
username: ~
password: ~
matrixNeodatefixWidget:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-widget
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
name: "matrix-neodatefix-widget"
version: "3.3.0"
verify: true
username: ~
password: ~
matrixUserVerificationService:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-matrix-user-verification-service
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-matrix-user-verification-service"
version: "2.6.0"
verify: true
username: ~
password: ~
memcached:
# renovate:
# registryUrl=https://registry-1.docker.io
# packageName=bitnamicharts/memcached
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "memcached"
version: "6.6.2"
verify: true
username: ~
password: ~
minio:
# renovate:
# registryUrl=https://registry-1.docker.io
# packageName=bitnamicharts/minio
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "minio"
version: "12.8.19"
verify: true
username: ~
password: ~
nextcloud:
# renovate:
# registryUrl=https://nextcloud.github.io/helm
# packageName=nextcloud
# dataSource=helm
# dependencyType=vendor
registry: "https://nextcloud.github.io"
repository: "helm"
name: "nextcloud"
version: "3.5.19"
username: ~
password: ~
nextcloudBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap/opendesk-nextcloud-bootstrap
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap"
name: "opendesk-nextcloud-bootstrap"
version: "3.2.6"
verify: true
username: ~
password: ~
nginx:
# renovate:
# registryUrl=https://registry-1.docker.io
# packageName=bitnamicharts/nginx
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "nginx"
version: "15.3.5"
verify: true
username: ~
password: ~
openproject:
# renovate:
# registryUrl=https://ghcr.io
# packageName=opf/helm-charts/openproject
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/opf/helm-charts"
name: "openproject"
version: "3.0.2"
verify: true
username: ~
password: ~
openprojectBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap"
name: "opendesk-openproject-bootstrap"
version: "1.2.1"
verify: true
username: ~
password: ~
openXchangeAppSuite:
# renovate:
# registryUrl=https://registry.open-xchange.com
# packageName=appsuite-public-sector/charts/appsuite-public-sector
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/appsuite-public-sector/charts"
name: "appsuite-public-sector"
version: "2.2.34"
username: ~
password: ~
openXchangeAppSuiteBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap"
name: "sovereign-workplace-open-xchange-bootstrap"
version: "1.3.1"
verify: true
username: ~
password: ~
otterize:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/opendesk-otterize/opendesk-otterize
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/opendesk-otterize"
name: "opendesk-otterize"
version: "1.1.5"
verify: true
username: ~
password: ~
oxConnector:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable
# packageName=ox-connector
# dataSource=helm
# dependencyType=vendor
registry: "https://gitlab.souvap-univention.de"
repository: "api/v4/projects/128/packages/helm/stable"
name: "ox-connector"
version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
username: ~
password: ~
postfix:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/postfix/postfix
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/postfix"
name: "postfix"
version: "2.0.4"
verify: true
username: ~
password: ~
postgresql:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/postgresql/postgresql
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/postgresql"
name: "postgresql"
version: "2.0.3"
verify: true
username: ~
password: ~
redis:
# renovate:
# registryUrl=https://registry-1.docker.io
# packageName=bitnamicharts/redis
# dataSource=docker
# dependencyType=service
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
name: "redis"
version: "18.1.2"
verify: true
username: ~
password: ~
synapse:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse"
version: "2.6.0"
verify: true
username: ~
password: ~
synapseCreateAccount:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-create-account
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse-create-account"
version: "2.6.0"
verify: true
username: ~
password: ~
synapseWeb:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-web
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
name: "opendesk-synapse-web"
version: "2.6.0"
verify: true
username: ~
password: ~
umsLdapNotifier:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=ldap-notifier
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "ldap-notifier"
version: "0.7.0"
username: ~
password: ~
umsLdapServer:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=ldap-server
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "ldap-server"
version: "0.7.0"
username: ~
password: ~
umsNotificationsApi:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=notifications-api
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "notifications-api"
version: "0.9.1"
username: ~
password: ~
umsPortalFrontend:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=portal-frontend
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "portal-frontend"
version: "0.9.1"
username: ~
password: ~
umsPortalListener:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=portal-listener
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "portal-listener"
version: "0.9.1"
username: ~
password: ~
umsPortalServer:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=portal-server
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "portal-server"
version: "0.9.1"
username: ~
password: ~
umsSelfserviceListener:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-server
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "selfservice-listener"
version: "0.2.0"
username: ~
password: ~
umsStackDataSwp:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=stack-data-swp
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "stack-data-swp"
version: "0.39.3"
username: ~
password: ~
umsStackDataUms:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=stack-data-ums
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "stack-data-ums"
version: "0.39.3"
username: ~
password: ~
umsStoreDav:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=store-dav
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "store-dav"
version: "0.9.1"
username: ~
password: ~
umsUdmRestApi:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=udm-rest-api
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "udm-rest-api"
version: "0.4.1"
username: ~
password: ~
umsUmcGateway:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-gateway
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "umc-gateway"
version: "0.6.2"
username: ~
password: ~
umsUmcServer:
# renovate:
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
# packageName=umc-server
# dataSource=helm
# dependencyType=vendor
registry: "gitlab.souvap-univention.de"
repository: "api/v4/projects/155/packages/helm/stable"
name: "umc-server"
version: "0.6.2"
username: ~
password: ~
univentionCorporateServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/univention-corporate-container/univention-corporate-container
# dataSource=docker
# dependencyType=vendor
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/univention-corporate-container"
name: "univention-corporate-container"
version: "1.0.10"
verify: true
username: ~
password: ~
xwiki:
# renovate:
# registryUrl=https://xwiki-contrib.github.io/xwiki-helm
# packageName=xwiki
# dataSource=helm
# dependencyType=vendor
registry: "https://xwiki-contrib.github.io"
repository: "xwiki-helm"
name: "xwiki"
version: "1.2.3"
verify: true
username: ~
password: ~
...

12
helmfile/environments/default/database.yaml
View File

@@ -36,6 +36,18 @@ databases:
username: "matrix_user"
password: ""
port: 5432
umsNotificationsApi:
name: "notificationsapi"
host: "postgresql"
port: 5432
username: "notificationsapi_user"
password: ""
umsSelfservice:
name: "selfservice"
host: "postgresql"
port: 5432
username: "selfservice_user"
password: ""
xwiki:
name: "xwiki"
host: "mariadb"

283
helmfile/environments/default/images.yaml
View File

@@ -3,298 +3,523 @@
---
images:
clamd:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "clamav/clamav"
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
# @supplier: "openDesk DevSecOps"
collabora:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/collabora"
tag: "23.05.5.4.1@sha256:ff48ec379f0d63e50b7714d1fa0f8f8de4247595dfa78754c44786a79c4968e4"
# @supplier: "Collabora"
cryptpad:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "cryptpad/cryptpad"
tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
# @supplier: "XWiki"
dovecot:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/dovecot-public-sector"
tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
# @supplier: "Open-Xchange"
element:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/element-web"
tag: "1.6.0@sha256:a71cbd75ee88471e3df59f26a2a37b9b8ff83d2f71f726053acd381ecd87e234"
tag: "1.7.0@sha256:b8b59aff8ed3eb07dc22cec123a2d04acaf435f5637148698183773a695444c2"
# @supplier: "Element"
freshclam:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "clamav/clamav"
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
# @supplier: "openDesk DevSecOps"
icap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=service
repository: "souvap/tooling/images/c-icap"
tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
# @supplier: "openDesk DevSecOps"
intercom:
# renovate:
# registryUrl=https://quay.io
# dependencyType=vendor
repository: "univention/intercom-service"
tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
# @supplier: "Univention"
jibri:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "jitsi/jibri"
tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
# @supplier: "Nordeck"
jicofo:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "jitsi/jicofo"
tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
# @supplier: "Nordeck"
jitsi:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "jitsi/web"
tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
# @supplier: "Nordeck"
jitsiKeycloakAdapter:
# renovate:
# registryUrl=https://ghcr.io
# dependencyType=vendor
repository: "nordeck/jitsi-keycloak-adapter"
tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
# @supplier: "Nordeck"
jitsiPatchJVB:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "bitnami/kubectl"
tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
# @supplier: "Nordeck"
jvb:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "jitsi/jvb"
tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
# @supplier: "Nordeck"
keycloak:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "bitnami/keycloak"
tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
# @supplier: "Univention"
keycloakUnivention:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/keycloak-app-on-use-base-manpub-tr"
tag: "latest"
# @supplier: "Univention"
keycloakBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=service
repository: "souvap/tooling/images/ansible"
tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
# @supplier: "openDesk DevSecOps"
keycloakExtensionHandler:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
# @supplier: "Univention"
keycloakExtensionProxy:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
# @supplier: "Univention"
mariadb:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "mariadb"
# For upgrades at least confirm compatibility of target version with OX (regarding AS Guard)
tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
# @supplier: "openDesk DevSecOps"
matrixNeoBoardWidget:
# renovate:
# registryUrl=https://ghcr.io
# dependencyType=vendor
repository: "nordeck/matrix-neoboard-widget"
tag: "1.0.0@sha256:584b9c18ea3dfd4b7f1e73f3e114bc1dcd5731b400a8d037576bf2a797c8b086"
tag: "1.4.0@sha256:da04d6c3c3e07ec1fcb6ecec245adc48897f107a2ab84c39d8924de951744d9f"
# @supplier: "Nordeck"
matrixNeoChoiceWidget:
# renovate:
# registryUrl=https://ghcr.io
# dependencyType=vendor
repository: "nordeck/matrix-poll-widget"
tag: "1.3.0@sha256:19d2c8c7a15fe7d12c4a83a89310831da12323fd45ff0280cce808f1be0c7e0b"
tag: "1.3.1@sha256:ba7a0bcbcf278df523cef8d230dc44f31ef86f8aefe6dbea7d832b7234ff5c7a"
# @supplier: "Nordeck"
matrixNeoDateFixBot:
# renovate:
# registryUrl=https://ghcr.io
# dependencyType=vendor
repository: "nordeck/matrix-meetings-bot"
tag: "2.4.2@sha256:f5b3362560255470076f3e6c95a0dd93a8f781398afb992c1e1212764fa87297"
tag: "2.5.0@sha256:6ea92f7e48cd71ce2c552cb5222a1d4b3696136e61045bce8456bc52ce02b9c8"
# @supplier: "Nordeck"
matrixNeoDateFixWidget:
# renovate:
# registryUrl=https://ghcr.io
# dependencyType=vendor
repository: "nordeck/matrix-meetings-widget"
tag: "1.5.3@sha256:918b1eb28cefb08bfdaae57607f0889b454111f2ba80b5ec9bb3c750f8599913"
# @supplier: "Nordeck"
matrixUserVerificationService:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "matrixdotorg/matrix-user-verification-service"
tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
# @supplier: "Element"
memcached:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "bitnami/memcached"
tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
# @supplier: "openDesk DevSecOps"
milter:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "clamav/clamav"
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
# @supplier: "openDesk DevSecOps"
minio:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "bitnami/minio"
tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
# @supplier: "openDesk DevSecOps"
nextcloud:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "nextcloud"
tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
tag: "27.1.4-apache@sha256:bd277bec9a8cf7cc009865e15410c05e0f66ccb6269ed96841cc95dd37c214fe"
# @supplier: "Nextcloud Community"
nextcloudExporter:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "xperimental/nextcloud-exporter"
tag: "0.6.2@sha256:4ef2555e74ad1dd1b7b7b0680ce85f2b9333f2c2301756582ff04ae97adf796f"
# @supplier: "openDesk DevSecOps"
openproject:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "openproject/open_desk"
tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
tag: "release-13.1@sha256:b1e6d55d913bb2dfc34caae364c54ff524c0676a74da1c036d0e64557ef42795"
# @supplier: "OpenProject"
openprojectInitDb:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "postgres"
tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
# @supplier: "OpenProject"
openprojectBootstrap:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=service
repository: "souvap/tooling/images/opendesk-openproject-bootstrap"
tag: "1.1.1@sha256:09da76a9b645b3dbe5c181061f7829f82f239e7d17f7e115218a32870f7a955e"
# @supplier: "openDesk DevSecOps"
openxchangeBootstrap:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "alpine/k8s"
tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
# @supplier: "Open-Xchange"
openxchangeCoreGuidedtours:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/core-guidedtours"
tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
# @supplier: "Open-Xchange"
openxchangeCoreMW:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/middleware-public-sector"
tag: "8.19.33@sha256:369c44369d727e4172f10c25137dbb00d936d20dd844cdca3a34f7f31273ea05"
tag: "8.20.51@sha256:4a9cc9d6745b09a9ace2475fbbacfeff2ca66db02b6314eb8e035f28e28574a8"
# @supplier: "Open-Xchange"
openxchangeCoreUI:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/core-ui"
tag: "8.19.0@sha256:7fdd73f78fd7094f2968f6fcaaae175e60824f9ef68f9e7e70418de6a2b623e9"
tag: "8.20.1@sha256:a8bdf83b1179ca9126bcd4e5301b818aafec5e8ac6ff25914603d74a137b65dc"
# @supplier: "Open-Xchange"
openxchangeCoreUIMiddleware:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/core-ui-middleware"
tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
# @supplier: "Open-Xchange"
openxchangeCoreUserGuide:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/core-user-guide"
tag: "8.19.771856@sha256:e00ed8f94c3c42cd288dd03f7fb18d228eb516b5e5ebd318825289b1c4ed17ab"
tag: "8.20.799279@sha256:075c917a7e5ebfe57c07c3c21485ee672554616252d5c57f829f443ca987e75b"
# @supplier: "Open-Xchange"
openxchangeDocumentConverter:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/documentconverter"
tag: "8.19.32@sha256:82354e858b6aeeae7f0ebaf66ad106f8e9ae46e605e97bb1d2d14e6ce1c3d708"
tag: "8.20.50@sha256:bd11b4e5a62377aab79ebc0ebbe8da0bf54d42ce9a8ae64db0c84608570edf9f"
# @supplier: "Open-Xchange"
openxchangeGotenberg:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/3rdparty/gotenberg"
tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
# @supplier: "Open-Xchange"
openxchangeGuardUI:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/guard-ui"
tag: "4.0.7@sha256:8c9fa5d6aed055c0e84042ab28b3f0e9add94390362266ad440da4f90b8c93a8"
# @supplier: "Open-Xchange"
openxchangeImageConverter:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/imageconverter"
tag: "8.19.33@sha256:9543c1409a129567bd6e4a657a353819842a4b1e1807ab86a1ea2e7f73f8c18e"
tag: "8.20.50@sha256:590a8a4c583057f6bb071247c2f8b8566c79d5d219482dcaa452b30c944c876b"
# @supplier: "Open-Xchange"
openxchangeNextcloudIntegrationUI:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/nextcloud-integration-ui"
tag: "1.1.0@sha256:82cecb5adac63806ab41546e6b49090a93a5f4645750bb3967d87585b60df2e1"
tag: "1.2.0@sha256:3d0ef11196f7544a01539e6790e4402ad69e2a501312eb7c7bb128c6563d0a8d"
# @supplier: "Open-Xchange"
openxchangePublicSectorUI:
# renovate:
# registryUrl=https://registry.open-xchange.com
# dependencyType=vendor
repository: "appsuite-public-sector/public-sector-ui"
tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
tag: "2.2.0@sha256:3f8c62c139c27569e6b7d38321268e7cc291caa4ea1ea03180c8ce5499edd6d5"
# @supplier: "Open-Xchange"
oxConnector:
# @supplier: "Univention"
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
tag: "branch-jconde-listener-entrypoint-chaining\
@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
tag: "0.3.4@sha256:db95466170613db46222e63aa0f69de9e60d08c6a409e27905ce5389e4b19074"
# @supplier: "Univention"
postfix:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=service
repository: "souvap/tooling/images/postfix"
tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
# @supplier: "openDesk DevSecOps"
postgresql:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "postgres"
tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
# @supplier: "openDesk DevSecOps"
prosody:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "jitsi/prosody"
tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
# @supplier: "Nordeck"
redis:
# renovate:
# registryUrl=https://docker.io
# dependencyType=service
repository: "bitnami/redis"
tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
# @supplier: "openDesk DevSecOps"
synapse:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "matrixdotorg/synapse"
tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
# @supplier: "Element"
synapseCreateUser:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "alpine/k8s"
tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
# @supplier: "Nordeck"
synapseGuestModule:
# renovate:
# registryUrl=https://ghcr.io
# dependencyType=vendor
repository: "nordeck/synapse-guest-module"
tag: "1.0.0@sha256:e9c736d84a77df93b2dbe3e3afa7b0ca3efcbc4457677adaac5df3cc79a85923"
# @supplier: "Nordeck"
synapseWeb:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "rapidfort/haproxy-official"
tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
# @supplier: "Element"
univentionCorporateServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
# @supplier: "Univention"
umsConfigHtpasswd:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/config-htpasswd"
tag: "0.5.2@sha256:b63887af87ed4c496688d422a8881e806de4a2364eb07c7e24bb1635b539e7f3"
tag: "0.9.1@sha256:5694da729235371d93b1c7f14c00720657b34d6425f232426a1848b69f97ab15"
# @supplier: "Univention"
umsDataLoader:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/data-loader"
tag: "0.33.0@sha256:2e9baf28cfe3eb6c740ce604d60ebc1ee6b3e0e2e8741730716a1c7375046039"
tag: "0.39.3@sha256:f2968f98cf4f7cb4fd44339422c2d06ee590c61780ea88728af685719b497a9f"
# @supplier: "Univention"
umsLdapNotifier:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/ldap-notifier"
tag: "0.7.0@sha256:c5bd680dc85990aec2c3dde14f8e6b72f5a5d2d3c648bc434c57117836464faf"
tag: "0.7.0@sha256:ae9acf8f1a5e28645edea62a25040b6dd77bb1c8773964f0cb0e885397586bbe"
# @supplier: "Univention"
umsLdapServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/ldap-server"
tag: "0.7.0@sha256:a87b615fc97c574316f41e1e6dc9bef41d80583ba450aece9d9830bab4d5a09a"
tag: "0.7.0@sha256:a637f8d11c3a17d18b8f4dfce252fd55150188ea16ed3b1605a779b7ff535f3e"
# @supplier: "Univention"
umsNotificationsApi:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/notifications-api"
tag: "0.4.4@sha256:630905fd503ea5f4b17ccd4adccd68c20b85405a7372e7c71ac2c88aa6e1e47c"
tag: "0.9.1@sha256:86f86119292ccda53d77db010ceac9217a2552145fad8d20e876002f74c3a187"
# @supplier: "Univention"
umsPortalListener:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/portal-listener"
tag: "0.4.4@sha256:689065bad9ab735be1cfd12e519934616e8c049afee4f78c46b630ab7c1a7aef"
tag: "0.9.1@sha256:615a587717934153179c138d3598841922e3a658e5e891347f21ecbe5c8387ae"
# @supplier: "Univention"
umsPortalFrontend:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/portal-frontend"
tag: "0.4.4@sha256:b8955718ad4d2c973b4c1ee80867ac47c2d90e422234c7a2401b13ed606fd4d4"
tag: "0.9.1@sha256:c0984b246692d58b3fbecac487d3737e9b4f62181666f1abfa2401d1a3a72267"
# @supplier: "Univention"
umsPortalServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/portal-server"
tag: "0.4.4@sha256:21d279ede3a7cbdaf3a5c4e83375bb389785db4f2569cfaf8362896a9b30e287"
tag: "0.9.1@sha256:f608986d8b072a143260531b6e3fcb08d18c88bc444b968c0713737769fd1292"
# @supplier: "Univention"
umsWaitForDependency:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/wait-for-dependency"
tag: "0.4.3@sha256:ff4b7f762860baa1415cfe9a24131cb28c2660a14058ca8a1e7a697468f72d69"
tag: "0.9.1@sha256:22e57dca261dad12e046a827914bb888f49fd6bb61f50ad5023b53dade4eda33"
# @supplier: "Univention"
umsStoreDav:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/store-dav"
tag: "0.5.2@sha256:a3cbb1df2024edf58aea029a280f660bcd2fb8e684eed638901f5d7cbf9db467"
tag: "0.9.1@sha256:82b6b5e7c20793b2a6000a1ceddd3e4b3d085bf75999e9ff9814e7224d1de629"
# @supplier: "Univention"
umsUdmRestApi:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/udm-rest-api"
tag: "0.3.5@sha256:1a434f9d5e4d15217d011c13d9f1694e8a12291e09a6d0802c1158f7e2c5e035"
tag: "0.4.1@sha256:4b264251e9e1f2933be86051964d6113011379af107cc95dca53c1eff4c1e709"
# @supplier: "Univention"
umsUmcGateway:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/umc-gateway"
tag: "0.5.1@sha256:9937efd54020e0782a26a1670d0cb8b29edbc802b1fd9eed5e308a594d4ce010"
tag: "0.6.2@sha256:326ced2ffd5cffa7591f23f5b0e2fe313a5aa0984d1537c3464df042d93b341c"
# @supplier: "Univention"
umsUmcServer:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/umc-server"
tag: "0.5.1@sha256:cfb626f8d0a949ce0ed36d7e01791006eae24d984573dfa3ed3f031808437da3"
tag: "0.6.2@sha256:e2694fbc1b8f3027ae48f329e034431e06648028ca9c928b464db66a9fd080fb"
# @supplier: "Univention"
umsSelfserviceListener:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/selfservice-listener"
tag: "0.3.0@sha256:919c4cbef3c4920fe661f5d69de7258135096b673a26370a0cbd98d244a20752"
# @supplier: "Univention"
umsSelfserviceInvitation:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# dependencyType=vendor
# This is a preview and not part of the standard deployment.
repository: "souvap/tooling/images/univention/selfservice-invitation"
tag: "0.3.0@sha256:225ce06e2859586d4c0fa1933d687df370d170b71b62cfd1e46992b44e880b08"
# @supplier: "Univention"
wellKnown:
# renovate:
# registryUrl=https://docker.io
# dependencyType=vendor
repository: "library/nginx"
tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
# @supplier: "Element"
xwiki:
# renovate:
# registryUrl=https://git.xwikisas.com:5050
# dependencyType=vendor
repository: "xwikisas/swp/xwiki"
tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
# @supplier: "XWiki"

16
helmfile/environments/default/objectstore.gotmpl Normal file
View File

@@ -0,0 +1,16 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
objectstores:
openproject:
backend: "minio"
bucket: "openproject"
endpoint: ""
provider: "AWS"
region: ""
secret: ""
username: "openproject_user"
useIAMProfile: ""
...

1
helmfile/environments/default/persistence.yaml
View File

@@ -24,6 +24,7 @@ persistence:
ldapServerData: "1Gi"
ldapServerShared: "1Gi"
portalListener: "1Gi"
selfserviceListener: "1Gi"
storeDav: "1Gi"
xwiki: "1Gi"
...

358
helmfile/environments/default/resources.yaml
View File

@@ -1,362 +1,470 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# Some charts do not support null or ~ values, because they use their default values.
# To not limit the CPU, we set all CPU limits to 99.
resources:
clamd:
limits:
cpu: 4
cpu: 99
memory: "4Gi"
requests:
cpu: 0.1
memory: "2Gi"
memory: "1.5Gi"
collabora:
limits:
cpu: 4
cpu: 99
memory: "4Gi"
requests:
cpu: 0.5
memory: "1Gi"
memory: "512Mi"
cryptpad:
limits:
cpu: 2
cpu: 99
memory: "2Gi"
requests:
cpu: 0.1
memory: "512Mi"
dovecot:
limits:
cpu: 0.5
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "32Mi"
element:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "32Mi"
freshclam:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "96Mi"
icap:
limits:
cpu: 2
cpu: 99
memory: "128Mi"
requests:
cpu: 0.1
memory: "16Mi"
intercomService:
limits:
cpu: 99
memory: "128Mi"
requests:
cpu: 0.1
memory: "64Mi"
jibri:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "768Mi"
requests:
cpu: 0.1
memory: "125Mi"
memory: "384Mi"
jicofo:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "256Mi"
jitsi:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "32Mi"
jitsiKeycloakAdapter:
limits:
cpu: "100m"
cpu: 99
memory: "128Mi"
requests:
cpu: "10m"
memory: "16Mi"
memory: "48Mi"
jvb:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "768Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "384Mi"
keycloak:
limits:
cpu: 2
cpu: 99
memory: "2Gi"
requests:
cpu: 0.1
memory: "750Mi"
memory: "512Mi"
keycloakExtension:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "48Mi"
keycloakBootstrap:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
keycloakProxy:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "48Mi"
mariadb:
limits:
cpu: 2
cpu: 99
memory: "2Gi"
requests:
cpu: 0.1
memory: "500Mi"
memory: "384Mi"
matrixNeoBoardWidget:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "128Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "48Mi"
matrixNeoChoiceWidget:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "48Mi"
matrixNeoDateFixBot:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "128Mi"
matrixNeoDateFixWidget:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "48Mi"
matrixUserVerificationService:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "128Mi"
memcached:
limits:
cpu: 1
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "32Mi"
milter:
limits:
cpu: 4
memory: "4Gi"
cpu: 99
memory: "96Mi"
requests:
cpu: 0.1
memory: "2Gi"
memory: "16Mi"
minio:
limits:
cpu: 2
memory: "4Gi"
cpu: 99
memory: "2Gi"
requests:
cpu: 0.25
memory: "1Gi"
memory: "256Mi"
nextcloud:
limits:
cpu: 2
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "500Mi"
memory: "512Mi"
nextcloudMetrics:
limits:
cpu: 99
memory: "128Mi"
requests:
cpu: 0.1
memory: "32Mi"
openproject:
limits:
cpu: 2
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
oxConnector:
memory: "768Mi"
openxchangeCoreDocumentConverter:
limits:
cpu: 2
memory: "2Gi"
requests:
cpu: 0.1
memory: "250Mi"
oxDocumentConverter:
limits:
cpu: 2
cpu: 99
memory: "2Gi"
requests:
cpu: 0.25
memory: "1Gi"
memory: "1.25Gi"
openxchangeCoreGuidedtours:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.01
memory: "32Mi"
openxchangeCoreImageConverter:
limits:
cpu: 99
memory: "2Gi"
requests:
cpu: 0.5
memory: "1.25Gi"
openxchangeCoreMW:
limits:
cpu: 99
memory: "8Gi"
requests:
cpu: 1
memory: "1.25Gi"
openxchangeCoreUI:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.01
memory: "32Mi"
openxchangeCoreUIMiddleware:
limits:
cpu: 99
memory: "768Mi"
requests:
cpu: 0.5
memory: "192Mi"
openxchangeCoreUIMiddlewareUpdater:
limits:
cpu: 99
memory: "768Mi"
requests:
cpu: 0.5
memory: "192Mi"
openxchangeCoreUserGuide:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.02
memory: "32Mi"
openxchangeGotenberg:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.05
memory: "32Mi"
openxchangeGuardUI:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.01
memory: "32Mi"
openxchangeNextcloudIntegrationUI:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.01
memory: "32Mi"
openxchangePublicSectorUI:
limits:
cpu: 99
memory: "96Mi"
requests:
cpu: 0.01
memory: "32Mi"
oxConnector:
limits:
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "64Mi"
postfix:
limits:
cpu: 0.5
memory: "250Mi"
cpu: 99
memory: "128Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "16Mi"
postgresql:
limits:
cpu: 2
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
prosody:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "512Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "32Mi"
redis:
limits:
cpu: 1
memory: "500Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "100Mi"
memory: "32Mi"
synapse:
limits:
cpu: 4
cpu: 99
memory: "4Gi"
requests:
cpu: 1
memory: "2Gi"
memory: "256Mi"
synapseWeb:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "64Mi"
univentionCorporateServer:
limits:
cpu: 2
cpu: 99
memory: "4Gi"
requests:
cpu: 0.5
memory: "1Gi"
umsLdapNotifier:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsLdapServer:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsNotificationsApi:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsPortalFrontend:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsPortalListener:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsPortalListenerDependencies:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsPortalServer:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsSelfserviceListener:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsSelfserviceListenerDependencies:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsStackDataUms:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsStackDataSwp:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsStoreDav:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsUdmRestApi:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsUmcGateway:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
umsUmcServer:
limits:
cpu: 1
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "250Mi"
memory: "256Mi"
wellKnown:
limits:
cpu: 1
memory: "250Mi"
cpu: 99
memory: "256Mi"
requests:
cpu: 0.1
memory: "50Mi"
memory: "32Mi"
xwiki:
limits:
cpu: 2
cpu: 99
memory: "8Gi"
requests:
cpu: 0.1
memory: "6Gi"
memory: "1.5Gi"
...

3
helmfile/environments/default/secrets.gotmpl
View File

@@ -38,7 +38,8 @@ secrets:
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
mariadb:
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}

10
helmfile/environments/default/security.yaml Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
security:
otterizeIntents:
enabled: false
clusterPostfix:
enabled: false
namespace: ""
...

BIN
helmfile/files/gpg-pubkeys/opencode.gpg Normal file
View File

Binary file not shown.

2
helmfile/files/gpg-pubkeys/opencode.gpg.license Normal file
View File

@@ -0,0 +1,2 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0

BIN
helmfile/files/gpg-pubkeys/openproject-com.gpg Normal file
View File

Binary file not shown.

2
helmfile/files/gpg-pubkeys/openproject-com.gpg.license Normal file
View File

@@ -0,0 +1,2 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0