sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 23:41:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.5.47
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
..
compare: sheppy:v0.5.72
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

77 Commits
v0.5.47 ... v0.5.72

Author SHA1 Message Date
opendesk
ecf0ac77f2 chore(release): 0.5.72 [skip ci] 
## [0.5.72](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.71...v0.5.72) (2023-12-18)

### Bug Fixes

* **collabora:** Update image to 23.05.6.3.1 ([8c378c6](8c378c6f91))
* **docs:** Update scaling.md ([d342efe](d342efe9a9))
* **open-xchange:** Update Helm chart removing yaml templating doublettes ([c21dd46](c21dd46289))
 2023-12-18 15:24:27 +00:00
Thorsten Roßner
d342efe9a9 fix(docs): Update scaling.md 2023-12-18 10:50:06 +00:00
Thorsten Roßner
c21dd46289 fix(open-xchange): Update Helm chart removing yaml templating doublettes 2023-12-18 10:50:06 +00:00
Thorsten Roßner
8c378c6f91 fix(collabora): Update image to 23.05.6.3.1 2023-12-17 22:43:54 +01:00
opendesk
597842a871 chore(release): 0.5.71 [skip ci] 
## [0.5.71](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.70...v0.5.71) (2023-12-15)

### Bug Fixes

* **docs:** Security.md ([36bbbae](36bbbae579))
* **univention-management-stack:** Switch to Univention Keycloak ([902076c](902076c629))
 2023-12-15 17:19:19 +00:00
Thorsten Roßner
36bbbae579 fix(docs): Security.md 2023-12-15 10:01:13 +01:00
Thorsten Roßner
902076c629 fix(univention-management-stack): Switch to Univention Keycloak 2023-12-15 08:38:46 +01:00
opendesk
1b9f394489 chore(release): 0.5.70 [skip ci] 
## [0.5.70](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.69...v0.5.70) (2023-12-14)

### Bug Fixes

* **univention-management-stack:** Remove UCS container monolith and make UMS standard IAM ([450c434](450c434ed0))
 2023-12-14 07:12:00 +00:00
merge-request-bot
450c434ed0 fix(univention-management-stack): Remove UCS container monolith and make UMS standard IAM 2023-12-14 07:10:12 +00:00
opendesk
4b6a20faa4 chore(release): 0.5.69 [skip ci] 
## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)

### Bug Fixes

* **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](ce38714a81))
 2023-12-12 21:01:26 +00:00
merge-request-bot
ce38714a81 fix(univention-management-stack): Functional replacement for UCS container monolith, still optional. 2023-12-12 19:31:27 +00:00
opendesk
37f1eb9794 chore(release): 0.5.68 [skip ci] 
## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)

### Bug Fixes

* **jitsi:** Disable IP Blacklist ([6a649cb](6a649cb7f0))
* **open-xchange:** Update to latest version ([db4bfa4](db4bfa4884))
 2023-12-11 18:01:31 +00:00
merge-request-bot
db4bfa4884 fix(open-xchange): Update to latest version 2023-12-11 16:56:36 +00:00
Dominik Kaminski
6a649cb7f0 fix(jitsi): Disable IP Blacklist 2023-12-11 17:00:06 +01:00
opendesk
b6ef559cde chore(release): 0.5.67 [skip ci] 
## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)

### Bug Fixes

* **services:** Use Charts from openCoDE registry ([cc0daa2](cc0daa2a22))
 2023-12-11 13:01:23 +00:00
Dominik Kaminski
cc0daa2a22 fix(services): Use Charts from openCoDE registry 2023-12-10 16:52:53 +01:00
opendesk
c69c62cd45 chore(release): 0.5.66 [skip ci] 
## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)

### Bug Fixes

* **element:** Update Element and Widgets ([6a26299](6a26299a75))
 2023-12-08 22:01:16 +00:00
merge-request-bot
6a26299a75 fix(element): Update Element and Widgets 2023-12-08 20:18:36 +00:00
opendesk
4101e91ae6 chore(release): 0.5.65 [skip ci] 
## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)

### Bug Fixes

* **univention-management-stack:** Bump OX Connector ([83192b7](83192b7834))
 2023-12-08 15:01:16 +00:00
Thorsten Roßner
83192b7834 fix(univention-management-stack): Bump OX Connector 2023-12-07 19:56:18 +01:00
opendesk
3b1091bb3e chore(release): 0.5.64 [skip ci] 
## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)

### Bug Fixes

* **openproject:** Switch to release container and set home url link ([e67ab8f](e67ab8f430))
 2023-12-06 19:01:06 +00:00
merge-request-bot
e67ab8f430 fix(openproject): Switch to release container and set home url link 2023-12-06 17:52:05 +00:00
opendesk
da731e7d5e chore(release): 0.5.63 [skip ci] 
## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)

### Bug Fixes

* **nextcloud:** Remove Talk folder ([0ea5856](0ea585633b))
 2023-12-06 11:13:39 +00:00
merge-request-bot
0ea585633b fix(nextcloud): Remove Talk folder 2023-12-06 11:10:39 +00:00
opendesk
fe40b7cfa1 chore(release): 0.5.62 [skip ci] 
## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)

### Bug Fixes

* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](d04a60349d))
* **univention-management-stack:** Update optional UMS preview state ([94ae3da](94ae3da78b))
 2023-12-06 09:10:05 +00:00
merge-request-bot
d04a60349d fix(nextcloud): Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder 2023-12-06 09:07:44 +00:00
merge-request-bot
94ae3da78b fix(univention-management-stack): Update optional UMS preview state 2023-12-05 20:27:57 +00:00
opendesk
3ca54159f7 chore(release): 0.5.61 [skip ci] 
## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)

### Bug Fixes

* **services:** Fix port declaration for Postfix ([bf5dcda](bf5dcda3b5))
 2023-12-05 15:13:35 +00:00
merge-request-bot
bf5dcda3b5 fix(services): Fix port declaration for Postfix 2023-12-05 15:11:22 +00:00
opendesk
08ca525d3e chore(release): 0.5.60 [skip ci] 
## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)

### Bug Fixes

* **ci:** Ensure release creation with artifacts ([dc7ce0b](dc7ce0bc4b))
 2023-12-05 13:11:56 +00:00
merge-request-bot
dc7ce0bc4b fix(ci): Ensure release creation with artifacts 2023-12-05 13:09:19 +00:00
opendesk
729a1ea849 chore(release): 0.5.59 [skip ci] 
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)

### Bug Fixes

* **helmfile:** Add configurable objectstore ([3b5493d](3b5493d78d))
 2023-12-05 08:36:22 +00:00
Robin Rush
3b5493d78d fix(helmfile): Add configurable objectstore 2023-12-05 09:07:41 +01:00
opendesk
6711791009 chore(release): 0.5.58 [skip ci] 
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)

### Bug Fixes

* **cryptpad:** Add websocket annotation ([c41643e](c41643ee3e))
* **openproject:** Add seederJob intent ([05cc82d](05cc82d7c5))
* **openproject:** Bump to 2.6.2 ([c8bc8b3](c8bc8b3172))
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](24812b667c))
* **services:** Add Otterize based security settings ([bec9a2d](bec9a2d46b))
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](2628a0e13e))
 2023-12-01 20:53:38 +00:00
Dominik Kaminski
c41643ee3e fix(cryptpad): Add websocket annotation 2023-12-01 20:50:08 +00:00
Dominik Kaminski
2628a0e13e fix(univention-management-stack): Add Otterize annotations for jobs 2023-12-01 20:50:08 +00:00
Dominik Kaminski
c8bc8b3172 fix(openproject): Bump to 2.6.2 2023-12-01 20:50:08 +00:00
Dominik Kaminski
24812b667c fix(services): Add NetworkPolicy section to docs/security.md 2023-12-01 20:50:08 +00:00
Dominik Kaminski
bec9a2d46b fix(services): Add Otterize based security settings 2023-12-01 20:50:08 +00:00
Dominik Kaminski
05cc82d7c5 fix(openproject): Add seederJob intent 2023-12-01 20:50:08 +00:00
opendesk
82be996d97 chore(release): 0.5.57 [skip ci] 
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)

### Bug Fixes

* **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](d367739248))
 2023-12-01 20:48:37 +00:00
Martin Müller
d367739248 fix(helmfile): Using correct private registry for postfix helm-chart 2023-12-01 15:20:25 +00:00
opendesk
ef870ae385 chore(release): 0.5.56 [skip ci] 
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)

### Bug Fixes

* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](466e741494))
 2023-11-30 15:33:14 +00:00
merge-request-bot
466e741494 fix(element): Raise treshold for login rate limit to avoid too early barrier hitting normal users 2023-11-30 15:31:25 +00:00
opendesk
00fafb6a1b chore(release): 0.5.55 [skip ci] 
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)

### Bug Fixes

* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](6d3e484855))
 2023-11-30 12:25:14 +00:00
merge-request-bot
6d3e484855 fix(cryptpad): Update Helm chart to enable readiness and liveness probes 2023-11-30 12:23:25 +00:00
opendesk
845a0a3189 chore(release): 0.5.54 [skip ci] 
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)

### Bug Fixes

* **helmfile:** Add and document security context for components ([519db51](519db51be2))
 2023-11-29 19:52:12 +00:00
Thomas Kaltenbrunner
519db51be2 fix(helmfile): Add and document security context for components 2023-11-29 19:50:07 +00:00
opendesk
7ef3a10577 chore(release): 0.5.53 [skip ci] 
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)

### Bug Fixes

* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](7bbab22939))
* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](7a9ecf7b85))
* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](4c52a5aaa8))
* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](a5f263ce48))
* **univention-management-stack:** Apply styling ([b3d45c4](b3d45c45e1))
* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](cbe8fb2d65))
* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](3cf348c7ae))
* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](b3ac0ae6d9))
* **univention-management-stack:** Quote all composed strings ([1c35ca6](1c35ca67ce))
* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](8b6a4b2e88))
* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](0c7a77c4b6))
* **univention-management-stack:** UMC uses external memcached ([211bee9](211bee94bb))
* **univention-management-stack:** Update ums-dependencies ([e0c6c14](e0c6c14dca))
* **univention-management-stack:** Update ums-dependencies ([c246edd](c246edd8f9))
* **univention-management-stack:** Update ums-dependencies ([86b4818](86b48188e1))
* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](c19bca2be0))
 2023-11-29 17:59:12 +00:00
Johannes Bornhold
1c35ca67ce fix(univention-management-stack): Quote all composed strings 2023-11-29 13:41:14 +01:00
Johannes Bornhold
e0c6c14dca fix(univention-management-stack): Update ums-dependencies 2023-11-29 13:40:39 +01:00
Johannes Bornhold
3cf348c7ae fix(univention-management-stack): Document database of UMS Notifications API 2023-11-29 13:40:39 +01:00
Johannes Bornhold
b3d45c45e1 fix(univention-management-stack): Apply styling 2023-11-29 13:40:36 +01:00
Johannes Bornhold
c246edd8f9 fix(univention-management-stack): Update ums-dependencies 2023-11-29 13:39:14 +01:00
Johannes Bornhold
c19bca2be0 fix(univention-management-stack): Use "stack-gateway" in all deployments 2023-11-29 13:39:13 +01:00
Johannes Bornhold
a5f263ce48 fix(univention-management-stack): Add branding related configuration to stack-gateway 2023-11-29 13:37:36 +01:00
Johannes Bornhold
cbe8fb2d65 fix(univention-management-stack): Configure openDesk branding in frontend chart 2023-11-29 13:37:36 +01:00
Johannes Bornhold
8b6a4b2e88 fix(univention-management-stack): Remove frontend-custom 2023-11-29 13:37:33 +01:00
Thomas Kintscher
a61d00482f chore(univention-management-stack): Move static values of stack-data-swp to yaml file 2023-11-29 13:34:53 +01:00
Thomas Kintscher
0c7a77c4b6 fix(univention-management-stack): Set SMTP host for self-service notifications 2023-11-29 13:34:53 +01:00
Thomas Kintscher
211bee94bb fix(univention-management-stack): UMC uses external memcached 2023-11-29 13:34:52 +01:00
Johannes Bornhold
b3ac0ae6d9 fix(univention-management-stack): Move static settings from gotmpl into yaml for umc-gateway 2023-11-29 13:34:52 +01:00
Johannes Bornhold
4c52a5aaa8 fix(univention-management-stack): Add Announcements module into "umc-server" 2023-11-29 13:34:52 +01:00
Johannes Bornhold
7a9ecf7b85 fix(univention-management-stack): Add Announcements icon into "umc-gateway" 2023-11-29 13:34:52 +01:00
Johannes Bornhold
86b48188e1 fix(univention-management-stack): Update ums-dependencies 2023-11-29 13:34:52 +01:00
Johannes Lohmer
7bbab22939 fix(univention-managemen-stack): Integrate Attribute to Group Mapper into the containerized stack 2023-11-29 13:34:51 +01:00
opendesk
1343d6c93e chore(release): 0.5.52 [skip ci] 
## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)

### Bug Fixes

* **ci:** Open automatic MRs for new branches ([735fec3](735fec3b4c))
 2023-11-28 22:44:39 +00:00
Thomas Kaltenbrunner
735fec3b4c fix(ci): Open automatic MRs for new branches 2023-11-28 17:18:12 +01:00
opendesk
21b9d1d024 chore(release): 0.5.51 [skip ci] 
## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)

### Bug Fixes

* **nextcloud:** Bump chart to fix central navigation ([cac6abe](cac6abe251))
* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](6dc92df2eb))
 2023-11-28 15:09:38 +00:00
Oliver Günther
6dc92df2eb fix(openproject): Update container and prepare for OIDC based user admin role setting 2023-11-28 15:07:54 +00:00
Thorsten Rossner
cac6abe251 fix(nextcloud): Bump chart to fix central navigation 2023-11-27 19:17:30 +00:00
opendesk
6c1664fc0d chore(release): 0.5.50 [skip ci] 
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)

### Bug Fixes

* **ci:** Add metadata for renovate processing ([36aa3ed](36aa3ed7c9))
 2023-11-27 14:11:23 +00:00
Robin Rush
36aa3ed7c9 fix(ci): Add metadata for renovate processing 2023-11-27 14:11:43 +01:00
opendesk
23c46e7fe5 chore(release): 0.5.49 [skip ci] 
## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)

### Bug Fixes

* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](efbd814968))
 2023-11-27 09:32:09 +00:00
Thorsten Rossner
efbd814968 fix(nextcloud): Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 2023-11-27 09:30:10 +00:00
opendesk
812eb5a439 chore(release): 0.5.48 [skip ci] 
## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)

### Bug Fixes

* **services:** Update resource requests and remove cpu limits ([f86a74b](f86a74ba10))
 2023-11-24 17:10:40 +00:00
Dominik Kaminski
f86a74ba10 fix(services): Update resource requests and remove cpu limits 2023-11-24 17:06:46 +00:00
118 changed files with 4260 additions and 3404 deletions
Expand all files Collapse all files

122
.gitlab-ci.yml
View File

@@ -5,6 +5,7 @@ include:
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}" - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
ref: "main" ref: "main"
file: file:
- "ci/common/automr.yml"
- "ci/common/lint.yml" - "ci/common/lint.yml"
- "ci/release-automation/semantic-release.yml" - "ci/release-automation/semantic-release.yml"
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}" - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
@@ -14,6 +15,7 @@ include:
stages: stages:
- ".pre" - ".pre"
- "automr"
- "lint" - "lint"
- "env-cleanup" - "env-cleanup"
- "env" - "env"
@@ -54,14 +56,11 @@ variables:
options: options:
- "yes" - "yes"
- "no" - "no"
DEPLOY_UCS: DEPLOY_UMS:
description: >- description: "Enable Univention Management Stack deployment."
Enable Univention Corporate Server deployment.
"ums-eval" does deploy the Univention Management Stack instead of the UCS container.
value: "no" value: "no"
options: options:
- "yes" - "yes"
- "ums-eval"
- "no" - "no"
DEPLOY_PROVISIONING: DEPLOY_PROVISIONING:
description: "Enable Provisioning Components." description: "Enable Provisioning Components."
@@ -87,12 +86,6 @@ variables:
options: options:
- "yes" - "yes"
- "no" - "no"
DEPLOY_KEYCLOAK:
description: "Enable Keycloak deployment."
value: "no"
options:
- "yes"
- "no"
DEPLOY_OX: DEPLOY_OX:
description: "Enable OX AppSuite8 deployment." description: "Enable OX AppSuite8 deployment."
value: "no" value: "no"
@@ -152,7 +145,8 @@ variables:
cache: {} cache: {}
dependencies: [] dependencies: []
extends: ".environments" extends: ".environments"
image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest" image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
@sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
script: script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}" - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -231,18 +225,6 @@ services-deploy:
variables: variables:
COMPONENT: "services" COMPONENT: "services"
ucs-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
when: "always"
variables:
COMPONENT: "univention-corporate-container"
provisioning-deploy: provisioning-deploy:
stage: "component-deploy-stage-2" stage: "component-deploy-stage-2"
extends: ".deploy-common" extends: ".deploy-common"
@@ -250,7 +232,7 @@ provisioning-deploy:
- if: > - if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ && $NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no" || $DEPLOY_PROVISIONING != "no") ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
when: "always" when: "always"
variables: variables:
COMPONENT: "provisioning" COMPONENT: "provisioning"
@@ -262,36 +244,11 @@ ums-deploy:
- if: > - if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ && $NAMESPACE =~ /.+/ &&
$DEPLOY_UCS == "ums-eval" ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
when: "always" when: "always"
variables: variables:
COMPONENT: "univention-management-stack" COMPONENT: "univention-management-stack"
keycloak-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
when: "always"
variables:
COMPONENT: "keycloak"
keycloak-bootstrap-deploy:
stage: "component-deploy-stage-1"
extends: ".deploy-common"
timeout: "30m"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
when: "always"
variables:
COMPONENT: "keycloak-bootstrap"
ox-deploy: ox-deploy:
stage: "component-deploy-stage-1" stage: "component-deploy-stage-1"
extends: ".deploy-common" extends: ".deploy-common"
@@ -432,6 +389,19 @@ env-stop:
variables: variables:
GIT_STRATEGY: "none" GIT_STRATEGY: "none"
.ums-default-password: &ums-default-password
- |
UMS_PASSWORDS=$( \
kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
| yq '.properties.password' > passwords.txt \
)
DEFAULT_USER_PASSWORD=$( \
awk 'NR==1{print $1}' passwords.txt \
)
DEFAULT_ADMIN_PASSWORD=$(
awk 'NR==3{print $1}' passwords.txt \
)
run-tests: run-tests:
extends: ".deploy-common" extends: ".deploy-common"
environment: environment:
@@ -442,24 +412,8 @@ run-tests:
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes" $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
when: "always" when: "always"
script: script:
- *ums-default-password
- | - |
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
curl --request POST \ curl --request POST \
--header "Content-Type: application/json" \ --header "Content-Type: application/json" \
--data "{ \ --data "{ \
@@ -476,12 +430,12 @@ run-tests:
\"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \ \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
\"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \ \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
\"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \ \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
\"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \ \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
\"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \ \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
\"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \ \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
\"DEPLOY_OX\": \"${DEPLOY_OX}\", \ \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
\"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \ \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
\"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \ \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
\"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \ \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
\"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \ \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
} \ } \
@@ -498,24 +452,8 @@ run-souvap-dev-tests:
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes" $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
when: "always" when: "always"
script: script:
- *ums-default-password
- | - |
UCS_CONTAINER_NAME=$( \
kubectl -n ${NAMESPACE} get pods --no-headers --selector \
'app.kubernetes.io/instance=univention-corporate-container' \
| grep Running \
| awk '{print $1}' \
)
DEFAULT_USER_PASSWORD=$( \
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_USER_PASSWORD \
| awk '{print $2}' \
)
DEFAULT_ADMIN_PASSWORD=$(
kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
| grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
| awk '{print $2}' \
)
curl --request POST \ curl --request POST \
--header "Content-Type: application/json" \ --header "Content-Type: application/json" \
--data "{ \ --data "{ \
@@ -568,6 +506,14 @@ generate-release-assets:
image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest" image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
tags: [] tags: []
conventional-commits-linter:
rules:
- if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
common-yaml-linter: common-yaml-linter:
rules: rules:
- if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'" - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -618,4 +564,6 @@ release:
} }
EOF EOF
- "semantic-release" - "semantic-release"
needs:
- "generate-release-assets"
... ...

201
CHANGELOG.md
View File

@@ -1,3 +1,204 @@
## [0.5.72](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.71...v0.5.72) (2023-12-18)
### Bug Fixes
* **collabora:** Update image to 23.05.6.3.1 ([8c378c6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8c378c6f91a88da3b45c209da5360cabfeb911aa))
* **docs:** Update scaling.md ([d342efe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d342efe9a9bbc8f018831e2723e664e5365abba3))
* **open-xchange:** Update Helm chart removing yaml templating doublettes ([c21dd46](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c21dd462895870fd6ba98bbb167ac063e747a501))
## [0.5.71](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.70...v0.5.71) (2023-12-15)
### Bug Fixes
* **docs:** Security.md ([36bbbae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36bbbae57918036f44ddb23e47b550b2f46e5f35))
* **univention-management-stack:** Switch to Univention Keycloak ([902076c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/902076c62909889f8ffcf90328bc06ebb908b9b8))
## [0.5.70](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.69...v0.5.70) (2023-12-14)
### Bug Fixes
* **univention-management-stack:** Remove UCS container monolith and make UMS standard IAM ([450c434](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/450c434ed08120ad0757d672dc269a78362e780d))
## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)
### Bug Fixes
* **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/ce38714a81ea3b0e1377e6ea2d640fb65f317396))
## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)
### Bug Fixes
* **jitsi:** Disable IP Blacklist ([6a649cb](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a649cb7f0d04736ccabcd27c035ef6d051f6fd5))
* **open-xchange:** Update to latest version ([db4bfa4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db4bfa488401f10bad111ce03c20a60473c64837))
## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)
### Bug Fixes
* **services:** Use Charts from openCoDE registry ([cc0daa2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cc0daa2a22837c00583038ffd9df7e669004e84e))
## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)
### Bug Fixes
* **element:** Update Element and Widgets ([6a26299](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a26299a7507ae749ffcf25288d2cf5b24d220db))
## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)
### Bug Fixes
* **univention-management-stack:** Bump OX Connector ([83192b7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/83192b78345c62465e2979195d9a1c882ddbf0ea))
## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
### Bug Fixes
* **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
### Bug Fixes
* **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
### Bug Fixes
* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
* **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
### Bug Fixes
* **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
### Bug Fixes
* **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
### Bug Fixes
* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
### Bug Fixes
* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
### Bug Fixes
* **helmfile:** Using correct private registry for postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
### Bug Fixes
* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
### Bug Fixes
* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
### Bug Fixes
* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
### Bug Fixes
* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7bbab229396075c7d10f94f42bef14551faefe26))
* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a9ecf7b8595edf0949d9c200d01b3409f25b9a7))
* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/4c52a5aaa83ffb6f4c49faa039c94cb1855987bb))
* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a5f263ce489f88b90cf1151de249f36616a51632))
* **univention-management-stack:** Apply styling ([b3d45c4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e))
* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cbe8fb2d65e6ce73f9da95ef9b0ed3ffbb16d367))
* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3cf348c7ae8f438daf3e64addbf839230816f3d2))
* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3ac0ae6d91a058265fcd26c6653bb8a13d3e780))
* **univention-management-stack:** Quote all composed strings ([1c35ca6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c35ca67ce0673e1b2f9a350bd07c82c22a05354))
* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8b6a4b2e88e8be1d299af91ed1ffff4405db88e6))
* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0c7a77c4b6f20c6d83e977dabfc4e555b652f6ac))
* **univention-management-stack:** UMC uses external memcached ([211bee9](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/211bee94bb7675860f867f0335fec9f14fc96875))
* **univention-management-stack:** Update ums-dependencies ([e0c6c14](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e0c6c14dcaefc0755495270bbf45898721e27985))
* **univention-management-stack:** Update ums-dependencies ([c246edd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c246edd8f9753e37bc9c32683faf41f5b46d7675))
* **univention-management-stack:** Update ums-dependencies ([86b4818](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/86b48188e160c1f7d15f2c33f1f3cd0cc0e68bf2))
* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c19bca2be0d14750bbef661e45c5c424f7da8e77))
## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)
### Bug Fixes
* **ci:** Open automatic MRs for new branches ([735fec3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/735fec3b4ccd33ba63e5fa6482526efb6853c64a))
## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)
### Bug Fixes
* **nextcloud:** Bump chart to fix central navigation ([cac6abe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cac6abe2510b6793963633077543684a6a4e7cbc))
* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6dc92df2ebcae435e3b3609cc163dc6c33fb1b83))
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
### Bug Fixes
* **ci:** Add metadata for renovate processing ([36aa3ed](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36aa3ed7c9f9a6d0ffe23dc3ca2174d5f2741dfa))
## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)
### Bug Fixes
* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/efbd81496868c5d4274f09805a1e771f47d548be))
## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)
### Bug Fixes
* **services:** Update resource requests and remove cpu limits ([f86a74b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f86a74ba100c7f08f6538b58a713bbc87c00e814))
## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24) ## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)

9
COMPONENTS-SERVICE.md
View File

@@ -21,7 +21,9 @@ This services is used by:
## Database - PostgreSQL ## Database - PostgreSQL
This services is used by: This services is used by:
- Keycloak - Univention Management Stack
- Self Service
- Keycloak
- OpenProject - OpenProject
## Redis ## Redis
@@ -33,11 +35,12 @@ This service is used by:
## Postfix ## Postfix
This service is used by: This service is used by:
- Keycloak (e.g. new device login notification)
- Nextcloud (e.g. share file notifictions) - Nextcloud (e.g. share file notifictions)
- Open-Xchange (emails) - Open-Xchange (emails)
- OpenProject (general notifications) - OpenProject (general notifications)
- UCS (e.g. password reset emails) - Univention Management Stack
- Self Service (e.g. password reset emails)
- Keycloak (e.g. new device login notification)
- XWiki (e.g. change notifications) - XWiki (e.g. change notifications)
## TURN Server ## TURN Server

4
CONTRIBUTING.md
View File

@@ -52,14 +52,12 @@ Valid commit scopes:
- `collabora` - `collabora`
- `ìntercom-service` - `ìntercom-service`
- `jitsi` - `jitsi`
- `keycloak`
- `keycloak-bootstrap`
- `nextcloud` - `nextcloud`
- `open-xchange` - `open-xchange`
- `openproject` - `openproject`
- `provisioning` - `provisioning`
- `services` - `services`
- `univention-corporate-container` - `univention-management-stack`
- `xwiki` - `xwiki`
## Semantic Release ## Semantic Release

28
README.md
View File

@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior. Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
It features: It features:
- Fully integrated Identity Management (Univention, Keycloak) - Fully integrated Identity Management (Univention)
- File storage (Nextcloud) - File storage (Nextcloud)
- Weboffice (Collabora) - Weboffice (Collabora)
- Videoconference (Jitsi) - Videoconference (Nordeck w/ Jitsi)
- Encrypted Chat (Synapse, Element) - Chat and Collaboration (Element w/ Nordeck)
- Groupware (OX Appsuite) - Groupware (OX Appsuite)
- Wiki (XWiki) - Wiki (XWiki)
- Notes and Diagrams (Cryptpad, Draw.io) - Project Management (OpenProject)
- Notes and Diagrams (Cryptpad)
openDesk integrates these components and is working towards a seamless user experience. openDesk integrates these components and is working towards a seamless user experience.
@@ -40,14 +41,13 @@ Basic knowledge of Kubernetes and Devops is required though.
# Active development notice # Active development notice
openDesk will face breaking changes in the near future without upgrade paths before openDesk will face breaking changes in the near future without upgrade paths before
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases [technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
v1.0.0 is reached. v1.0.0 is reached.
While most components support upgrades, major configuration or component changes may occur, therefore we recommend While most components support upgrades, major configuration or component changes may occur, therefore we recommend
at the moment always installing from scratch. at the moment always installing from scratch.
Components that are going to be replaced soon are: Components that are going to be replaced soon are:
- the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and - the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector. - Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
@@ -67,19 +67,19 @@ If you want to address other topics, please check the section
# Requirements # Requirements
⟶ Visit our detailed [Requirements](docs/requirements.md) overview. ⟶ Visit our detailed [Requirements](./docs/requirements.md) overview.
# Getting started # Getting started
⟶ Visit our detailed [Getting started](docs/getting-started.md) guide. ⟶ Visit our detailed [Getting started](./docs/getting-started.md) guide.
# Advanced customization # Advanced customization
- [External services](docs/external-services.md) - [External services](./docs/external-services.md)
- [Security](docs/security.md) - [Security](./docs/security.md)
- [Scaling](docs/scaling.md) - [Scaling](./docs/scaling.md)
- [Monitoring](docs/monitoring.md) - [Monitoring](./docs/monitoring.md)
- [Theming](docs/theming.md) - [Theming](./docs/theming.md)
# Releases # Releases
@@ -95,7 +95,7 @@ The following release artefacts are provided beside the default source code asse
# Components # Components
⟶ Visit our detailed [Component](docs/getting-started.md) docs. ⟶ Visit our detailed [Component](./docs/components.md) docs.
# License # License

9
docs/ci.md
View File

@@ -7,11 +7,11 @@ SPDX-License-Identifier: Apache-2.0
This page will cover openDesk automation via Gitlab CI. This page will cover openDesk automation via Gitlab CI.
<!-- TOC --> <!-- TOC -->
* [Deployment](#deployment) * [Deployment](#deployment)
* [Tests](#tests) * [Tests](#tests)
<!-- TOC --> <!-- TOC -->
## Deployment # Deployment
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice. The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
@@ -30,8 +30,7 @@ Based on your input, the following variables will be set:
You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`. You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
# Tests
## Tests
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project. The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The `DEPLOY_`-variables are used to determine which components should be tested. The `DEPLOY_`-variables are used to determine which components should be tested.

55
docs/components.md
View File

@@ -7,20 +7,20 @@ SPDX-License-Identifier: Apache-2.0
This section covers the internal system requirements as well as external service requirements for productive use. This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC --> <!-- TOC -->
* [Overview](#overview) * [Overview](#overview)
* [Component integration](#component-integration) * [Component integration](#component-integration)
* [Intercom Service (ICS)](#intercom-service-ics) * [Intercom Service (ICS)](#intercom-service-ics)
* [Filepicker](#filepicker) * [Filepicker](#filepicker)
* [Central Navigation](#central-navigation) * [Central Navigation](#central-navigation)
* [(Read & write) Central contacts](#read--write-central-contacts) * [(Read \& write) Central contacts](#read--write-central-contacts)
* [OpenProject Filestore](#openproject-filestore) * [OpenProject Filestore](#openproject-filestore)
* [Identity data flows](#identity-data-flows) * [Identity data flows](#identity-data-flows)
* [Provisioning](#provisioning) * [Provisioning](#provisioning)
* [Component specific documentation](#component-specific-documentation) * [Component specific documentation](#component-specific-documentation)
* [Links to component docs](#links-to-component-docs) * [Links to component docs](#links-to-component-docs)
<!-- TOC --> <!-- TOC -->
## Overview # Overview
openDesk consists out of a variety of open-source projects. Here is a list with the description and type. openDesk consists out of a variety of open-source projects. Here is a list with the description and type.
@@ -38,7 +38,6 @@ they need to be replaced in production deployments.
| Element | Secure communications platform | Functional | | Element | Secure communications platform | Functional |
| Intercom Service | Cross service data exchange | Functional | | Intercom Service | Cross service data exchange | Functional |
| Jitsi | Videoconferencing | Functional | | Jitsi | Videoconferencing | Functional |
| Keycloak | Identity Provider | Functional |
| MariaDB | Database | Eval | | MariaDB | Database | Eval |
| Memcached | Cache Database | Eval | | Memcached | Cache Database | Eval |
| MinIO | Object Storage | Eval | | MinIO | Object Storage | Eval |
@@ -49,18 +48,17 @@ they need to be replaced in production deployments.
| Postfix | MTA | Eval | | Postfix | MTA | Eval |
| PostgreSQL | Database | Eval | | PostgreSQL | Database | Eval |
| Redis | Cache Database | Eval | | Redis | Cache Database | Eval |
| Univention Corporate Server | Identity Management & Portal | Functional | | Univention Management Stack | Identity Management & Portal | Functional |
| Univention Management Stack | Identity Management & Portal | Eval |
| XWiki | Knowledgebase | Functional | | XWiki | Knowledgebase | Functional |
## Component integration # Component integration
Some use cases require inter component integration. Some use cases require inter component integration.
```mermaid ```mermaid
flowchart TD flowchart TD
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
IntercomService-->|SilentLogin, TokenExchange|Keycloak IntercomService-->|SilentLogin, TokenExchange|IdP
IntercomService-->|Filepicker|Nextcloud IntercomService-->|Filepicker|Nextcloud
IntercomService-->|CentralNavigation|Portal IntercomService-->|CentralNavigation|Portal
OXAppSuiteBackend-->|Filepicker|Nextcloud OXAppSuiteBackend-->|Filepicker|Nextcloud
@@ -71,7 +69,7 @@ flowchart TD
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
``` ```
### Intercom Service (ICS) ## Intercom Service (ICS)
The UCS Intercom Service's role is to enable cross-application integration based on browser interaction. The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
Handling authentication when the frontend of an application is using the API from another application is often a Handling authentication when the frontend of an application is using the API from another application is often a
@@ -84,7 +82,7 @@ login.
Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
the ICS API. the ICS API.
### Filepicker ## Filepicker
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
and saving attachments to Nextcloud. and saving attachments to Nextcloud.
@@ -94,34 +92,33 @@ Frontend-based integration means that OX AppSuite in the browser is communicatin
While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
when adding a file to an email or storing a file into Nextcloud. when adding a file to an email or storing a file into Nextcloud.
### Central Navigation ## Central Navigation
Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
allow components to render the menu showing all available SWP applications for the user. allow components to render the menu showing all available SWP applications for the user.
### (Read & write) Central contacts ## (Read & write) Central contacts
Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
available personal contact. available personal contact.
### OpenProject Filestore ## OpenProject Filestore
By default, Nextcloud is a configured option for storing attachments in OpenProject. By default, Nextcloud is a configured option for storing attachments in OpenProject.
The Filestore can be enabled on a per-project level in OpenProject's project admin section. The Filestore can be enabled on a per-project level in OpenProject's project admin section.
# Identity data flows
## Identity data flows
An overview of An overview of
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account. - components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows. - components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
Some components trust others to handle authentication for them. Some components trust others to handle authentication for them.
```mermaid ```mermaid
flowchart TD flowchart TD
K[Keycloak]-->L[LDAP] K[IdP]-->L[LDAP]
N[Nextcloud]-->L N[Nextcloud]-->L
O[OpenProject] --> L O[OpenProject] --> L
A[OX AppSuite]-->L A[OX AppSuite]-->L
@@ -142,7 +139,7 @@ flowchart TD
F[Postfix]-->D F[Postfix]-->D
``` ```
## Provisioning # Provisioning
Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and
deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API: deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
@@ -153,7 +150,7 @@ deleting activities for the following objects to the OX AppSuite using the AppSu
- Functional Mailboxes - Functional Mailboxes
- Resources - Resources
## Component specific documentation # Component specific documentation
We want to provide more information per component in separate, component-specific markdown file. We want to provide more information per component in separate, component-specific markdown file.
To establish a common view on the components, we are going to cover various aspects: To establish a common view on the components, we are going to cover various aspects:
@@ -173,6 +170,6 @@ To establish a common view on the components, we are going to cover various aspe
- **Uninstall**: Documented and working complete uninstallation of the component. - **Uninstall**: Documented and working complete uninstallation of the component.
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level. - **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
## Links to component docs # Links to component docs
- [Intercom-Service](./components/intercom-service.md) - [Intercom-Service](./components/intercom-service.md)

123
docs/external-services.md
View File

@@ -8,58 +8,88 @@ SPDX-License-Identifier: Apache-2.0
This document will cover the additional configuration to use external services like databases, caches or buckets. This document will cover the additional configuration to use external services like databases, caches or buckets.
<!-- TOC --> <!-- TOC -->
* [Database](#database) * [Database](#database)
* [Cache](#cache) * [Objectstore](#objectstore)
* [Cache](#cache)
<!-- TOC --> <!-- TOC -->
## Database # Database
When deploying this suite to production, you need to configure the applications to use your production grade database When deploying this suite to production, you need to configure the applications to use your production grade database
service. service.
| Component | Name | Type | Parameter | Key | Default | | Component | Name | Type | Parameter | Key | Default |
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------| |-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
| Element | Synapse | PostgreSQL | | | | | Element | Synapse | PostgreSQL | | | |
| | | | Name | `databases.synapse.name` | `matrix` | | | | | Name | `databases.synapse.name` | `matrix` |
| | | | Host | `databases.synapse.host` | `postgresql` | | | | | Host | `databases.synapse.host` | `postgresql` |
| | | | Port | `databases.synapse.port` | `5432` | | | | | Port | `databases.synapse.port` | `5432` |
| | | | Username | `databases.synapse.username` | `matrix_user` | | | | | Username | `databases.synapse.username` | `matrix_user` |
| | | | Password | `databases.synapse.password` | | | | | | Password | `databases.synapse.password` | |
| Keycloak | Keycloak | PostgreSQL | | | | | Keycloak | Keycloak | PostgreSQL | | | |
| | | | Name | `databases.keycloak.name` | `keycloak` | | | | | Name | `databases.keycloak.name` | `keycloak` |
| | | | Host | `databases.keycloak.host` | `postgresql` | | | | | Host | `databases.keycloak.host` | `postgresql` |
| | | | Port | `databases.keycloak.port` | `5432` | | | | | Port | `databases.keycloak.port` | `5432` |
| | | | Username | `databases.keycloak.username` | `keycloak_user` | | | | | Username | `databases.keycloak.username` | `keycloak_user` |
| | | | Password | `databases.keycloak.password` | | | | | | Password | `databases.keycloak.password` | |
| | Keycloak Extension | PostgreSQL | | | | | | Keycloak Extension | PostgreSQL | | | |
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` | | | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
| | | | Host | `databases.keycloakExtension.host` | `postgresql` | | | | | Host | `databases.keycloakExtension.host` | `postgresql` |
| | | | Port | `databases.keycloakExtension.port` | `5432` | | | | | Port | `databases.keycloakExtension.port` | `5432` |
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` | | | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
| | | | Password | `databases.keycloakExtension.password` | | | | | | Password | `databases.keycloakExtension.password` | |
| Nextcloud | Nextcloud | MariaDB | | | | | UMS | Notifications API | PostgreSQL | | | |
| | | | Name | `databases.nextcloud.name` | `nextcloud` | | | | | Name | `databases.umsNotificationsApi.name` | `notificationsapi` |
| | | | Host | `databases.nextcloud.host` | `mariadb` | | | | | Host | `databases.umsNotificationsApi.host` | `postgresql` |
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` | | | | | Port | `databases.umsNotificationsApi.port` | `5432` |
| | | | Password | `databases.nextcloud.password` | | | | | | Username | `databases.umsNotificationsApi.username` | `notificationsapi_user` |
| OpenProject | OpenProject | PostgreSQL | | | | | | | | Password | `databases.umsNotificationsApi.password` | |
| | | | Name | `databases.openproject.name` | `openproject` | | | Self Service | PostgreSQL | | | |
| | | | Host | `databases.openproject.host` | `postgresql` | | | | | Name | `databases.umsSelfservice.name` | `selfservice` |
| | | | Port | `databases.openproject.port` | `5432` | | | | | Host | `databases.umsSelfservice.host` | `postgresql` |
| | | | Username | `databases.openproject.username` | `openproject_user` | | | | | Port | `databases.umsSelfservice.port` | `5432` |
| | | | Password | `databases.openproject.password` | | | | | | Username | `databases.umsSelfservice.username` | `selfservice_user` |
| OX Appsuite | OX Appsuite | MariaDB | | | | | | | | Password | `databases.umsSelfservice.password` | |
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` | | Nextcloud | Nextcloud | MariaDB | | | |
| | | | Host | `databases.oxAppsuite.host` | `mariadb` | | | | | Name | `databases.nextcloud.name` | `nextcloud` |
| | | | Username | `databases.oxAppsuite.username` | `root` | | | | | Host | `databases.nextcloud.host` | `mariadb` |
| | | | Password | `databases.oxAppsuite.password` | | | | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
| XWiki | XWiki | MariaDB | | | | | | | | Password | `databases.nextcloud.password` | |
| | | | Name | `databases.xwiki.name` | `xwiki` | | OpenProject | OpenProject | PostgreSQL | | | |
| | | | Host | `databases.xwiki.host` | `mariadb` | | | | | Name | `databases.openproject.name` | `openproject` |
| | | | Username | `databases.xwiki.username` | `xwiki_user` | | | | | Host | `databases.openproject.host` | `postgresql` |
| | | | Password | `databases.xwiki.password` | | | | | | Port | `databases.openproject.port` | `5432` |
| | | | Username | `databases.openproject.username` | `openproject_user` |
| | | | Password | `databases.openproject.password` | |
| OX Appsuite | OX Appsuite | MariaDB | | | |
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
| | | | Username | `databases.oxAppsuite.username` | `root` |
| | | | Password | `databases.oxAppsuite.password` | |
| XWiki | XWiki | MariaDB | | | |
| | | | Name | `databases.xwiki.name` | `xwiki` |
| | | | Host | `databases.xwiki.host` | `mariadb` |
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
| | | | Password | `databases.xwiki.password` | |
## Cache # Objectstore
When deploying this suite to production, you need to configure the applications to use your production grade objectstore
service.
| Component | Name | Parameter | Key | Default |
|-------------|-------------|-----------------|------------------------------------------|--------------------|
| OpenProject | OpenProject | | | |
| | | Backend | `objectstores.openproject.backend` | `minio` |
| | | Bucket | `objectstores.openproject.bucket` | `openproject` |
| | | Endpoint | `objectstores.openproject.endpoint` | |
| | | Provider | `objectstores.openproject.provider` | `AWS` |
| | | Region | `objectstores.openproject.region` | |
| | | Secret | `objectstores.openproject.secret` | |
| | | Username | `objectstores.openproject.username` | `openproject_user` |
| | | Use IAM profile | `objectstores.openproject.useIAMProfile` | |
# Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache When deploying this suite to production, you need to configure the applications to use your production grade cache
service. service.
@@ -75,3 +105,6 @@ service.
| OpenProject | OpenProject | Memcached | | | | | OpenProject | OpenProject | Memcached | | | |
| | | | Host | `cache.openproject.host` | `memcached` | | | | | Host | `cache.openproject.host` | `memcached` |
| | | | Port | `cache.openproject.port` | `11211` | | | | | Port | `cache.openproject.port` | `11211` |
| UMS | Self Service | Memcached | | | |
| | | | Host | `cache.umsSelfservice.host` | `memcached` |
| | | | Port | `cache.umsSelfservice.port` | `11211` |

136
docs/getting-started.md
View File

@@ -8,38 +8,38 @@ SPDX-License-Identifier: Apache-2.0
This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster. This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
<!-- TOC --> <!-- TOC -->
* [Requirements](#requirements) * [Requirements](#requirements)
* [Customize environment](#customize-environment) * [Customize environment](#customize-environment)
* [Domain](#domain) * [Domain](#domain)
* [Apps](#apps) * [Apps](#apps)
* [Private OCI registry](#private-oci-registry) * [Private Image registry](#private-image-registry)
* [Private Helm registry](#private-helm-registry) * [Private Helm registry](#private-helm-registry)
* [Cluster capabilities](#cluster-capabilities) * [Cluster capabilities](#cluster-capabilities)
* [Service](#service) * [Service](#service)
* [Networking](#networking) * [Networking](#networking)
* [Ingress](#ingress) * [Ingress](#ingress)
* [Container runtime](#container-runtime) * [Container runtime](#container-runtime)
* [Volumes](#volumes) * [Volumes](#volumes)
* [Connectivity](#connectivity) * [Connectivity](#connectivity)
* [Mail/SMTP configuration](#mailsmtp-configuration) * [Mail/SMTP configuration](#mailsmtp-configuration)
* [TURN configuration](#turn-configuration) * [TURN configuration](#turn-configuration)
* [Certificate issuer](#certificate-issuer) * [Certificate issuer](#certificate-issuer)
* [Password seed](#password-seed) * [Password seed](#password-seed)
* [Install](#install) * [Install](#install)
* [Install single app](#install-single-app) * [Install single app](#install-single-app)
* [Install single release/chart](#install-single-releasechart) * [Install single release/chart](#install-single-releasechart)
* [Access deployment](#access-deployment) * [Access deployment](#access-deployment)
* [Uninstall](#uninstall) * [Uninstall](#uninstall)
<!-- TOC --> <!-- TOC -->
Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to
deploy openDesk onto your kubernetes infrastructure. deploy openDesk onto your kubernetes infrastructure.
## Requirements # Requirements
Detailed system requirements are covered on [requirements](requirements.md) page. Detailed system requirements are covered on [requirements](requirements.md) page.
## Customize environment # Customize environment
Before deploying openDesk, you have to configure the deployment to suit your environment. Before deploying openDesk, you have to configure the deployment to suit your environment.
To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment
@@ -50,9 +50,9 @@ files.
For the following guide, we will use `dev` as environment, where variables can be set in For the following guide, we will use `dev` as environment, where variables can be set in
`helmfile/environments/dev/values.yaml`. `helmfile/environments/dev/values.yaml`.
### Domain ## Domain
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain. `*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
A list of all subdomains can be found in `helmfile/environments/default/global.yaml`. A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
@@ -107,7 +107,6 @@ All available apps and their default value can be found in `helmfile/environment
| Element | `element.enabled` | `true` | Secure communications platform | | Element | `element.enabled` | `true` | Secure communications platform |
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | | Intercom Service | `intercom.enabled` | `true` | Cross service data exchange |
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | | Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
| Keycloak | `keycloak.enabled` | `true` | Identity Provider |
| MariaDB | `mariadb.enabled` | `true` | Database | | MariaDB | `mariadb.enabled` | `true` | Database |
| Memcached | `memcached.enabled` | `true` | Cache Database | | Memcached | `memcached.enabled` | `true` | Cache Database |
| MinIO | `minio.enabled` | `true` | Object Storage | | MinIO | `minio.enabled` | `true` | Object Storage |
@@ -118,8 +117,7 @@ All available apps and their default value can be found in `helmfile/environment
| Postfix | `postfix.enabled` | `true` | MTA | | Postfix | `postfix.enabled` | `true` | MTA |
| PostgreSQL | `postgresql.enabled` | `true` | Database | | PostgreSQL | `postgresql.enabled` | `true` | Database |
| Redis | `redis.enabled` | `true` | Cache Database | | Redis | `redis.enabled` | `true` | Cache Database |
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | | Univention Management Stack | `univentionManagementStack.enabled` | `true` | Identity Management & Portal |
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal |
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | | XWiki | `xwiki.enabled` | `true` | Knowledgebase |
Exemplary, Jitsi can be disabled like: Exemplary, Jitsi can be disabled like:
@@ -129,9 +127,9 @@ jitsi:
enabled: false enabled: false
``` ```
### Private OCI registry ## Private Image registry
By default, all OCI artifacts are proxied via the project's container registry, which should get replaced soon by the By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
OCI registries provided by Open CoDE. OCI registries provided by Open CoDE.
You also can set your own registry by: You also can set your own registry by:
@@ -154,17 +152,36 @@ global:
- "external-registry" - "external-registry"
``` ```
### Private Helm registry ## Private Helm registry
Some apps use Chart Museum style helm registries. You can use your own registry by setting this environment variable: Some apps use OCI style registry and some use Helm chart museum style registries.
In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
or version.
```shell As an example, you can also use helmfile methods to use just a single environment variable to set registry and
export PRIVATE_CHART_REPOSITORY_URL=charts.open.desk authentication for all OCI helm charts.
```yaml
charts:
certificates:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
``` ```
### Cluster capabilities There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
The following environment variables have to be exposed when using the example:
#### Service | Environment variable | Description |
|-------------------------------------|--------------------------------------------------------------------------------------------|
| `OD_PRIVATE_HELM_OCI_REGISTRY` | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de` |
| `OD_PRIVATE_HELM_HTTP_REGISTRY` | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
| `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username |
| `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password |
## Cluster capabilities
### Service
Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections. Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections.
These apps create a Kubernetes service object. These apps create a Kubernetes service object.
@@ -177,7 +194,7 @@ cluster:
type: "NodePort" type: "NodePort"
``` ```
#### Networking ### Networking
If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via: If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via:
@@ -195,7 +212,7 @@ cluster:
cidr: "127.0.0.0/8" cidr: "127.0.0.0/8"
``` ```
#### Ingress ### Ingress
By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
setting: setting:
@@ -205,7 +222,7 @@ ingress:
ingressClassName: "cilium" ingressClassName: "cilium"
``` ```
#### Container runtime ### Container runtime
Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`, Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`,
`containerd` or `docker` by: `containerd` or `docker` by:
@@ -216,7 +233,7 @@ cluster:
engine: "containerd" engine: "containerd"
``` ```
#### Volumes ### Volumes
When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By
default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set: default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
@@ -236,9 +253,9 @@ persistence:
RWO: "my-read-write-once-class" RWO: "my-read-write-once-class"
``` ```
### Connectivity ## Connectivity
#### Mail/SMTP configuration ### Mail/SMTP configuration
To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from
the whole subdomain. the whole subdomain.
@@ -250,7 +267,7 @@ smtp:
password: "secret" password: "secret"
``` ```
#### TURN configuration ### TURN configuration
Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
these options: these options:
@@ -267,7 +284,7 @@ turn:
port: "5349" port: "5349"
``` ```
#### Certificate issuer ### Certificate issuer
As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS
secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can
@@ -294,9 +311,9 @@ certificate:
wildcard: true wildcard: true
``` ```
### Password seed ## Password seed
All secrets are generated from a single master password via Master Password (algorithm). All secrets are generated from a single master password via Master Password (algorithm).
To prevent others from using your openDesk instance, we highly recommend setting an individual master password via: To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
```shell ```shell
@@ -318,7 +335,7 @@ helmfile apply -e dev -n <NAMESPACE> [-l <label>] [--suppress-diff]
- `-l <label>`: Label selector - `-l <label>`: Label selector
- `--suppress-diff`: Disable diff printing - `--suppress-diff`: Disable diff printing
### Install single app ## Install single app
You can also install or upgrade only a single app like Collabora, either by label selector: You can also install or upgrade only a single app like Collabora, either by label selector:
@@ -333,7 +350,7 @@ cd helmfile/apps/collabora
helmfile apply -e dev -n <NAMESPACE> helmfile apply -e dev -n <NAMESPACE>
``` ```
### Install single release/chart ## Install single release/chart
Instead of iteration through all services, you can also deploy a single release like mariadb by: Instead of iteration through all services, you can also deploy a single release like mariadb by:
@@ -341,7 +358,7 @@ Instead of iteration through all services, you can also deploy a single release
helmfile apply -e dev -n <NAMESPACE> -l name=mariadb helmfile apply -e dev -n <NAMESPACE> -l name=mariadb
``` ```
## Access deployment # Access deployment
When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to
@@ -349,7 +366,7 @@ When all apps are successfully deployed and pod status' went to `Running` or `Su
https://portal.domain.tld https://portal.domain.tld
``` ```
If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal` If you change the subdomain of `univentionManagementStack`, you need to replace `portal`
by your specified subdomain. by your specified subdomain.
**Credentials:** **Credentials:**
@@ -358,20 +375,13 @@ by your specified subdomain.
# Replace with your namespace # Replace with your namespace
NAMESPACE=your-namespace NAMESPACE=your-namespace
# Get UCS container, which contains passwords as env var. # Get credentials from ConfigMap
CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}') kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container | yq '.properties.username,.properties.password'
# # default.user
# NAME READY STATUS RESTARTS AGE
# univention-corporate-container-8665c6f8b7-nlhc6 1/1 Running 0 10m
# Password of `default.user`
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
# 40615..............................e9e2f # 40615..............................e9e2f
# ---
# Password of `default.admin` # default.admin
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
# bdbbb..............................04db6 # bdbbb..............................04db6
``` ```
@@ -382,7 +392,7 @@ Now you can log in with obtained credentials:
| `default.user` | `40615..............................e9e2f` | Application user | | `default.user` | `40615..............................e9e2f` | Application user |
| `default.admin` | `bdbbb..............................04db6` | Administrator | | `default.admin` | `bdbbb..............................04db6` | Administrator |
## Uninstall # Uninstall
You can uninstall the deployment by: You can uninstall the deployment by:

25
docs/monitoring.md
View File

@@ -9,15 +9,15 @@ This document will cover how you can enable observability with Prometheus based
well as the overall status of monitoring integration. well as the overall status of monitoring integration.
<!-- TOC --> <!-- TOC -->
* [Technology](#technology) * [Technology](#technology)
* [Defaults](#defaults) * [Defaults](#defaults)
* [Metrics](#metrics) * [Metrics](#metrics)
* [Alerts](#alerts) * [Alerts](#alerts)
* [Dashboards for Grafana](#dashboards-for-grafana) * [Dashboards for Grafana](#dashboards-for-grafana)
* [Components](#components) * [Components](#components)
<!-- TOC --> <!-- TOC -->
## Technology # Technology
We provide integration into the Prometheus based monitoring. We provide integration into the Prometheus based monitoring.
Together with Together with
@@ -27,12 +27,12 @@ easily leverage the full potential of open-source cloud-native observability sta
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
repository or prometheus operator. repository or prometheus operator.
## Defaults # Defaults
All configurable options and their defaults can be found in All configurable options and their defaults can be found in
[`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml). [`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml).
## Metrics # Metrics
To deploy podMonitor and serviceMonitor custom resources, enable it by: To deploy podMonitor and serviceMonitor custom resources, enable it by:
@@ -44,7 +44,7 @@ prometheus:
enabled: true enabled: true
``` ```
## Alerts # Alerts
Some helm-charts provide a default set of prometheusRules for alerting, enable it by: Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
@@ -54,7 +54,7 @@ prometheus:
enabled: true enabled: true
``` ```
## Dashboards for Grafana # Dashboards for Grafana
To deploy optional ConfigMaps with Grafana dashboards, enable it by: To deploy optional ConfigMaps with Grafana dashboards, enable it by:
@@ -64,7 +64,8 @@ grafana:
enabled: true enabled: true
``` ```
## Components # Components
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) | | Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|:----------|-----------------------------------|-------------------------|---------------------| |:----------|-----------------------------------|-------------------------|---------------------|
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: | | Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |

42
docs/requirements.md
View File

@@ -7,17 +7,17 @@ SPDX-License-Identifier: Apache-2.0
This section covers the internal system requirements as well as external service requirements for productive use. This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC --> <!-- TOC -->
* [TL;DR;](#tldr) * [TL;DR;](#tldr)
* [Hardware](#hardware) * [Hardware](#hardware)
* [Kubernetes](#kubernetes) * [Kubernetes](#kubernetes)
* [Ingress controller](#ingress-controller) * [Ingress controller](#ingress-controller)
* [Volume provisioner](#volume-provisioner) * [Volume provisioner](#volume-provisioner)
* [Certificate management](#certificate-management) * [Certificate management](#certificate-management)
* [External services](#external-services) * [External services](#external-services)
* [Deployment](#deployment) * [Deployment](#deployment)
<!-- TOC --> <!-- TOC -->
## TL;DR; # TL;DR;
openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster. openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/) - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
@@ -30,7 +30,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
- Certificate handling with [cert-manager](https://cert-manager.io/) - Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8 - [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
## Hardware # Hardware
The following minimal requirements are thought for initial evaluation deployment: The following minimal requirements are thought for initial evaluation deployment:
@@ -40,7 +40,7 @@ The following minimal requirements are thought for initial evaluation deployment
| RAM | 16 GB, recommended 32 GB | | RAM | 16 GB, recommended 32 GB |
| Disk | HDD or SSD, >10 GB | | Disk | HDD or SSD, >10 GB |
## Kubernetes # Kubernetes
Any self-hosted or managed K8s cluster >= 1.24 listed in Any self-hosted or managed K8s cluster >= 1.24 listed in
[CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported. [CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported.
@@ -49,7 +49,7 @@ The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/
> **Note:** The deployment is not tested against OpenShift. > **Note:** The deployment is not tested against OpenShift.
## Ingress controller # Ingress controller
The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
configured ingress controller deployed. configured ingress controller deployed.
@@ -63,14 +63,14 @@ configured ingress controller deployed.
When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/) When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
## Volume provisioner # Volume provisioner
Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath- Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
provisioner is sufficient. provisioner is sufficient.
> **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling. > **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling.
## Certificate management # Certificate management
This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**, This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**,
but a secret containing a valid TLS certificate is required. but a secret containing a valid TLS certificate is required.
@@ -78,16 +78,16 @@ but a secret containing a valid TLS certificate is required.
Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or
openDesk certificate management disabled. openDesk certificate management disabled.
## External services # External services
Evaluation the openDesk deployment does not require any external service to start, but features may be limited. Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
| Group | Type | Version | Tested against | | Group | Type | Version | Tested against |
|----------|---------------------|---------|-----------------------| |----------|---------------------|---------|-----------------------|
| Cache | Memached | `1.6.x` | Memached | | Cache | Memached | `1.6.x` | Memached |
| | Redis | `7.x.x` | Redis | | | Redis | `7.x.x` | Redis |
| Database | MariaDB | `10.x` | MariaDB | | Database | MariaDB | `10.x` | MariaDB |
| | PostgreSQL | `15.x` | PostgreSQL | | | PostgreSQL | `15.x` | PostgreSQL |
| Mail | Mail Transfer Agent | | Postfix | | Mail | Mail Transfer Agent | | Postfix |
| | PKI/CI (SMIME) | | | | | PKI/CI (SMIME) | | |
@@ -97,7 +97,7 @@ Evaluation the openDesk deployment does not require any external service to star
| | Object Storage | | MinIO | | | Object Storage | | MinIO |
| Voice | TURN | | Coturn | | Voice | TURN | | Coturn |
## Deployment # Deployment
The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and
templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience. templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience.

8
docs/scaling.md
View File

@@ -8,10 +8,10 @@ SPDX-License-Identifier: Apache-2.0
This document should cover the abilities to scale apps. This document should cover the abilities to scale apps.
<!-- TOC --> <!-- TOC -->
* [Replicas](#replicas) * [Replicas](#replicas)
<!-- TOC --> <!-- TOC -->
## Replicas # Replicas
The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
apps with a check-mark in `Scaling (effective)` column. apps with a check-mark in `Scaling (effective)` column.
@@ -47,6 +47,6 @@ marked with a gear.
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: | | Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
| Minio | `replicas.minioDistributed` | :white_check_mark: | :white_check_mark: | | Minio | `replicas.minioDistributed` | :white_check_mark: | :white_check_mark: |
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: | | Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: | | OpenProject | `replicas.openproject` | :white_check_mark: | :white_check_mark: |
| Postfix | `replicas.postfix` | :x: | :gear: | | Postfix | `replicas.postfix` | :x: | :gear: |
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: | | XWiki | `replicas.xwiki` | :x: | :gear: |

136
docs/security.md
View File

@@ -8,11 +8,12 @@ SPDX-License-Identifier: Apache-2.0
This document should cover the current status of security measurements. This document should cover the current status of security measurements.
<!-- TOC --> <!-- TOC -->
* [Helm Chart Trust Chain](#helm-chart-trust-chain) * [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements) * [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
<!-- TOC --> <!-- TOC -->
## Helm Chart Trust Chain # Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
`pubkey.gpg` file and are validated during helmfile installation. `pubkey.gpg` file and are validated during helmfile installation.
@@ -27,7 +28,6 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| istio-resources-repo | yes | :white_check_mark: | | istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: | | jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: | | keycloak-extensions-repo | no | :x: |
| keycloak-theme-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: | | mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: | | nextcloud-repo | no | :x: |
| opendesk-certificates-repo | yes | :white_check_mark: | | opendesk-certificates-repo | yes | :white_check_mark: |
@@ -36,57 +36,99 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: | | opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: | | opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: | | opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | no | :x: | | openproject-repo | yes | :white_check_mark: |
| openxchange-repo | yes | :x: | | openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: | | ox-connector-repo | no | :x: |
| postfix-repo | yes | :white_check_mark: | | postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: | | postgresql-repo | yes | :white_check_mark: |
| univention-corporate-container-repo | yes | :white_check_mark: |
| ums-repo | no | :x: | | ums-repo | no | :x: |
| univention-keycloak-repo | yes | :white_check_mark: |
| univention-keycloak-bootstrap-repo | yes | :white_check_mark: |
| xwiki-repo | no | :x: | | xwiki-repo | no | :x: |
## Kubernetes Security Enforcements # Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards: This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | | Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| |-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | | Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 | | CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 | | Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | | | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | | IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | | | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | | | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | | | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | | MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | | Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 | | | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | | | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | | Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | | | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - | | | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | | | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - | | OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | | | opendeskOpenprojectBootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
| Univention Management Stack | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
| | keycloakBootstrap | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | ldap-notifier | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | ldap-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | notifications-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | opendeskKeycloakBootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-rest-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-gateway | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
# NetworkPolicies
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
When applied, they restrict the traffic to your services.
This protects other deployments in your cluster or other services in your deployment to get compromised when one
component is compromised.
We ship a default set of Otterize ClientIntents via
[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
(IBAC) into kubernetes native NetworkPolicies.
This requires the Otterize intents operator to be installed.
```yaml
security:
otterizeIntents:
enabled: true
```

14
docs/theming.md
View File

@@ -8,13 +8,13 @@ SPDX-License-Identifier: Apache-2.0
This document will cover the theming and customization of your openDesk deployment. This document will cover the theming and customization of your openDesk deployment.
<!-- TOC --> <!-- TOC -->
* [Strings and texts](#strings-and-texts) * [Strings and texts](#strings-and-texts)
* [Colors](#colors) * [Colors](#colors)
* [Images and Logos](#images-and-logos) * [Images and Logos](#images-and-logos)
* [Known limits](#known-limits) * [Known limits](#known-limits)
<!-- TOC --> <!-- TOC -->
## Strings and texts # Strings and texts
The deployment name can be changed by: The deployment name can be changed by:
@@ -24,7 +24,7 @@ theme:
productName: "openDesk Cloud" productName: "openDesk Cloud"
``` ```
## Colors # Colors
The primary color and their derivates with lesser opacity be customized by: The primary color and their derivates with lesser opacity be customized by:
@@ -50,10 +50,10 @@ theme:
faviconIco: "..." faviconIco: "..."
``` ```
## Known limits # Known limits
Not all applications support theming. Known exceptions are: Not all applications support theming. Known exceptions are:
- Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support - Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
for theming through the deployment). for theming through the deployment).
- OpenProject - OpenProject
- Jitsi - Jitsi

261
examples/private-helm-registry.yaml.gotmpl Normal file
View File

@@ -0,0 +1,261 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
charts:
certificates:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
clamav:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
clamavSimple:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
collabora:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
cryptpad:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
dovecot:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
element:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
elementWellKnown:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
intercomService:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
istioResources:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
jitsi:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsKeycloak:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsKeycloakBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
opendeskKeycloakBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsKeycloakExtensions:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
mariadb:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeoboardWidget:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeochoiseWidget:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeodatefixBot:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixNeodatefixWidget:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
matrixUserVerificationService:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
memcached:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
minio:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
nextcloud:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
nextcloudBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
nginx:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openproject:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openprojectBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openXchangeAppSuite:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
openXchangeAppSuiteBootstrap:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
otterize:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
oxConnector:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
postfix:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
postgresql:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
redis:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
synapse:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
synapseCreateAccount:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
synapseWeb:
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsLdapNotifier:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsLdapServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsNotificationsApi:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsPortalFrontend:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsPortalListener:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsPortalServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsStackDataSwp:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsStackDataUms:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsStoreDav:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsUdmRestApi:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsUmcGateway:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
umsUmcServer:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
xwiki:
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
...

3
helmfile.yaml
View File

@@ -7,10 +7,7 @@
helmfiles: helmfiles:
# Path to the helmfile state file being processed BEFORE releases in this state file # Path to the helmfile state file being processed BEFORE releases in this state file
- path: "helmfile/apps/services/helmfile.yaml" - path: "helmfile/apps/services/helmfile.yaml"
- path: "helmfile/apps/keycloak/helmfile.yaml"
- path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
- path: "helmfile/apps/univention-management-stack/helmfile.yaml" - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
- path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
- path: "helmfile/apps/intercom-service/helmfile.yaml" - path: "helmfile/apps/intercom-service/helmfile.yaml"
- path: "helmfile/apps/open-xchange/helmfile.yaml" - path: "helmfile/apps/open-xchange/helmfile.yaml"
- path: "helmfile/apps/nextcloud/helmfile.yaml" - path: "helmfile/apps/nextcloud/helmfile.yaml"

12
helmfile/apps/collabora/helmfile.yaml
View File

@@ -3,20 +3,20 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# Collabora Online # Collabora Online
# Source: https://github.com/CollaboraOnline/online # Source: https://github.com/CollaboraOnline/online
- name: "collabora-online-repo" - name: "collabora-online-repo"
url: >- username: {{ .Values.charts.collabora.username | quote }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | password: {{ .Values.charts.collabora.password | quote }}
default "https://collaboraonline.github.io/online" }} oci: {{ .Values.charts.collabora.oci }}
url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
releases: releases:
- name: "collabora-online" - name: "collabora-online"
chart: "collabora-online-repo/collabora-online" chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
version: "1.0.2" version: "{{ .Values.charts.collabora.version }}"
values: values:
- "values.yaml" - "values.yaml"
- "values.gotmpl" - "values.gotmpl"

14
helmfile/apps/cryptpad/helmfile.yaml
View File

@@ -3,20 +3,20 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# CryptPad # CryptPad
# Source: https://github.com/cryptpad/helm # Source: https://github.com/cryptpad/helm
- name: "cryptpad-online-repo" - name: "cryptpad-repo"
url: >- username: {{ .Values.charts.cryptpad.username | quote }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | password: {{ .Values.charts.cryptpad.password | quote }}
default "https://cryptpad.github.io/helm" }} oci: {{ .Values.charts.cryptpad.oci }}
url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
releases: releases:
- name: "cryptpad" - name: "cryptpad"
chart: "cryptpad-online-repo/cryptpad" chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
version: "0.0.13" version: "{{ .Values.charts.cryptpad.version }}"
values: values:
- "values.yaml" - "values.yaml"
- "values.gotmpl" - "values.gotmpl"

4
helmfile/apps/cryptpad/values.yaml
View File

@@ -22,6 +22,10 @@ enableEmbedding: true
fullnameOverride: "cryptpad" fullnameOverride: "cryptpad"
ingress:
annotations:
nginx.org/websocket-services: "cryptpad"
persistence: persistence:
enabled: false enabled: false

131
helmfile/apps/element/helmfile.yaml
View File

@@ -3,37 +3,90 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# openDesk Element # openDesk Element
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
- name: "opendesk-element-repo" - name: "element-repo"
oci: true oci: {{ .Values.charts.element.oci }}
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.element.verify }}
username: {{ .Values.charts.element.username | quote }}
password: {{ .Values.charts.element.password | quote }}
url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
- name: "element-well-known-repo"
oci: {{ .Values.charts.elementWellKnown.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.elementWellKnown.verify }}
username: {{ .Values.charts.elementWellKnown.username | quote }}
password: {{ .Values.charts.elementWellKnown.password | quote }}
url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
- name: "synapse-web-repo"
oci: {{ .Values.charts.synapseWeb.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.synapseWeb.verify }}
username: {{ .Values.charts.synapseWeb.username | quote }}
password: {{ .Values.charts.synapseWeb.password | quote }}
url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
- name: "synapse-repo"
oci: {{ .Values.charts.synapse.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.synapse.verify }}
username: {{ .Values.charts.synapse.username | quote }}
password: {{ .Values.charts.synapse.password | quote }}
url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
- name: "synapse-create-account-repo"
oci: {{ .Values.charts.synapseCreateAccount.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.synapseCreateAccount.verify }}
username: {{ .Values.charts.synapseCreateAccount.username | quote }}
password: {{ .Values.charts.synapseCreateAccount.password | quote }}
url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
# openDesk Matrix Widgets # openDesk Matrix Widgets
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
- name: "opendesk-matrix-widgets-repo" - name: "matrix-user-verification-service-repo"
oci: true oci: {{ .Values.charts.matrixUserVerificationService.oci }}
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixUserVerificationService.verify }}
username: {{ .Values.charts.matrixUserVerificationService.username | quote }}
password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
{{ .Values.charts.matrixUserVerificationService.repository }}"
- name: "matrix-neoboard-widget-repo"
oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neochoice-widget-repo"
oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neodatefix-widget-repo"
oci: {{ .Values.charts.matrixNeodatefixWidget.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
username: {{ .Values.charts.matrixNeodatefixWidget.username | quote }}
password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
- name: "matrix-neodatefix-bot-repo"
oci: {{ .Values.charts.matrixNeodatefixBot.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
username: {{ .Values.charts.matrixNeodatefixBot.username | quote }}
password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
releases: releases:
- name: "opendesk-element" - name: "opendesk-element"
chart: "opendesk-element-repo/opendesk-element" chart: "element-repo/{{ .Values.charts.element.name }}"
version: "2.5.1" version: "{{ .Values.charts.element.version }}"
values: values:
- "values-element.yaml" - "values-element.yaml"
- "values-element.gotmpl" - "values-element.gotmpl"
@@ -41,8 +94,8 @@ releases:
timeout: 900 timeout: 900
- name: "opendesk-well-known" - name: "opendesk-well-known"
chart: "opendesk-element-repo/opendesk-well-known" chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
version: "2.5.1" version: "{{ .Values.charts.elementWellKnown.version }}"
values: values:
- "values-well-known.yaml" - "values-well-known.yaml"
- "values-well-known.gotmpl" - "values-well-known.gotmpl"
@@ -50,8 +103,8 @@ releases:
timeout: 900 timeout: 900
- name: "opendesk-synapse-web" - name: "opendesk-synapse-web"
chart: "opendesk-element-repo/opendesk-synapse-web" chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
version: "2.5.1" version: "{{ .Values.charts.synapseWeb.version }}"
values: values:
- "values-synapse-web.yaml" - "values-synapse-web.yaml"
- "values-synapse-web.gotmpl" - "values-synapse-web.gotmpl"
@@ -59,8 +112,8 @@ releases:
timeout: 900 timeout: 900
- name: "opendesk-synapse" - name: "opendesk-synapse"
chart: "opendesk-element-repo/opendesk-synapse" chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
version: "2.5.1" version: "{{ .Values.charts.synapse.version }}"
values: values:
- "values-synapse.yaml" - "values-synapse.yaml"
- "values-synapse.gotmpl" - "values-synapse.gotmpl"
@@ -68,8 +121,8 @@ releases:
timeout: 900 timeout: 900
- name: "opendesk-matrix-user-verification-service-bootstrap" - name: "opendesk-matrix-user-verification-service-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account" chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "2.5.1" version: "{{ .Values.charts.synapseCreateAccount.version }}"
values: values:
- "values-matrix-user-verification-service-bootstrap.yaml" - "values-matrix-user-verification-service-bootstrap.yaml"
- "values-matrix-user-verification-service-bootstrap.gotmpl" - "values-matrix-user-verification-service-bootstrap.gotmpl"
@@ -77,8 +130,8 @@ releases:
timeout: 900 timeout: 900
- name: "opendesk-matrix-user-verification-service" - name: "opendesk-matrix-user-verification-service"
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service" chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
version: "2.5.1" version: "{{ .Values.charts.matrixUserVerificationService.version }}"
values: values:
- "values-matrix-user-verification-service.yaml" - "values-matrix-user-verification-service.yaml"
- "values-matrix-user-verification-service.gotmpl" - "values-matrix-user-verification-service.gotmpl"
@@ -86,8 +139,8 @@ releases:
timeout: 900 timeout: 900
- name: "matrix-neoboard-widget" - name: "matrix-neoboard-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget" chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
version: "3.2.0" version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
values: values:
- "values-matrix-neoboard-widget.yaml" - "values-matrix-neoboard-widget.yaml"
- "values-matrix-neoboard-widget.gotmpl" - "values-matrix-neoboard-widget.gotmpl"
@@ -95,8 +148,8 @@ releases:
timeout: 900 timeout: 900
- name: "matrix-neochoice-widget" - name: "matrix-neochoice-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget" chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
version: "3.2.0" version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
values: values:
- "values-matrix-neochoice-widget.yaml" - "values-matrix-neochoice-widget.yaml"
- "values-matrix-neochoice-widget.gotmpl" - "values-matrix-neochoice-widget.gotmpl"
@@ -104,8 +157,8 @@ releases:
timeout: 900 timeout: 900
- name: "matrix-neodatefix-widget" - name: "matrix-neodatefix-widget"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget" chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
version: "3.2.0" version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
values: values:
- "values-matrix-neodatefix-widget.yaml" - "values-matrix-neodatefix-widget.yaml"
- "values-matrix-neodatefix-widget.gotmpl" - "values-matrix-neodatefix-widget.gotmpl"
@@ -113,8 +166,8 @@ releases:
timeout: 900 timeout: 900
- name: "matrix-neodatefix-bot-bootstrap" - name: "matrix-neodatefix-bot-bootstrap"
chart: "opendesk-element-repo/opendesk-synapse-create-account" chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "2.5.1" version: "{{ .Values.charts.synapseCreateAccount.version }}"
values: values:
- "values-matrix-neodatefix-bot-bootstrap.yaml" - "values-matrix-neodatefix-bot-bootstrap.yaml"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl" - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
@@ -122,8 +175,8 @@ releases:
timeout: 900 timeout: 900
- name: "matrix-neodatefix-bot" - name: "matrix-neodatefix-bot"
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot" chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
version: "3.2.0" version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
values: values:
- "values-matrix-neodatefix-bot.yaml" - "values-matrix-neodatefix-bot.yaml"
- "values-matrix-neodatefix-bot.gotmpl" - "values-matrix-neodatefix-bot.gotmpl"

6
helmfile/apps/element/values-element.gotmpl
View File

@@ -13,15 +13,15 @@ global:
configuration: configuration:
additionalConfiguration: additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
"net.nordeck.element_web.module.opendesk": "net.nordeck.element_web.module.opendesk":
config: config:
banner: banner:
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json" ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent" ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg" portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/" portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
custom_css_variables: custom_css_variables:
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }} --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
widget_types: widget_types:

2
helmfile/apps/element/values-matrix-user-verification-service.yaml
View File

@@ -22,6 +22,8 @@ extraEnvVars:
secretKeyRef: secretKeyRef:
name: "opendesk-matrix-user-verification-service-account" name: "opendesk-matrix-user-verification-service-account"
key: "access_token" key: "access_token"
- name: "UVS_DISABLE_IP_BLACKLIST"
value: "true"
podSecurityContext: podSecurityContext:
enabled: true enabled: true

2
helmfile/apps/element/values-synapse.gotmpl
View File

@@ -38,7 +38,7 @@ configuration:
oidc: oidc:
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }} clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
turn: turn:
sharedSecret: {{ .Values.turn.credentials | quote }} sharedSecret: {{ .Values.turn.credentials | quote }}

12
helmfile/apps/element/values-synapse.yaml
View File

@@ -11,10 +11,22 @@ configuration:
- "m.space.parent" - "m.space.parent"
- "net.nordeck.meetings.metadata" - "net.nordeck.meetings.metadata"
- "m.room.power_levels" - "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
homeserver: homeserver:
guestModule: guestModule:
enabled: true enabled: true
oidc:
clientId: "opendesk-matrix"
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false

16
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -3,24 +3,24 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# Intercom Service # Intercom Service
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
- name: "intercom-service-repo" - name: "intercom-service-repo"
oci: true oci: {{ .Values.charts.intercomService.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.intercomService.verify }}
username: {{ .Values.charts.intercomService.username | quote }}
password: {{ .Values.charts.intercomService.password | quote }}
url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
releases: releases:
- name: "intercom-service" - name: "intercom-service"
chart: "intercom-service-repo/intercom-service" chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
version: "2.0.1" version: "{{ .Values.charts.intercomService.version }}"
values: values:
- "values.yaml"
- "values.gotmpl" - "values.gotmpl"
installed: {{ .Values.intercom.enabled }} installed: {{ .Values.intercom.enabled }}

11
helmfile/apps/intercom-service/values.gotmpl
View File

@@ -13,8 +13,10 @@ global:
ics: ics:
secret: {{ .Values.secrets.intercom.secret | quote }} secret: {{ .Values.secrets.intercom.secret | quote }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}" originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
keycloak:
realm: {{ .Values.platform.realm | quote }}
default: default:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
oidc: oidc:
@@ -33,7 +35,9 @@ ics:
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }} password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange: openxchange:
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
audience: "opendesk-oxappsuite"
nextcloud:
audience: "opendesk-nextcloud"
image: image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.intercom.repository | quote }} repository: {{ .Values.images.intercom.repository | quote }}
@@ -46,4 +50,7 @@ ingress:
tls: tls:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
resources:
{{ .Values.resources.intercomService | toYaml | nindent 2 }}
... ...

26
helmfile/apps/intercom-service/values.yaml Normal file
View File

@@ -0,0 +1,26 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ics:
oidc:
id: "opendesk-intercom"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
...

15
helmfile/apps/jitsi/helmfile.yaml
View File

@@ -3,23 +3,22 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# openDesk Jitsi # openDesk Jitsi
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
- name: "jitsi-repo" - name: "jitsi-repo"
oci: true oci: {{ .Values.charts.jitsi.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.jitsi.verify }}
username: {{ .Values.charts.jitsi.username | quote }}
password: {{ .Values.charts.jitsi.password | quote }}
url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
releases: releases:
- name: "jitsi" - name: "jitsi"
chart: "jitsi-repo/sovereign-workplace-jitsi" chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
version: "1.7.1" version: "{{ .Values.charts.jitsi.version }}"
values: values:
- "values-jitsi.gotmpl" - "values-jitsi.gotmpl"
installed: {{ .Values.jitsi.enabled }} installed: {{ .Values.jitsi.enabled }}

4
helmfile/apps/jitsi/values-jitsi.gotmpl
View File

@@ -22,6 +22,8 @@ image:
settings: settings:
jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }} jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
keycloakRealm: {{ .Values.platform.realm | quote }}
keycloakClientId: "opendesk-jitsi"
theme: theme:
{{ .Values.theme | toYaml | nindent 2 }} {{ .Values.theme | toYaml | nindent 2 }}
@@ -60,7 +62,7 @@ jitsi:
- name: "AUTH_TYPE" - name: "AUTH_TYPE"
value: "hybrid_matrix_token" value: "hybrid_matrix_token"
- name: "JWT_APP_ID" - name: "JWT_APP_ID"
value: "myappid" value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
- name: "JWT_APP_SECRET" - name: "JWT_APP_SECRET"
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }} value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
- name: "MATRIX_UVS_SYNC_POWER_LEVELS" - name: "MATRIX_UVS_SYNC_POWER_LEVELS"

35
helmfile/apps/keycloak-bootstrap/helmfile.yaml
View File

@@ -1,35 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
- name: "opendesk-keycloak-bootstrap-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
version: "1.1.12"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
installed: {{ .Values.keycloak.enabled }}
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
timeout: 1800
commonLabels:
deploy-stage: "component-1"
component: "keycloak-bootstrap"
...

30
helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
View File

@@ -1,30 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
administrator:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
...

62
helmfile/apps/keycloak/helmfile.yaml
View File

@@ -1,62 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "bitnami-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Keycloak Theme
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
- name: "keycloak-theme-repo"
oci: true
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
# openDesk Keycloak Extensions
- name: "keycloak-extensions-repo"
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
releases:
- name: "keycloak-theme"
chart: "keycloak-theme-repo/opendesk-keycloak-theme"
version: "2.0.0"
values:
- "values-theme.gotmpl"
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak"
chart: "bitnami-repo/keycloak"
version: "12.1.5"
values:
- "values-keycloak.gotmpl"
- "values-keycloak.yaml"
- "values-keycloak-idp.yaml"
wait: true
installed: {{ .Values.keycloak.enabled }}
- name: "keycloak-extensions"
chart: "keycloak-extensions-repo/keycloak-extensions"
version: "0.1.0"
needs:
- "keycloak"
values:
- "values-extensions.yaml"
- "values-extensions.gotmpl"
installed: {{ .Values.keycloak.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "keycloak"
...

45
helmfile/apps/keycloak/values-extensions.yaml
View File

@@ -1,45 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
keycloak:
host: "keycloak"
adminUsername: "kcadmin"
adminRealm: "master"
realm: "souvap"
handler:
appConfig:
captchaProtectionEnable: "False"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
postgresql:
enabled: false
proxy:
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
...

1693
helmfile/apps/keycloak/values-keycloak-idp.yaml
View File

File diff suppressed because it is too large Load Diff

89
helmfile/apps/keycloak/values-keycloak.gotmpl
View File

@@ -1,89 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloak.repository | quote }}
tag: {{ .Values.images.keycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
externalDatabase:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
auth:
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
replicaCount: {{ .Values.replicas.keycloak }}
keycloakConfigCli:
extraEnvVars:
- name: "LDAP_GROUPS_DN"
value: "cn=groups,dc=swp-ldap,dc=internal"
- name: "LDAP_USERS_DN"
value: "cn=users,dc=swp-ldap,dc=internal"
- name: "LDAP_SERVER_URL"
value: {{ .Values.ldap.host | quote }}
- name: "IDENTIFIER"
value: "souvap"
- name: "THEME"
value: "souvap"
- name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT"
value: "600s"
- name: "UNIVENTION_CORPORATE_SERVER_DOMAIN"
value: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
- name: "KEYCLOAK_DOMAIN"
value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
- name: "OPENXCHANGE_8_DOMAIN"
value: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
- name: "XWIKI_DOMAIN"
value: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
- name: "OPENPROJECT_DOMAIN"
value: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
- name: "NEXTCLOUD_DOMAIN"
value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
- name: "MATRIX_DOMAIN"
value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
- name: "JITSI_DOMAIN"
value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
- name: "ELEMENT_DOMAIN"
value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
- name: "INTERCOM_SERVICE_DOMAIN"
value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
- name: "CLIENT_SECRET_INTERCOM_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
- name: "CLIENT_SECRET_MATRIX_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
- name: "CLIENT_SECRET_JITSI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
- name: "CLIENT_SECRET_NCOIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
- name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
- name: "CLIENT_SECRET_XWIKI_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
- name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
value: "storage_provider_ucsldap"
- name: "LDAPSEARCH_PASSWORD"
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: "LDAPSEARCH_USERNAME"
value: "ldapsearch_keycloak"
resources:
{{ .Values.resources.keycloak | toYaml | nindent 4 }}
resources:
{{ .Values.resources.keycloak | toYaml | nindent 2 }}
...

85
helmfile/apps/keycloak/values-keycloak.yaml
View File

@@ -1,85 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
postgresql:
enabled: false
externalDatabase:
existingSecret: ""
existingSecretPasswordKey: ""
auth:
adminUser: "kcadmin"
# not working as expected with older helm chart, check if it works with most recent one.
# meanwhile we set the loglevel using the extraEnvVars a bit below.
# logging:
# level: "DEBUG"
extraEnvVars:
- name: "KC_LOG_LEVEL"
value: "INFO"
extraStartupArgs: >
-Dkeycloak.profile.feature.token_exchange=enabled
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
service:
type: "ClusterIP"
ingress:
enabled: false
extraVolumes:
- name: "keycloak-theme"
configMap:
name: "keycloak-theme"
items:
- key: "theme.properties"
path: "souvap/login/theme.properties"
- key: "messages_de.properties"
path: "souvap/login/messages/messages_de.properties"
- key: "messages_en.properties"
path: "souvap/login/messages/messages_en.properties"
- key: "styles.css"
path: "souvap/login/resources/css/styles.css"
- key: "logo.svg"
path: "souvap/login/resources/img/logo_phoenix.svg"
- key: "login.ftl"
path: "souvap/login/login.ftl"
extraVolumeMounts:
- name: "keycloak-theme"
mountPath: "/opt/bitnami/keycloak/themes"
keycloakConfigCli:
enabled: true
command:
- "java"
- "-jar"
- "/opt/bitnami/keycloak-config-cli/keycloak-config-cli-19.0.3.jar"
args:
- "--import.var-substitution.enabled=true"
cache:
enabled: false
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
podSecurityContext:
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
...

13
helmfile/apps/keycloak/values-theme.gotmpl
View File

@@ -1,13 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

34
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -3,32 +3,30 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# openDesk Keycloak Bootstrap # openDesk Keycloak Bootstrap
# Source: # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
# https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap - name: "nextcloud-bootstrap-repo"
- name: "opendesk-nextcloud-bootstrap-repo" oci: {{ .Values.charts.nextcloudBootstrap.oci }}
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nextcloudBootstrap.verify }}
username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
# Nextcloud # Nextcloud
# Source: https://github.com/nextcloud/helm/ # Source: https://github.com/nextcloud/helm/
- name: "nextcloud-repo" - name: "nextcloud-repo"
url: >- oci: {{ .Values.charts.nextcloud.oci }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | username: {{ .Values.charts.nextcloud.username | quote }}
default "https://nextcloud.github.io/helm/" }} password: {{ .Values.charts.nextcloud.password | quote }}
url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
releases: releases:
- name: "opendesk-nextcloud-bootstrap" - name: "opendesk-nextcloud-bootstrap"
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap" chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
version: "3.2.3" version: "{{ .Values.charts.nextcloudBootstrap.version }}"
wait: true wait: true
waitForJobs: true waitForJobs: true
values: values:
@@ -38,8 +36,8 @@ releases:
timeout: 900 timeout: 900
- name: "nextcloud" - name: "nextcloud"
chart: "nextcloud-repo/nextcloud" chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
version: "3.5.19" version: "{{ .Values.charts.nextcloud.version }}"
needs: needs:
- "opendesk-nextcloud-bootstrap" - "opendesk-nextcloud-bootstrap"
values: values:

4
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -28,6 +28,7 @@ config:
password: {{ .Values.secrets.centralnavigation.apiKey | quote }} password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
userOidc: userOidc:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }} password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
realm: {{ .Values.platform.realm }}
database: database:
host: {{ .Values.databases.nextcloud.host | quote }} host: {{ .Values.databases.nextcloud.host | quote }}
@@ -37,13 +38,14 @@ config:
ldapSearch: ldapSearch:
host: {{ .Values.ldap.host | quote }} host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
serverinfo: serverinfo:
token: {{ .Values.secrets.nextcloud.metricsToken | quote }} token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
smtp: smtp:
host: {{ .Values.smtp.host | quote }} host: {{ .Values.smtp.host | quote }}
port: {{ .Values.smtp.port | quote }}
username: {{ .Values.smtp.username | quote }} username: {{ .Values.smtp.username | quote }}
password: {{ .Values.smtp.password | quote }} password: {{ .Values.smtp.password | quote }}

18
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -7,10 +7,24 @@ config:
apps: apps:
integrationSwp: integrationSwp:
username: "phoenixusername" username: "opendesk_username"
userOidc: userOidc:
username: "ncoidc" username: "opendesk-nextcloud"
userIdAttribute: "opendesk_useruuid"
cryptpad: cryptpad:
enabled: true enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 33
fsGroupChangePolicy: "Always"
... ...

2
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -49,6 +49,8 @@ metrics:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }} enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels: labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }} {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
resources:
{{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }} {{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.nextcloud }} replicaCount: {{ .Values.replicas.nextcloud }}

19
helmfile/apps/nextcloud/values-nextcloud.yaml
View File

@@ -20,6 +20,11 @@ cronjob:
- > - >
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
ingress: ingress:
annotations: annotations:
@@ -52,6 +57,20 @@ nextcloud:
{ {
"drawio": ["application/x-drawio"] "drawio": ["application/x-drawio"]
} }
podSecurityContext:
fsGroup: 33
seccompProfile:
type: "RuntimeDefault"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
- "SETGID"
- "SETUID"
# this is not documented but can be found in values.yaml # this is not documented but can be found in values.yaml
service: service:

51
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -3,39 +3,40 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# openDesk Dovecot # openDesk Dovecot
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
- name: "opendesk-dovecot-repo" - name: "dovecot-repo"
oci: true oci: {{ .Values.charts.dovecot.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.dovecot.verify }}
username: {{ .Values.charts.dovecot.username | quote }}
password: {{ .Values.charts.dovecot.password | quote }}
url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
# Open-Xchange # Open-Xchange
- name: "openxchange-repo" - name: "open-xchange-repo"
oci: true oci: {{ .Values.charts.openXchangeAppSuite.oci }}
url: >- username: {{ .Values.charts.openXchangeAppSuite.username | quote }}
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }} password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
# openDesk Open-Xchange Bootstrap # openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
- name: "opendesk-open-xchange-bootstrap-repo" - name: "open-xchange-bootstrap-repo"
oci: true oci: {{ .Values.charts.openXchangeAppSuiteBootstrap.oci }}
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
username: {{ .Values.charts.openXchangeAppSuiteBootstrap.username | quote }}
password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
releases: releases:
- name: "dovecot" - name: "dovecot"
chart: "opendesk-dovecot-repo/dovecot" chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
version: "1.3.6" version: "{{ .Values.charts.dovecot.version }}"
values: values:
- "values-dovecot.yaml" - "values-dovecot.yaml"
- "values-dovecot.gotmpl" - "values-dovecot.gotmpl"
@@ -43,8 +44,8 @@ releases:
timeout: 900 timeout: 900
- name: "open-xchange" - name: "open-xchange"
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector" chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
version: "2.1.1" version: "{{ .Values.charts.openXchangeAppSuite.version }}"
values: values:
- "values-openxchange.yaml" - "values-openxchange.yaml"
- "values-openxchange.gotmpl" - "values-openxchange.gotmpl"
@@ -54,8 +55,8 @@ releases:
timeout: 900 timeout: 900
- name: "opendesk-open-xchange-bootstrap" - name: "opendesk-open-xchange-bootstrap"
chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap" chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
version: "1.3.1" version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
values: values:
- "values-openxchange-bootstrap.gotmpl" - "values-openxchange-bootstrap.gotmpl"
installed: {{ .Values.oxAppsuite.enabled }} installed: {{ .Values.oxAppsuite.enabled }}

8
helmfile/apps/open-xchange/values-dovecot.gotmpl
View File

@@ -20,12 +20,12 @@ dovecot:
ldap: ldap:
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal" dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
host: {{ .Values.ldap.host | quote }} host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
oidc: oidc:
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }} introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect" introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
clientID: "as8oidc" clientID: "opendesk-dovecot"
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }} loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
certificate: certificate:

4
helmfile/apps/open-xchange/values-dovecot.yaml
View File

@@ -27,8 +27,8 @@ dovecot:
oidc: oidc:
enabled: true enabled: true
clientID: "as8oidc" clientID: "opendesk-dovecot"
usernameAttribute: "phoenixusername" usernameAttribute: "opendesk_username"
submission: submission:
enabled: true enabled: true

2
helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
View File

@@ -14,5 +14,5 @@ appsuite:
port: 389 port: 389
auth: auth:
adminDN: adminDN:
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
... ...

47
helmfile/apps/open-xchange/values-openxchange.gotmpl
View File

@@ -25,6 +25,8 @@ nextcloud-integration-ui:
{{- range .Values.global.imagePullSecrets }} {{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }} - name: {{ . | quote }}
{{- end }} {{- end }}
resources:
{{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
public-sector-ui: public-sector-ui:
image: image:
@@ -35,6 +37,8 @@ public-sector-ui:
- name: {{ . | quote }} - name: {{ . | quote }}
{{- end }} {{- end }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
appsuite: appsuite:
istio: istio:
@@ -62,34 +66,36 @@ appsuite:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}" repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }} tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
properties: properties:
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs" "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
"com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token" "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} "com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth" "com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
"com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth" "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
"com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token" "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
"com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs" "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
"com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }} "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
"com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout" "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
"com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
"com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
secretProperties: secretProperties:
com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }} com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }} com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }} com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
propertiesFiles: propertiesFiles:
"/opt/open-xchange/etc/ldapauth.properties": "/opt/open-xchange/etc/ldapauth.properties":
bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }} bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal" java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
uiSettings: uiSettings:
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/" "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/" "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
# Dynamic theme # Dynamic theme
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }} io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg" io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }} io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }} io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }} io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
@@ -119,6 +125,8 @@ appsuite:
{{- range .Values.global.imagePullSecrets }} {{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }} - name: {{ . | quote }}
{{- end }} {{- end }}
resources:
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
core-ui: core-ui:
imagePullSecrets: imagePullSecrets:
@@ -129,6 +137,8 @@ appsuite:
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }} repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }} tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
core-ui-middleware: core-ui-middleware:
ingress: ingress:
@@ -146,13 +156,18 @@ appsuite:
redis: redis:
auth: auth:
password: {{ .Values.secrets.redis.password | quote }} password: {{ .Values.secrets.redis.password | quote }}
resources:
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
updater:
resources:
{{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
core-documentconverter: core-documentconverter:
image: image:
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }} repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }} tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
resources: resources:
{{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }} {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
core-guidedtours: core-guidedtours:
imagePullSecrets: imagePullSecrets:
@@ -163,11 +178,15 @@ appsuite:
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }} repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }} tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
core-imageconverter: core-imageconverter:
image: image:
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }} repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }} tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
guard-ui: guard-ui:
imagePullSecrets: imagePullSecrets:
@@ -178,6 +197,8 @@ appsuite:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}" repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }} tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
core-user-guide: core-user-guide:
image: image:
@@ -188,4 +209,6 @@ appsuite:
{{- range .Values.global.imagePullSecrets }} {{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }} - name: {{ . | quote }}
{{- end }} {{- end }}
resources:
{{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
... ...

11
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -55,16 +55,16 @@ appsuite:
com.openexchange.oidc.startDefaultBackend: "true" com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.ssoLogout: "true" com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.userLookupNamePart: "full" com.openexchange.oidc.userLookupNamePart: "full"
com.openexchange.oidc.userLookupClaim: "phoenixusername" com.openexchange.oidc.userLookupClaim: "opendesk_username"
com.openexchange.oidc.clientId: "as8oidc" com.openexchange.oidc.clientId: "opendesk-oxappsuite"
# OAUTH # OAUTH
com.openexchange.oauth.provider.enabled: "true" com.openexchange.oauth.provider.enabled: "true"
com.openexchange.oauth.provider.contextLookupClaim: "context" com.openexchange.oauth.provider.contextLookupClaim: "context"
com.openexchange.oauth.provider.contextLookupNamePart: "full" com.openexchange.oauth.provider.contextLookupNamePart: "full"
com.openexchange.oauth.provider.mode: "expect_jwt" com.openexchange.oauth.provider.mode: "expect_jwt"
com.openexchange.oauth.provider.userLookupNamePart: "full" com.openexchange.oauth.provider.userLookupNamePart: "full"
com.openexchange.oauth.provider.userLookupClaim: "phoenixusername" com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
com.openexchange.authentication.oauth.clientId: "as8oidc" com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
# MAIL # MAIL
com.openexchange.mail.authType: "xoauth2" com.openexchange.mail.authType: "xoauth2"
com.openexchange.mail.loginSource: "mail" com.openexchange.mail.loginSource: "mail"
@@ -150,6 +150,9 @@ appsuite:
io.ox/core//coloredIcons: "false" io.ox/core//coloredIcons: "false"
# Mail templates # Mail templates
io.ox/core//features/templates: "true" io.ox/core//features/templates: "true"
# Contact Collector
io.ox/mail//contactCollectOnMailTransport: "true"
# io.ox/mail//contactCollectOnMailAccess: "true"
asConfig: asConfig:
default: default:

19
helmfile/apps/openproject-bootstrap/helmfile.yaml
View File

@@ -3,25 +3,22 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# openDesk OpenProject Bootstrap # openDesk OpenProject Bootstrap
# Source: Set when repo is managed on Open CoDE # Source: Set when repo is managed on Open CoDE
- name: "opendesk-openproject-bootstrap-repo" - name: "openproject-bootstrap-repo"
oci: true oci: {{ .Values.charts.openprojectBootstrap.oci }}
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.openprojectBootstrap.verify }}
username: {{ .Values.charts.openprojectBootstrap.username | quote }}
password: {{ .Values.charts.openprojectBootstrap.password | quote }}
url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
releases: releases:
- name: "opendesk-openproject-bootstrap" - name: "opendesk-openproject-bootstrap"
chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap" chart: "openproject-bootstrap-repo/{{ .Values.charts.openprojectBootstrap.name }}"
version: "1.2.1" version: "{{ .Values.charts.openprojectBootstrap.version }}"
wait: true wait: true
waitForJobs: true waitForJobs: true
values: values:

10
helmfile/apps/openproject-bootstrap/values.gotmpl
View File

@@ -4,18 +4,18 @@ SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
global: global:
domain: "{{ .Values.global.domain }}" domain: {{ .Values.global.domain | quote }}
hosts: hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }} {{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}" registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image: image:
registry: {{ .Values.global.imageRegistry }} registry: {{ .Values.global.imageRegistry }}
repository: "{{ .Values.images.openprojectBootstrap.repository }}" repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
tag: "{{ .Values.images.openprojectBootstrap.tag }}" tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
cleanup: cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}

14
helmfile/apps/openproject/helmfile.yaml
View File

@@ -3,20 +3,22 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# OpenProject # OpenProject
# Source: https://github.com/opf/helm-charts # Source: https://github.com/opf/helm-charts
- name: "openproject-repo" - name: "openproject-repo"
url: >- oci: {{ .Values.charts.openproject.oci }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
default "https://charts.openproject.org" }} verify: {{ .Values.charts.openproject.verify }}
username: {{ .Values.charts.openproject.username | quote }}
password: {{ .Values.charts.openproject.password | quote }}
url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
releases: releases:
- name: "openproject" - name: "openproject"
chart: "openproject-repo/openproject" chart: "openproject-repo/{{ .Values.charts.openproject.name }}"
version: "2.4.0" version: "{{ .Values.charts.openproject.version }}"
wait: true wait: true
waitForJobs: true waitForJobs: true
values: values:

29
helmfile/apps/openproject/values.gotmpl
View File

@@ -46,7 +46,10 @@ openproject:
mail: "openproject-admin@swp-domain.internal" mail: "openproject-admin@swp-domain.internal"
password_reset: "false" password_reset: "false"
password: {{ .Values.secrets.openproject.adminPassword | quote }} password: {{ .Values.secrets.openproject.adminPassword | quote }}
oidc:
authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
ingress: ingress:
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }} enabled: {{ .Values.ingress.enabled }}
@@ -56,18 +59,18 @@ ingress:
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
environment: environment:
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }} OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }} OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }} OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389" OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }} OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }} OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }} OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }} OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
@@ -76,10 +79,18 @@ environment:
OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }} OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}" OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }} OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}" {{ if ne .Values.objectstores.openproject.backend "aws" }}
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}" OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }} OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
{{ end }}
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
replicaCount: {{ .Values.replicas.openproject }} replicaCount: {{ .Values.replicas.openproject }}

30
helmfile/apps/openproject/values.yaml
View File

@@ -22,19 +22,23 @@ openproject:
oidc: oidc:
enabled: true enabled: true
provider: "keycloak" provider: "keycloak"
identifier: "openproject" identifier: "opendesk-openproject"
authorizationEndpoint: "/realms/souvap/protocol/openid-connect/auth" scope: "[openid,opendesk]"
tokenEndpoint: "/realms/souvap/protocol/openid-connect/token"
userinfoEndpoint: "/realms/souvap/protocol/openid-connect/userinfo"
scope: "[openid,phoenix]"
# seed will only be executed on initial installation # seed will only be executed on initial installation
seed_locale: "de" seed_locale: "de"
securityContext: containerSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false readOnlyRootFilesystem: true
runAsNonRoot: true
persistence: persistence:
enabled: false enabled: false
@@ -46,7 +50,7 @@ s3:
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/ # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
environment: environment:
OPENPROJECT_LOG__LEVEL: "info" OPENPROJECT_LOG__LEVEL: "info"
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername" OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username"
OPENPROJECT_LOGIN__REQUIRED: "true" OPENPROJECT_LOGIN__REQUIRED: "true"
OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true" OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak" OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -75,8 +79,12 @@ environment:
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn" OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
OPENPROJECT_ATTACHMENTS__STORAGE: "fog" OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
OPENPROJECT_FOG_DIRECTORY: "openproject"
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true" OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user" # Define an admin mapping from the claim
# The attribute mapping cannot currently be defined in the value
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
seederJob:
annotations:
intents.otterize.com/service-name: "openproject-seeder"
... ...

12
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -3,19 +3,19 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# OX Connector # OX Connector
- name: "ox-connector-repo" - name: "ox-connector-repo"
url: >- oci: {{ .Values.charts.oxConnector.oci }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | username: {{ .Values.charts.oxConnector.username | quote }}
default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }} password: {{ .Values.charts.oxConnector.password | quote }}
url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
releases: releases:
- name: "ox-connector" - name: "ox-connector"
chart: "ox-connector-repo/ox-connector" chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
version: "0.1.0-pre-jconde-listener-entrypoint-chaining" version: "{{ .Values.charts.oxConnector.version }}"
values: values:
- "values-oxconnector.yaml" - "values-oxconnector.yaml"
- "values-oxconnector.gotmpl" - "values-oxconnector.gotmpl"

2
helmfile/apps/provisioning/values-oxconnector.gotmpl
View File

@@ -26,7 +26,7 @@ oxConnector:
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1" oxDefaultContext: "1"
ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }} ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources: resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }} {{ .Values.resources.oxConnector | toYaml | nindent 2 }}

175
helmfile/apps/services/helmfile.yaml
View File

@@ -3,143 +3,194 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# openDesk Otterize
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
- name: "otterize-repo"
oci: {{ .Values.charts.otterize.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.otterize.verify }}
username: {{ .Values.charts.otterize.username | quote }}
password: {{ .Values.charts.otterize.password | quote }}
url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
# openDesk Certificates # openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
- name: "opendesk-certificates-repo" - name: "certificates-repo"
oci: true oci: {{ .Values.charts.certificates.oci }}
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.certificates.verify }}
username: {{ .Values.charts.certificates.username | quote }}
password: {{ .Values.charts.certificates.password | quote }}
url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
# openDesk PostgreSQL # openDesk PostgreSQL
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
- name: "postgresql-repo" - name: "postgresql-repo"
oci: true oci: {{ .Values.charts.postgresql.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.postgresql.verify }}
username: {{ .Values.charts.postgresql.username | quote }}
password: {{ .Values.charts.postgresql.password | quote }}
url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
# openDesk MariaDB # openDesk MariaDB
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb
- name: "mariadb-repo" - name: "mariadb-repo"
oci: true oci: {{ .Values.charts.mariadb.oci }}
url: >- keyring: "../../files/gpg-pubkeys/opencode.gpg"
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | verify: {{ .Values.charts.mariadb.verify }}
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }} username: {{ .Values.charts.mariadb.username | quote }}
verify: true password: {{ .Values.charts.mariadb.password | quote }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
# openDesk Postfix # openDesk Postfix
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
- name: "postfix-repo" - name: "postfix-repo"
oci: true oci: {{ .Values.charts.postfix.oci }}
url: >-
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.postfix.verify }}
username: {{ .Values.charts.postfix.username | quote }}
password: {{ .Values.charts.postfix.password | quote }}
url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
# openDesk Istio Resources # openDesk Istio Resources
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
- name: "istio-resources-repo" - name: "istio-resources-repo"
oci: true oci: {{ .Values.charts.istioResources.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.istioResources.verify }}
username: {{ .Values.charts.istioResources.username | quote }}
password: {{ .Values.charts.istioResources.password | quote }}
url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
# openDesk ClamAV # openDesk ClamAV
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
- name: "clamav-repo" - name: "clamav-repo"
oci: true oci: {{ .Values.charts.clamav.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.clamav.verify }}
username: {{ .Values.charts.clamav.username | quote }}
password: {{ .Values.charts.clamav.password | quote }}
url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
- name: "clamav-simple-repo"
oci: {{ .Values.charts.clamavSimple.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.clamavSimple.verify }}
username: {{ .Values.charts.clamavSimple.username | quote }}
password: {{ .Values.charts.clamavSimple.password | quote }}
url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
- name: "bitnami-repo" - name: "memcached-repo"
oci: true oci: {{ .Values.charts.memcached.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.memcached.verify }}
username: {{ .Values.charts.memcached.username | quote }}
password: {{ .Values.charts.memcached.password | quote }}
url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
- name: "redis-repo"
oci: {{ .Values.charts.redis.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.redis.verify }}
username: {{ .Values.charts.redis.username | quote }}
password: {{ .Values.charts.redis.password | quote }}
url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
- name: "minio-repo"
oci: {{ .Values.charts.minio.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.minio.verify }}
username: {{ .Values.charts.minio.username | quote }}
password: {{ .Values.charts.minio.password | quote }}
url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
releases: releases:
- name: "opendesk-otterize"
chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
version: "{{ .Values.charts.otterize.version }}"
values:
- "values-otterize.gotmpl"
installed: {{ .Values.security.otterizeIntents.enabled }}
- name: "opendesk-certificates" - name: "opendesk-certificates"
chart: "opendesk-certificates-repo/opendesk-certificates" chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
version: "2.1.0" version: "{{ .Values.charts.certificates.version }}"
values: values:
- "values-certificates.gotmpl" - "values-certificates.gotmpl"
installed: {{ .Values.certificates.enabled }} installed: {{ .Values.certificates.enabled }}
- name: "redis" - name: "redis"
chart: "bitnami-repo/redis" chart: "redis-repo/{{ .Values.charts.redis.name }}"
version: "18.1.2" version: "{{ .Values.charts.redis.version }}"
values: values:
- "values-redis.gotmpl" - "values-redis.gotmpl"
- "values-redis.yaml" - "values-redis.yaml"
installed: {{ .Values.redis.enabled }} installed: {{ .Values.redis.enabled }}
- name: "memcached" - name: "memcached"
chart: "bitnami-repo/memcached" chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
version: "6.6.2" version: "{{ .Values.charts.memcached.version }}"
values: values:
- "values-memcached.yaml" - "values-memcached.yaml"
- "values-memcached.gotmpl" - "values-memcached.gotmpl"
installed: {{ .Values.memcached.enabled }} installed: {{ .Values.memcached.enabled }}
- name: "postgresql" - name: "postgresql"
chart: "postgresql-repo/postgresql" chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
version: "2.0.3" version: "{{ .Values.charts.postgresql.version }}"
values: values:
- "values-postgresql.yaml" - "values-postgresql.yaml"
- "values-postgresql.gotmpl" - "values-postgresql.gotmpl"
installed: {{ .Values.postgresql.enabled }} installed: {{ .Values.postgresql.enabled }}
timeout: 900 timeout: 900
- name: "mariadb" - name: "mariadb"
chart: "mariadb-repo/mariadb" chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
version: "2.1.1" version: "{{ .Values.charts.mariadb.version }}"
values: values:
- "values-mariadb.yaml" - "values-mariadb.yaml"
- "values-mariadb.gotmpl" - "values-mariadb.gotmpl"
installed: {{ .Values.mariadb.enabled }} installed: {{ .Values.mariadb.enabled }}
timeout: 900 timeout: 900
- name: "postfix" - name: "postfix"
chart: "postfix-repo/postfix" chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
version: "2.0.4" version: "{{ .Values.charts.postfix.version }}"
values: values:
- "values-postfix.yaml" - "values-postfix.yaml"
- "values-postfix.gotmpl" - "values-postfix.gotmpl"
installed: {{ .Values.postfix.enabled }} installed: {{ .Values.postfix.enabled }}
- name: "clamav" - name: "clamav"
chart: "clamav-repo/opendesk-clamav" chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
version: "4.0.0" version: "{{ .Values.charts.clamav.version }}"
values: values:
- "values-clamav-distributed.yaml" - "values-clamav-distributed.yaml"
- "values-clamav-distributed.gotmpl" - "values-clamav-distributed.gotmpl"
installed: {{ .Values.clamavDistributed.enabled }} installed: {{ .Values.clamavDistributed.enabled }}
- name: "clamav-simple" - name: "clamav-simple"
chart: "clamav-repo/clamav-simple" chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
version: "4.0.0" version: "{{ .Values.charts.clamavSimple.version }}"
values: values:
- "values-clamav-simple.yaml" - "values-clamav-simple.yaml"
- "values-clamav-simple.gotmpl" - "values-clamav-simple.gotmpl"
installed: {{ .Values.clamavSimple.enabled }} installed: {{ .Values.clamavSimple.enabled }}
- name: "opendesk-gateway" - name: "opendesk-gateway"
chart: "istio-resources-repo/istio-gateway" chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
version: "2.0.0" version: "{{ .Values.charts.istioResources.version }}"
values: values:
- "values-istio-gateway.yaml" - "values-istio-gateway.yaml"
- "values-istio-gateway.gotmpl" - "values-istio-gateway.gotmpl"
installed: {{ .Values.istio.enabled }} installed: {{ .Values.istio.enabled }}
- name: "minio" - name: "minio"
chart: "bitnami-repo/minio" chart: "minio-repo/{{ .Values.charts.minio.name }}"
version: "12.8.19" version: "{{ .Values.charts.minio.version }}"
values: values:
- "values-minio.yaml" - "values-minio.yaml"
- "values-minio.gotmpl" - "values-minio.gotmpl"

3
helmfile/apps/services/values-mariadb.gotmpl
View File

@@ -8,6 +8,9 @@ global:
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image: image:
repository: {{ .Values.images.mariadb.repository | quote }} repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }} tag: {{ .Values.images.mariadb.tag | quote }}

54
helmfile/apps/services/values-otterize.gotmpl Normal file
View File

@@ -0,0 +1,54 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
apps:
clamavDistributed:
enabled: {{ .Values.clamavDistributed.enabled }}
clamavSimple:
enabled: {{ .Values.clamavSimple.enabled }}
collabora:
enabled: {{ .Values.collabora.enabled }}
cryptpad:
enabled: {{ .Values.cryptpad.enabled }}
dovecot:
enabled: {{ .Values.dovecot.enabled }}
element:
enabled: {{ .Values.element.enabled }}
intercom:
enabled: {{ .Values.intercom.enabled }}
jitsi:
enabled: {{ .Values.jitsi.enabled }}
keycloak:
enabled: {{ .Values.keycloak.enabled }}
mariadb:
enabled: {{ .Values.mariadb.enabled }}
memcached:
enabled: {{ .Values.memcached.enabled }}
minio:
enabled: {{ .Values.minio.enabled }}
nextcloud:
enabled: {{ .Values.nextcloud.enabled }}
openproject:
enabled: {{ .Values.openproject.enabled }}
oxAppsuite:
enabled: {{ .Values.oxAppsuite.enabled }}
oxConnector:
enabled: {{ .Values.oxConnector.enabled }}
postfix:
enabled: {{ .Values.postfix.enabled }}
postgresql:
enabled: {{ .Values.postgresql.enabled }}
redis:
enabled: {{ .Values.redis.enabled }}
univentionManagementStack:
enabled: {{ .Values.univentionManagementStack.enabled }}
xwiki:
enabled: {{ .Values.xwiki.enabled }}
extraApps:
clusterPostfix:
enabled: {{ .Values.security.clusterPostfix.enabled }}
namespace: {{ .Values.security.clusterPostfix.namespace }}
...

2
helmfile/apps/services/values-postfix.gotmpl
View File

@@ -24,7 +24,7 @@ postfix:
- fileName: "sasl_passwd.map" - fileName: "sasl_passwd.map"
content: content:
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }} - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }} relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}} relayNets: {{ .Values.cluster.networking.cidr | quote}}
virtualTransport: "lmtps:dovecot:24" virtualTransport: "lmtps:dovecot:24"
smtpdSASLPath: "inet:dovecot:3659" smtpdSASLPath: "inet:dovecot:3659"

6
helmfile/apps/services/values-postgresql.gotmpl
View File

@@ -24,7 +24,9 @@ job:
- username: "matrix_user" - username: "matrix_user"
password: {{ .Values.secrets.postgresql.matrixUser | quote }} password: {{ .Values.secrets.postgresql.matrixUser | quote }}
- username: "notificationsapi_user" - username: "notificationsapi_user"
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }} password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- username: "selfservice_user"
password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
databases: databases:
- name: "keycloak" - name: "keycloak"
user: "keycloak_user" user: "keycloak_user"
@@ -37,6 +39,8 @@ job:
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0" additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
- name: "notificationsapi" - name: "notificationsapi"
user: "notificationsapi_user" user: "notificationsapi_user"
- name: "selfservice"
user: "selfservice_user"
persistence: persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

32
helmfile/apps/univention-corporate-container/helmfile.yaml
View File

@@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Univention Corporate Server (as eval Container)
- name: "univention-corporate-container-repo"
oci: true
# yamllint disable rule:line-length
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
# yamllint enable rule:line-length
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
releases:
- name: "univention-corporate-container"
chart: "univention-corporate-container-repo/univention-corporate-container"
version: "1.0.10"
values:
- "values.yaml"
- "values.gotmpl"
installed: {{ .Values.univentionCorporateServer.enabled }}
commonLabels:
deploy-stage: "component-1"
component: "univention-corporate-container"
...

68
helmfile/apps/univention-corporate-container/values.gotmpl
View File

@@ -1,68 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
ingress:
host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
extraEnvVars:
- name: ISTIO_DOMAIN
value: {{ .Values.istio.domain | quote }}
- name: CENTRALNAVIGATION_API_SECRET
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: LDAPSEARCH_OX_USERNAME
value: "ldapsearch_ox"
- name: LDAPSEARCH_OX_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
- name: LDAPSEARCH_DOVECOT_USERNAME
value: "ldapsearch_dovecot"
- name: LDAPSEARCH_DOVECOT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
- name: LDAPSEARCH_KEYCLOAK_USERNAME
value: "ldapsearch_keycloak"
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
value: "ldapsearch_nextcloud"
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
- name: LDAPSEARCH_OPENPROJECT_USERNAME
value: "ldapsearch_openproject"
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
- name: LDAPSEARCH_XWIKI_USERNAME
value: "ldapsearch_xwiki"
- name: LDAPSEARCH_XWIKI_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
- name: DEFAULT_ACCOUNT_USER_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
resources:
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
...

239
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -3,137 +3,270 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# Univention Management Stack # Univention Management Stack
- name: "ums-repo" - name: "ums-store-dav-repo"
url: >- oci: {{ .Values.charts.umsStoreDav.oci }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | username: {{ .Values.charts.umsStoreDav.username | quote }}
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }} password: {{ .Values.charts.umsStoreDav.password | quote }}
url: "{{ .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
- name: "ums-ldap-server-repo"
oci: {{ .Values.charts.umsLdapServer.oci }}
username: {{ .Values.charts.umsLdapServer.username | quote }}
password: {{ .Values.charts.umsLdapServer.password | quote }}
url: "{{ .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
- name: "ums-ldap-notifier-repo"
oci: {{ .Values.charts.umsLdapNotifier.oci }}
username: {{ .Values.charts.umsLdapNotifier.username | quote }}
password: {{ .Values.charts.umsLdapNotifier.password | quote }}
url: "{{ .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
- name: "ums-udm-rest-api-repo"
oci: {{ .Values.charts.umsUdmRestApi.oci }}
username: {{ .Values.charts.umsUdmRestApi.username | quote }}
password: {{ .Values.charts.umsUdmRestApi.password | quote }}
url: "{{ .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
- name: "ums-stack-data-ums-repo"
oci: {{ .Values.charts.umsStackDataUms.oci }}
username: {{ .Values.charts.umsStackDataUms.username | quote }}
password: {{ .Values.charts.umsStackDataUms.password | quote }}
url: "{{ .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
- name: "ums-stack-data-swp-repo"
oci: {{ .Values.charts.umsStackDataSwp.oci }}
username: {{ .Values.charts.umsStackDataSwp.username | quote }}
password: {{ .Values.charts.umsStackDataSwp.password | quote }}
url: "{{ .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
- name: "ums-portal-server-repo"
oci: {{ .Values.charts.umsPortalServer.oci }}
username: {{ .Values.charts.umsPortalServer.username | quote }}
password: {{ .Values.charts.umsPortalServer.password | quote }}
url: "{{ .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
- name: "ums-notifications-api-repo"
oci: {{ .Values.charts.umsNotificationsApi.oci }}
username: {{ .Values.charts.umsNotificationsApi.username | quote }}
password: {{ .Values.charts.umsNotificationsApi.password | quote }}
url: "{{ .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
- name: "ums-portal-listener-repo"
oci: {{ .Values.charts.umsPortalListener.oci }}
username: {{ .Values.charts.umsPortalListener.username | quote }}
password: {{ .Values.charts.umsPortalListener.password | quote }}
url: "{{ .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
- name: "ums-portal-frontend-repo"
oci: {{ .Values.charts.umsPortalFrontend.oci }}
username: {{ .Values.charts.umsPortalFrontend.username | quote }}
password: {{ .Values.charts.umsPortalFrontend.password | quote }}
url: "{{ .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
- name: "ums-umc-gateway-repo"
oci: {{ .Values.charts.umsUmcGateway.oci }}
username: {{ .Values.charts.umsUmcGateway.username | quote }}
password: {{ .Values.charts.umsUmcGateway.password | quote }}
url: "{{ .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
- name: "ums-umc-server-repo"
oci: {{ .Values.charts.umsUmcServer.oci }}
username: {{ .Values.charts.umsUmcServer.username | quote }}
password: {{ .Values.charts.umsUmcServer.password | quote }}
url: "{{ .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
- name: "ums-selfservice-listener-repo"
oci: {{ .Values.charts.umsSelfserviceListener.oci }}
username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
# Univention Keycloak Extensions
- name: "ums-keycloak-extensions-repo"
oci: {{ .Values.charts.umsKeycloakExtensions.oci }}
username: {{ .Values.charts.umsKeycloakExtensions.username | quote }}
password: {{ .Values.charts.umsKeycloakExtensions.password | quote }}
url: "{{ .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
# Univention Keycloak
- name: "ums-keycloak-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloak.verify }}
oci: {{ .Values.charts.umsKeycloak.oci }}
username: {{ .Values.charts.umsKeycloak.username | quote }}
password: {{ .Values.charts.umsKeycloak.password | quote }}
url: "{{ .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
- name: "ums-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
oci: {{ .Values.charts.umsKeycloakBootstrap.oci }}
username: {{ .Values.charts.umsKeycloakBootstrap.username | quote }}
password: {{ .Values.charts.umsKeycloakBootstrap.password | quote }}
url: "{{ .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
- name: "opendesk-keycloak-bootstrap-repo"
oci: {{ .Values.charts.opendeskKeycloakBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
username: {{ .Values.charts.opendeskKeycloakBootstrap.username | quote }}
password: {{ .Values.charts.opendeskKeycloakBootstrap.password | quote }}
url: "{{ .Values.charts.opendeskKeycloakBootstrap.registry }}/\
{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
- name: "bitnami-repo" - name: "nginx-repo"
oci: true oci: {{ .Values.charts.nginx.oci }}
url: >-
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
verify: true
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nginx.verify }}
username: {{ .Values.charts.nginx.username | quote }}
password: {{ .Values.charts.nginx.password | quote }}
url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
releases: releases:
# TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution - name: "ums-keycloak"
# {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }} chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}"
version: "{{ .Values.charts.umsKeycloak.version }}"
values:
- "values-ums-keycloak.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-keycloak-extensions"
chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}"
version: "{{ .Values.charts.umsKeycloakExtensions.version }}"
values:
- "values-ums-keycloak-extensions.yaml.gotmpl"
needs:
- "ums-keycloak"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-keycloak-bootstrap"
chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
version: "{{ .Values.charts.umsKeycloakBootstrap.version }}"
values:
- "values-ums-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums-keycloak"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
values:
- "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums-keycloak-bootstrap"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-gateway" - name: "ums-stack-gateway"
chart: "bitnami-repo/nginx" chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "15.3.5" version: "{{ .Values.charts.nginx.version }}"
values: values:
- "values-ums-stack-gateway.gotmpl" - "values-ums-stack-gateway.gotmpl"
- "values-ums-stack-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
# {{- end }}
- name: "ums-store-dav" - name: "ums-store-dav"
chart: "ums-repo/store-dav" chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
version: "0.5.2" version: "{{ .Values.charts.umsStoreDav.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-store-dav.gotmpl" - "values-store-dav.gotmpl"
- "values-store-dav.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-server" - name: "ums-ldap-server"
chart: "ums-repo/ldap-server" chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "0.7.0" version: "{{ .Values.charts.umsLdapServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-ldap-server.gotmpl" - "values-ldap-server.gotmpl"
- "values-ldap-server.yaml" - "values-ldap-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-ldap-notifier" - name: "ums-ldap-notifier"
chart: "ums-repo/ldap-notifier" chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "0.7.0" version: "{{ .Values.charts.umsLdapNotifier.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-ldap-notifier.gotmpl" - "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml" - "values-ldap-notifier.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-udm-rest-api" - name: "ums-udm-rest-api"
chart: "ums-repo/udm-rest-api" chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "0.3.5" version: "{{ .Values.charts.umsUdmRestApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-udm-rest-api.gotmpl" - "values-udm-rest-api.gotmpl"
- "values-udm-rest-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-ums" - name: "ums-stack-data-ums"
chart: "ums-repo/stack-data-ums" chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "0.33.0" version: "{{ .Values.charts.umsStackDataUms.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-stack-data-ums.gotmpl" - "values-stack-data-ums.gotmpl"
- "values-stack-data-ums.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-stack-data-swp" - name: "ums-stack-data-swp"
chart: "ums-repo/stack-data-swp" chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "0.33.0" version: "{{ .Values.charts.umsStackDataSwp.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-stack-data-swp.gotmpl" - "values-stack-data-swp.gotmpl"
- "values-stack-data-swp.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-server" - name: "ums-portal-server"
chart: "ums-repo/portal-server" chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "0.4.3" version: "{{ .Values.charts.umsPortalServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-portal-server.gotmpl" - "values-portal-server.gotmpl"
- "values-portal-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-notifications-api" - name: "ums-notifications-api"
chart: "ums-repo/notifications-api" chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "0.4.3" version: "{{ .Values.charts.umsNotificationsApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-notifications-api.gotmpl" - "values-notifications-api.gotmpl"
- "values-notifications-api.yaml" - "values-notifications-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-listener" - name: "ums-portal-listener"
chart: "ums-repo/portal-listener" chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "0.4.3" version: "{{ .Values.charts.umsPortalListener.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-portal-listener.gotmpl" - "values-portal-listener.gotmpl"
- "values-portal-listener.yaml" - "values-portal-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend" - name: "ums-portal-frontend"
chart: "ums-repo/portal-frontend" chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "0.4.3" version: "{{ .Values.charts.umsPortalFrontend.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-portal-frontend.gotmpl" - "values-portal-frontend.gotmpl"
- "values-portal-frontend.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-portal-frontend-custom"
# TODO: Replace with our own Nginx chart.
chart: "bitnami-repo/nginx"
version: "15.3.5"
values:
- "values-portal-frontend-custom.yaml"
- "values-portal-frontend-custom.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-gateway" - name: "ums-umc-gateway"
chart: "ums-repo/umc-gateway" chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "0.5.1" version: "{{ .Values.charts.umsUmcGateway.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
- "values-umc-gateway.gotmpl" - "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-umc-server" - name: "ums-umc-server"
chart: "ums-repo/umc-server" chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "0.5.1" version: "{{ .Values.charts.umsUmcServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.gotmpl"
- "values-common.yaml" - "values-common.yaml"
@@ -141,6 +274,16 @@ releases:
- "values-umc-server.yaml" - "values-umc-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
- name: "ums-selfservice-listener"
chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values:
- "values-common.gotmpl"
- "values-common.yaml"
- "values-selfservice-listener.gotmpl"
- "values-selfservice-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }}
commonLabels: commonLabels:
deploy-stage: "component-1" deploy-stage: "component-1"
component: "univention-management-stack" component: "univention-management-stack"

8
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -4,11 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
ingress: ingress:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }} host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: {{ .Values.ingress.ingressClassName | quote }} ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
... ...

13
helmfile/apps/univention-management-stack/values-common.yaml
View File

@@ -6,5 +6,18 @@ global:
configMapUcr: "ums-stack-data-swp-ucr" configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null configMapUcrForced: null
ingress:
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
istio: istio:
enabled: false enabled: false
...

8
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
View File

@@ -7,4 +7,12 @@ volumes:
shared-data: "shared-data-ums-ldap-server-0" shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0" shared-run: "shared-run-ums-ldap-server-0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

19
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
--- ---
ldapServer: ldapServer:
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal" ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
waitForSamlMetadata: true
# TODO: Certificates handling
# caCert: ""
# certPem: ""
# privateKey: ""
# dhParam: ""
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
@@ -26,12 +18,11 @@ image:
{{- end }} {{- end }}
waitForDependency: waitForDependency:
registry: "{{ .Values.global.imageRegistry }}" registry: {{ .Values.global.imageRegistry | quote }}
repository: "{{ .Values.images.umsWaitForDependency.repository }}" repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: "Always" imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: "{{ .Values.images.umsWaitForDependency.tag }}" tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #199
persistence: persistence:
data: data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}

24
helmfile/apps/univention-management-stack/values-ldap-server.yaml
View File

@@ -2,6 +2,9 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
ldapServer:
waitForSamlMetadata: true
service: service:
type: "ClusterIP" type: "ClusterIP"
@@ -27,4 +30,25 @@ extraVolumeMounts:
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema" mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema" subPath: "opendeskProjectmanagement.schema"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

10
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
View File

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
postgresql: postgresql:
bundled: false bundled: false
connection: connection:
host: "postgresql" host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: 5432 port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth: auth:
username: "notificationsapi_user" username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: "notificationsapi" database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }} password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
image: image:
registry: {{ .Values.global.imageRegistry }} registry: {{ .Values.global.imageRegistry }}

8
helmfile/apps/univention-management-stack/values-notifications-api.yaml
View File

@@ -9,4 +9,12 @@ notificationsapi:
sql_echo: "False" sql_echo: "False"
api_prefix: "/univention/portal/notifications-api" api_prefix: "/univention/portal/notifications-api"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

320
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl Normal file
View File

@@ -0,0 +1,320 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: "{{ .Values.global.domain }}"
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: "{{ .Values.global.imageRegistry }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: "{{ .Values.global.imageRegistry }}"
repository: "{{ .Values.images.opendeskKeycloakBootstrap.repository }}"
tag: "{{ .Values.images.opendeskKeycloakBootstrap.tag }}"
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
custom:
clientScopes:
- name: "read_contacts"
protocol: "openid-connect"
- name: "write_contacts"
protocol: "openid-connect"
- name: "opendesk"
protocol: "openid-connect"
protocolMappers:
- name: "opendesk_useruuid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_useruuid"
jsonType.label: "String"
- name: "opendesk_username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "opendesk_username"
jsonType.label: "String"
clients:
- name: "opendesk-dovecot"
clientId: "opendesk-dovecot"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: false
defaultClientScopes:
- "opendesk"
- name: "opendesk-intercom"
clientId: "opendesk-intercom"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
protocolMappers:
- name: "intercom-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "opendesk-intercom"
id.token.claim: false
access.token.claim: true
# temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
# it to `opendesk_useruuid` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
- name: "entryuuid_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "entryUUID"
id.token.claim: true
access.token.claim: true
claim.name: "entryuuid"
jsonType.label: "String"
# temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
# set it to `opendesk_username` standard claim. For reference:
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
- name: "phoenixusername_temp"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "phoenixusername"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "offline_access"
- name: "opendesk-jitsi"
clientId: "opendesk-jitsi"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: true
fullScopeAllowed: true
defaultClientScopes:
- "opendesk"
- "profile"
- name: "opendesk-matrix"
clientId: "opendesk-matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
optionalClientScopes:
- "email"
- "profile"
# This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
# is solved and also is able to use "opendesk-matrix" we keep that dummy client that
- name: "matrix"
clientId: "matrix"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
standardFlowEnabled: true
directAccessGrantsEnabled: true
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
- name: "opendesk-nextcloud"
clientId: "opendesk-nextcloud"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "read_contacts"
- "write_contacts"
- name: "opendesk-openproject"
clientId: "opendesk-openproject"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
serviceAccountsEnabled: true
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "opendeskProjectmanagementAdmin"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "opendeskProjectmanagementAdmin"
id.token.claim: true
access.token.claim: true
claim.name: "openproject_admin"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "email"
- "profile"
- name: "opendesk-oxappsuite"
clientId: "opendesk-oxappsuite"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "oxContextIDNum"
id.token.claim: true
access.token.claim: true
claim.name: "context"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "read_contacts"
- "write_contacts"
- name: "opendesk-xwiki"
clientId: "opendesk-xwiki"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
publicClient: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
- "address"
- "email"
- "profile"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
resources:
{{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
...

53
helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl
View File

@@ -1,53 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: true
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
ingressClassName: "nginx"
annotations:
nginx.org/mergeable-ingress-type: "minion"
tls: false
pathType: Exact
path: /favicon.ico
extraPaths:
- pathType: Exact
path: /univention/portal/css/custom.css
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/icons/logo_small_border.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.png
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
- pathType: Exact
path: /univention/portal/custom/portal_background_image.svg
backend:
service:
name: ums-portal-frontend-custom-nginx
port:
name: http
...

33
helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml
View File

@@ -1,33 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
service:
type: "ClusterIP"
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/app/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/app/univention/portal/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
...

6
helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
View File

@@ -14,13 +14,7 @@ image:
{{- end }} {{- end }}
extraIngresses: extraIngresses:
redirects:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master: master:
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
tls: tls:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}

93
helmfile/apps/univention-management-stack/values-portal-frontend.yaml Normal file
View File

@@ -0,0 +1,93 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraIngresses:
redirects:
# Using "stack-gateway" currently.
enabled: false
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
# Using "stack-gateway" currently.
enabled: false
# See "extraVolumeMounts" below
custom-favicon:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.org/mergeable-ingress-type: "minion"
paths:
- pathType: "Exact"
path: "/favicon.ico"
tls: {}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: "Prefix"
path: "/univention/portal/icons/"
- pathType: "Prefix"
path: "/univention/portal/custom/"
tls: {}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

22
helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
View File

@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
portalListener: portalListener:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal" adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
environment: "staging" assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
debugLevel: "4" ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
ldapBaseDn: "dc=swp-ldap,dc=internal" ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: "{{ .Values.ldap.host }}" ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal" ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }} notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal" portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/" udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin" udmApiUsername: "cn=admin"
tlsMode: "off"
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
@@ -37,10 +32,9 @@ image:
waitForDependency: waitForDependency:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }} repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: "Always" imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }} tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
# TODO: Pending upstream support, #200
persistence: persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }} size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}

28
helmfile/apps/univention-management-stack/values-portal-listener.yaml
View File

@@ -2,7 +2,35 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
portalListener:
debugLevel: "4"
tlsMode: "off"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
store-dav: store-dav:
bundled: false bundled: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

11
helmfile/apps/univention-management-stack/values-portal-server.gotmpl
View File

@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
portalServer: portalServer:
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal" adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
authMode: "saml" ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
environment: "staging"
editable: "false"
logLevel: "DEBUG"
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation: centralNavigation:
enabled: true
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }} authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
image: image:

34
helmfile/apps/univention-management-stack/values-portal-server.yaml Normal file
View File

@@ -0,0 +1,34 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
portalServer:
authMode: "saml"
editable: "false"
logLevel: "DEBUG"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
centralNavigation:
enabled: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

48
helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl Normal file
View File

@@ -0,0 +1,48 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
selfserviceListener:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
selfserviceListener:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
selfserviceInvitation:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
resources:
{{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
...

31
helmfile/apps/univention-management-stack/values-selfservice-listener.yaml Normal file
View File

@@ -0,0 +1,31 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
selfserviceListener:
debugLevel: "4"
tlsMode: "off"
umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

34
helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
View File

@@ -4,31 +4,31 @@ SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
stackDataSwp: stackDataSwp:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext: stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
ldapSearchUsers: ldapSearchUsers:
{{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }} {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $k | quote }} - username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $v | quote }} password: {{ $password | quote }}
lastname: {{ "LDAP-Search-User" }} lastname: "LDAP-Search-User"
{{- end }} {{- end }}
externalDomainName: "{{ .Values.global.domain }}" externalDomainName: {{ .Values.global.domain | quote }}
externalMailDomain: "{{ .Values.global.domain }}" externalMailDomain: {{ .Values.global.domain | quote }}
portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}" portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}" portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}" portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
oxDefaultContext: "10" smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUser: {{ .Values.smtp.username | quote }}
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }} userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }} adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}

25
helmfile/apps/univention-management-stack/values-stack-data-swp.yaml Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataSwp:
udmApiUser: "cn=admin"
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
oxDefaultContext: "1"
smtpStartTls: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

32
helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
View File

@@ -4,32 +4,22 @@ SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
stackDataUms: stackDataUms:
udmApiUser: "cn=admin"
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
stackDataContext: stackDataContext:
domainname: "{{ .Values.global.domain }}" domainname: {{ .Values.global.domain | quote }}
externalMailDomain: "{{ .Values.global.domain }}" externalMailDomain: {{ .Values.global.domain | quote }}
hostname: "{{ .Values.global.hosts.univentionManagementStack }}" hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: "{{ .Values.ldap.host }}" ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: "dc=swp-ldap,dc=internal" ldapBase: {{ .Values.ldap.baseDn | quote }}
# TODO: This should not be required, the machine account is not there ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor" idpSamlMetadataUrl: {{ printf "https://%s.%s/%s/%s/%s" .Values.global.hosts.keycloak .Values.global.domain "realms" .Values.platform.realm "protocol/saml/descriptor" | quote }}
idpSamlMetadataUrlInternal: null umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
umcSamlSchemes: "https" ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}" initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
# The SWP configuration brings its own UMC policies.
installUmcPolicies: false
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}

26
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml Normal file
View File

@@ -0,0 +1,26 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
stackDataUms:
loadDevData: true
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

2
helmfile/apps/univention-management-stack/values-store-dav.gotmpl
View File

@@ -21,7 +21,6 @@ image:
configHtpasswd: configHtpasswd:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }} repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
pullPolicy: "Always"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }} tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
pullSecrets: pullSecrets:
@@ -29,7 +28,6 @@ image:
- name: {{ . | quote }} - name: {{ . | quote }}
{{- end }} {{- end }}
# TODO: Pending upstream support, #201
persistence: persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }} size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}

24
helmfile/apps/univention-management-stack/values-store-dav.yaml Normal file
View File

@@ -0,0 +1,24 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

7
helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
View File

@@ -7,12 +7,7 @@ udmRestApi:
# TODO: Secret should be entered without b64enc # TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }} ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc # TODO: Secret should be entered without b64enc
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}" machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Stub value currently
caCert: ""
# TODO: This should not be part of the udm-rest-api anymore
loadJoinData:
enabled: true
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}

41
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml Normal file
View File

@@ -0,0 +1,41 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
udmRestApi:
# TODO: Stub value currently
caCert: ""
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
extraVolumeMounts:
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

13
helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
View File

@@ -3,19 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0 SPDX-License-Identifier: Apache-2.0
*/}} */}}
--- ---
umcGateway:
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }} repository: {{ .Values.images.umsUmcGateway.repository | quote }}

44
helmfile/apps/univention-management-stack/values-umc-gateway.yaml Normal file
View File

@@ -0,0 +1,44 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
- name: "announcements-customization"
mountPath:
"/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

15
helmfile/apps/univention-management-stack/values-umc-server.gotmpl
View File

@@ -9,6 +9,21 @@ umcServer:
# TODO: Secret should be entered without b64enc # TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }} machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
smtpSecret: {{ .Values.smtp.password | quote }}
postgresql:
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
memcached:
server: {{ .Values.cache.umsSelfservice.host | quote }}
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }} repository: {{ .Values.images.umsUmcServer.repository | quote }}

45
helmfile/apps/univention-management-stack/values-umc-server.yaml
View File

@@ -17,6 +17,13 @@ extraVolumes:
configMap: configMap:
name: "ums-stack-data-swp-self-service-emails" name: "ums-stack-data-swp-self-service-emails"
defaultMode: 0444 defaultMode: 0444
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts: extraVolumeMounts:
- name: "certificates" - name: "certificates"
@@ -26,5 +33,43 @@ extraVolumeMounts:
subPath: "90-customization.sh" subPath: "90-customization.sh"
- name: "self-service-emails" - name: "self-service-emails"
mountPath: "/usr/share/univention-self-service/email_bodies" mountPath: "/usr/share/univention-self-service/email_bodies"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
- name: "announcements-customization"
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
subPath: "udm-portals-announcement.xml"
postgresql:
bundled: false
memcached:
bundled: false
auth:
username: null
password: null
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

80
helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl Normal file
View File

@@ -0,0 +1,80 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
loginLinks:
- link_number: 1
language: "de"
description: "Passwort vergessen?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
- link_number: 1
language: "en"
description: "Forgot password?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
ums:
ldap:
internalHostname: {{ .Values.ldap.host | quote }}
baseDN: {{ .Values.ldap.baseDn | quote }}
readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
mappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
saml:
serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
twoFactorAuthentication:
enabled: true
group: "2fa-users"
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
...

52
helmfile/apps/keycloak/values-extensions.gotmpl → helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
View File

@@ -5,7 +5,11 @@ SPDX-License-Identifier: Apache-2.0
--- ---
global: global:
keycloak: keycloak:
host: "ums-keycloak:8080"
adminUsername: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }} adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
adminRealm: "master"
realm: {{ .Values.platform.realm | quote }}
postgresql: postgresql:
connection: connection:
host: {{ .Values.databases.keycloakExtension.host | quote }} host: {{ .Values.databases.keycloakExtension.host | quote }}
@@ -17,29 +21,65 @@ global:
handler: handler:
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }} repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }} tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
appConfig: appConfig:
captchaProtectionEnable: false
smtpPassword: {{ .Values.smtp.password | quote }} smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: {{ .Values.smtp.host | quote }} smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUsername: {{ .Values.smtp.username | quote }} smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}" mailFrom: "noreply@{{ .Values.global.domain }}"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
resources: resources:
{{ .Values.resources.keycloakExtension | toYaml | nindent 4 }} {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
postgresql:
enabled: false
proxy: proxy:
image: image:
registry: {{ .Values.global.imageRegistry | quote }} registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }} repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }} tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress: ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
paths:
- pathType: "Prefix"
path: "/realms"
- pathType: "Prefix"
path: "/resources"
- pathType: "Prefix"
path: "/fingerprintjs"
enabled: {{ .Values.ingress.enabled }} enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }} ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls: tls:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
resources: resources:
{{ .Values.resources.keycloakProxy | toYaml | nindent 4 }} {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
... ...

56
helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl Normal file
View File

@@ -0,0 +1,56 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.umsKeycloak.repository | quote }}
tag: {{ .Values.images.umsKeycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
config:
admin:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
database:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
theme:
univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
...

172
helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
View File

@@ -3,171 +3,11 @@
--- ---
ingress: ingress:
enabled: true enabled: {{ .Values.ingress.enabled }}
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}" ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls: false
extraTls: extraTls:
- hosts: - hosts:
- "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: "{{ .Values.ingress.tls.secretName }}" secretName: {{ .Values.ingress.tls.secretName | quote }}
...
service:
type: "ClusterIP"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
## portal-frontend
# The frontend does not own "/univention/portal", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
proxy_set_header X-Forwarded-Host $host;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload/ {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
}

258
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml Normal file
View File

@@ -0,0 +1,258 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
tls: false
service:
type: "ClusterIP"
fullnameOverride: "ums-stack-gateway"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
## portal-frontend
# The frontend does not own "/univention/portal" nor
# "/univention/selfservice", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/selfservice/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/css/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/fonts/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/i18n/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/media/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/js/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/oidc/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/selfservice {
absolute_redirect off;
return 302 /univention/selfservice/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/selfservice/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## store-dav
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/selfservice/icons/entries/ {
rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
location /univention/selfservice/icons/logos/ {
rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
proxy_pass http://ums-store-dav:80;
}
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/logout {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/get {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
}
podSecurityContext:
enabled: true
fsGroup: 1001
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
...

12
helmfile/apps/xwiki/helmfile.yaml
View File

@@ -3,20 +3,20 @@
--- ---
bases: bases:
- "../../bases/environments.yaml" - "../../bases/environments.yaml"
--- ---
repositories: repositories:
# XWiki # XWiki
# Source: https://github.com/xwiki-contrib/xwiki-helm # Source: https://github.com/xwiki-contrib/xwiki-helm
- name: "xwiki-repo" - name: "xwiki-repo"
url: >- oci: {{ .Values.charts.xwiki.oci }}
{{ env "PRIVATE_CHART_REPOSITORY_URL" | username: {{ .Values.charts.xwiki.username | quote }}
default "https://xwiki-contrib.github.io/xwiki-helm" }} password: {{ .Values.charts.xwiki.password | quote }}
url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
releases: releases:
- name: "xwiki" - name: "xwiki"
chart: "xwiki-repo/xwiki" chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
version: "1.2.3" version: "{{ .Values.charts.xwiki.version }}"
wait: true wait: true
values: values:
- "values.yaml" - "values.yaml"

16
helmfile/apps/xwiki/values.gotmpl
View File

@@ -22,21 +22,21 @@ customConfigs:
xwiki.authentication.ldap.port: 389 xwiki.authentication.ldap.port: 389
## Authentication to the LDAP server ## Authentication to the LDAP server
xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal" xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }} xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionManagementStack.ldapSearch.xwiki | quote }}
## Base DN used for searching for users ## Base DN used for searching for users
xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal" xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
## Allow short update cycles of the LDAP group cache ## Allow short update cycles of the LDAP group cache
xwiki.authentication.ldap.groupcache_expiration: 300 xwiki.authentication.ldap.groupcache_expiration: 300
"xwiki.properties": "xwiki.properties":
"oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth" "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
"oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token" "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
"oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo" "oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
"oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout" "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
"oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }} "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
"url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
"workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json" "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
"workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}" "workplaceServices.base": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
"workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }} "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
properties: properties:
@@ -46,7 +46,7 @@ properties:
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }} "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
## Link LDAP users and users authenticated through OIDC ## Link LDAP users and users authenticated through OIDC
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1 "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
"property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap" "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
ingress: ingress:
enabled: {{ .Values.ingress.enabled }} enabled: {{ .Values.ingress.enabled }}

Some files were not shown because too many files have changed in this diff Show More