mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
Compare commits
176 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
4b6a20faa4 | ||
|
|
ce38714a81 | ||
|
|
37f1eb9794 | ||
|
|
db4bfa4884 | ||
|
|
6a649cb7f0 | ||
|
|
b6ef559cde | ||
|
|
cc0daa2a22 | ||
|
|
c69c62cd45 | ||
|
|
6a26299a75 | ||
|
|
4101e91ae6 | ||
|
|
83192b7834 | ||
|
|
3b1091bb3e | ||
|
|
e67ab8f430 | ||
|
|
da731e7d5e | ||
|
|
0ea585633b | ||
|
|
fe40b7cfa1 | ||
|
|
d04a60349d | ||
|
|
94ae3da78b | ||
|
|
3ca54159f7 | ||
|
|
bf5dcda3b5 | ||
|
|
08ca525d3e | ||
|
|
dc7ce0bc4b | ||
|
|
729a1ea849 | ||
|
|
3b5493d78d | ||
|
|
6711791009 | ||
|
|
c41643ee3e | ||
|
|
2628a0e13e | ||
|
|
c8bc8b3172 | ||
|
|
24812b667c | ||
|
|
bec9a2d46b | ||
|
|
05cc82d7c5 | ||
|
|
82be996d97 | ||
|
|
d367739248 | ||
|
|
ef870ae385 | ||
|
|
466e741494 | ||
|
|
00fafb6a1b | ||
|
|
6d3e484855 | ||
|
|
845a0a3189 | ||
|
|
519db51be2 | ||
|
|
7ef3a10577 | ||
|
|
1c35ca67ce | ||
|
|
e0c6c14dca | ||
|
|
3cf348c7ae | ||
|
|
b3d45c45e1 | ||
|
|
c246edd8f9 | ||
|
|
c19bca2be0 | ||
|
|
a5f263ce48 | ||
|
|
cbe8fb2d65 | ||
|
|
8b6a4b2e88 | ||
|
|
a61d00482f | ||
|
|
0c7a77c4b6 | ||
|
|
211bee94bb | ||
|
|
b3ac0ae6d9 | ||
|
|
4c52a5aaa8 | ||
|
|
7a9ecf7b85 | ||
|
|
86b48188e1 | ||
|
|
7bbab22939 | ||
|
|
1343d6c93e | ||
|
|
735fec3b4c | ||
|
|
21b9d1d024 | ||
|
|
6dc92df2eb | ||
|
|
cac6abe251 | ||
|
|
6c1664fc0d | ||
|
|
36aa3ed7c9 | ||
|
|
23c46e7fe5 | ||
|
|
efbd814968 | ||
|
|
812eb5a439 | ||
|
|
f86a74ba10 | ||
|
|
71d11cfcd0 | ||
|
|
6aa3d386af | ||
|
|
7ac2e0f9de | ||
|
|
6f556bce70 | ||
|
|
a447c137fe | ||
|
|
47a385683c | ||
|
|
db48140f3a | ||
|
|
d7cae3b1fa | ||
|
|
7ae65a36a2 | ||
|
|
01466947cc | ||
|
|
061e588da9 | ||
|
|
b460206bd4 | ||
|
|
ea14f953a4 | ||
|
|
feed270fd7 | ||
|
|
225398b5a6 | ||
|
|
cd0e94f96f | ||
|
|
767c382091 | ||
|
|
55f6ba21dc | ||
|
|
b3c4ec5165 | ||
|
|
e231e5749d | ||
|
|
f98c48616b | ||
|
|
c460467d74 | ||
|
|
3f7faf88fb | ||
|
|
1971dfbded | ||
|
|
b50e5c982b | ||
|
|
97034a556f | ||
|
|
8b87432317 | ||
|
|
baa5827de3 | ||
|
|
1d03a6e11f | ||
|
|
08811decd9 | ||
|
|
69ea840517 | ||
|
|
ea5bd0a6b7 | ||
|
|
0d8e92fc5a | ||
|
|
d7119a656b | ||
|
|
89ae1d94ea | ||
|
|
dfc7fed325 | ||
|
|
65ce9a171b | ||
|
|
5e50ed119f | ||
|
|
d0a07997c1 | ||
|
|
985df5906f | ||
|
|
385d81b9a9 | ||
|
|
0ad043406b | ||
|
|
4a79728f01 | ||
|
|
7c56c7244f | ||
|
|
e0fce6631b | ||
|
|
899a8c5af9 | ||
|
|
6cee2c878b | ||
|
|
4359b21f1c | ||
|
|
d8b2bd3af0 | ||
|
|
8fafd906a3 | ||
|
|
fece4ace87 | ||
|
|
ab6014f8c6 | ||
|
|
fecd13612b | ||
|
|
38336d0240 | ||
|
|
9f9e4e9521 | ||
|
|
b47de62f98 | ||
|
|
9e54299917 | ||
|
|
d249d0e3ce | ||
|
|
fbe7de3c56 | ||
|
|
034e98c850 | ||
|
|
7feaadf7f8 | ||
|
|
a7fef3afff | ||
|
|
5d01f8ca46 | ||
|
|
7093022ec4 | ||
|
|
2313f75dbe | ||
|
|
af9caea726 | ||
|
|
b39986907c | ||
|
|
a02d7c6085 | ||
|
|
a046deaf17 | ||
|
|
c76e960446 | ||
|
|
535823e0a8 | ||
|
|
9966bf640e | ||
|
|
8e376bb4a5 | ||
|
|
7c0e4aa9a6 | ||
|
|
e609b75cc7 | ||
|
|
20d26a069b | ||
|
|
59d58e320e | ||
|
|
49b71aafb4 | ||
|
|
cbe514176a | ||
|
|
0898d96571 | ||
|
|
7f7c364071 | ||
|
|
fd9e04d992 | ||
|
|
86657b139a | ||
|
|
cdffbe1298 | ||
|
|
82a037ec7c | ||
|
|
1a4eced998 | ||
|
|
06dcdd78af | ||
|
|
f564efd97f | ||
|
|
16f2ac464e | ||
|
|
30405d182d | ||
|
|
785989e91d | ||
|
|
27b6796639 | ||
|
|
7756d35fa1 | ||
|
|
5afd2339c2 | ||
|
|
b7f220a6b6 | ||
|
|
fb7dba787c | ||
|
|
72e3afdffd | ||
|
|
85b8fcaab5 | ||
|
|
c3129f1443 | ||
|
|
000be8b032 | ||
|
|
da1bf3581c | ||
|
|
4d0011d957 | ||
|
|
74f9ec28e4 | ||
|
|
b1d4b2d8ea | ||
|
|
711d29e374 | ||
|
|
0ba7be2a5f | ||
|
|
d4c751d29f | ||
|
|
70744d04c6 |
1
.gitignore
vendored
1
.gitignore
vendored
@@ -2,6 +2,7 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
.vscode
|
||||
.idea
|
||||
.yamllint
|
||||
|
||||
# Ignore changes to sample environments
|
||||
helmfile/environments/dev/values.yaml
|
||||
|
||||
@@ -5,6 +5,7 @@ include:
|
||||
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
|
||||
ref: "main"
|
||||
file:
|
||||
- "ci/common/automr.yml"
|
||||
- "ci/common/lint.yml"
|
||||
- "ci/release-automation/semantic-release.yml"
|
||||
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
|
||||
@@ -14,6 +15,7 @@ include:
|
||||
|
||||
stages:
|
||||
- ".pre"
|
||||
- "automr"
|
||||
- "lint"
|
||||
- "env-cleanup"
|
||||
- "env"
|
||||
@@ -33,9 +35,6 @@ variables:
|
||||
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
||||
sovereign-workplace-env included above."
|
||||
value: "dev"
|
||||
BASE_DOMAIN:
|
||||
description: "Define the Cluster Base Domain."
|
||||
value: "souvap.cloud"
|
||||
MASTER_PASSWORD_WEB_VAR:
|
||||
description: "Optional: Provide a passphrase to be used for password generation."
|
||||
value: ""
|
||||
@@ -78,6 +77,12 @@ variables:
|
||||
options:
|
||||
- "yes"
|
||||
- "no"
|
||||
DEPLOY_CRYPTPAD:
|
||||
description: "Enable CryptPad deployment."
|
||||
value: "no"
|
||||
options:
|
||||
- "yes"
|
||||
- "no"
|
||||
DEPLOY_ELEMENT:
|
||||
description: "Enable Element deployment."
|
||||
value: "no"
|
||||
@@ -144,9 +149,6 @@ variables:
|
||||
UMS_TESTS_BRANCH:
|
||||
description: "Branch of E2E test suite of SouvAP Dev team"
|
||||
value: "main"
|
||||
# please use the following set of variables with normalized names:
|
||||
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
|
||||
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
|
||||
|
||||
.deploy-common:
|
||||
cache: {}
|
||||
@@ -198,7 +200,6 @@ env-cleanup:
|
||||
env-start:
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
url: "https://portal.${DOMAIN}"
|
||||
on_stop: "env-stop"
|
||||
extends: ".deploy-common"
|
||||
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
|
||||
@@ -342,6 +343,18 @@ collabora-deploy:
|
||||
variables:
|
||||
COMPONENT: "collabora"
|
||||
|
||||
cryptpad-deploy:
|
||||
stage: "component-deploy-stage-1"
|
||||
extends: ".deploy-common"
|
||||
rules:
|
||||
- if: >
|
||||
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
|
||||
$NAMESPACE =~ /.+/ &&
|
||||
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
|
||||
when: "always"
|
||||
variables:
|
||||
COMPONENT: "cryptpad"
|
||||
|
||||
nextcloud-deploy:
|
||||
stage: "component-deploy-stage-1"
|
||||
extends: ".deploy-common"
|
||||
@@ -366,6 +379,18 @@ openproject-deploy:
|
||||
variables:
|
||||
COMPONENT: "openproject"
|
||||
|
||||
openproject-bootstrap-deploy:
|
||||
stage: "component-deploy-stage-2"
|
||||
extends: ".deploy-common"
|
||||
rules:
|
||||
- if: >
|
||||
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
|
||||
$NAMESPACE =~ /.+/ &&
|
||||
($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
|
||||
when: "always"
|
||||
variables:
|
||||
COMPONENT: "openproject-bootstrap"
|
||||
|
||||
jitsi-deploy:
|
||||
stage: "component-deploy-stage-1"
|
||||
extends: ".deploy-common"
|
||||
@@ -413,10 +438,6 @@ run-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -473,10 +494,6 @@ run-souvap-dev-tests:
|
||||
extends: ".deploy-common"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
tags:
|
||||
- "docker"
|
||||
- "kubernetes"
|
||||
- "${CLUSTER}"
|
||||
stage: "tests"
|
||||
rules:
|
||||
- if: >
|
||||
@@ -540,7 +557,7 @@ generate-release-assets:
|
||||
- "./build_artefacts/image-index.json"
|
||||
tags: []
|
||||
variables:
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
|
||||
ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
|
||||
|
||||
|
||||
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
|
||||
@@ -603,4 +620,6 @@ release:
|
||||
}
|
||||
EOF
|
||||
- "semantic-release"
|
||||
needs:
|
||||
- "generate-release-assets"
|
||||
...
|
||||
|
||||
499
CHANGELOG.md
499
CHANGELOG.md
@@ -1,3 +1,497 @@
|
||||
## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/ce38714a81ea3b0e1377e6ea2d640fb65f317396))
|
||||
|
||||
## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **jitsi:** Disable IP Blacklist ([6a649cb](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a649cb7f0d04736ccabcd27c035ef6d051f6fd5))
|
||||
* **open-xchange:** Update to latest version ([db4bfa4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db4bfa488401f10bad111ce03c20a60473c64837))
|
||||
|
||||
## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **services:** Use Charts from openCoDE registry ([cc0daa2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cc0daa2a22837c00583038ffd9df7e669004e84e))
|
||||
|
||||
## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Update Element and Widgets ([6a26299](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a26299a7507ae749ffcf25288d2cf5b24d220db))
|
||||
|
||||
## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Bump OX Connector ([83192b7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/83192b78345c62465e2979195d9a1c882ddbf0ea))
|
||||
|
||||
## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
|
||||
|
||||
## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
|
||||
|
||||
## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
|
||||
* **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
|
||||
|
||||
## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
|
||||
|
||||
## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
|
||||
|
||||
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
|
||||
|
||||
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
|
||||
* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
|
||||
* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
|
||||
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
|
||||
* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
|
||||
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
|
||||
|
||||
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Using correct private registry for postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
|
||||
|
||||
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
|
||||
|
||||
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
|
||||
|
||||
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
|
||||
|
||||
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7bbab229396075c7d10f94f42bef14551faefe26))
|
||||
* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a9ecf7b8595edf0949d9c200d01b3409f25b9a7))
|
||||
* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/4c52a5aaa83ffb6f4c49faa039c94cb1855987bb))
|
||||
* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a5f263ce489f88b90cf1151de249f36616a51632))
|
||||
* **univention-management-stack:** Apply styling ([b3d45c4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e))
|
||||
* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cbe8fb2d65e6ce73f9da95ef9b0ed3ffbb16d367))
|
||||
* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3cf348c7ae8f438daf3e64addbf839230816f3d2))
|
||||
* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3ac0ae6d91a058265fcd26c6653bb8a13d3e780))
|
||||
* **univention-management-stack:** Quote all composed strings ([1c35ca6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c35ca67ce0673e1b2f9a350bd07c82c22a05354))
|
||||
* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8b6a4b2e88e8be1d299af91ed1ffff4405db88e6))
|
||||
* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0c7a77c4b6f20c6d83e977dabfc4e555b652f6ac))
|
||||
* **univention-management-stack:** UMC uses external memcached ([211bee9](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/211bee94bb7675860f867f0335fec9f14fc96875))
|
||||
* **univention-management-stack:** Update ums-dependencies ([e0c6c14](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e0c6c14dcaefc0755495270bbf45898721e27985))
|
||||
* **univention-management-stack:** Update ums-dependencies ([c246edd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c246edd8f9753e37bc9c32683faf41f5b46d7675))
|
||||
* **univention-management-stack:** Update ums-dependencies ([86b4818](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/86b48188e160c1f7d15f2c33f1f3cd0cc0e68bf2))
|
||||
* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c19bca2be0d14750bbef661e45c5c424f7da8e77))
|
||||
|
||||
## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Open automatic MRs for new branches ([735fec3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/735fec3b4ccd33ba63e5fa6482526efb6853c64a))
|
||||
|
||||
## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Bump chart to fix central navigation ([cac6abe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cac6abe2510b6793963633077543684a6a4e7cbc))
|
||||
* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6dc92df2ebcae435e3b3609cc163dc6c33fb1b83))
|
||||
|
||||
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Add metadata for renovate processing ([36aa3ed](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36aa3ed7c9f9a6d0ffe23dc3ca2174d5f2741dfa))
|
||||
|
||||
## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/efbd81496868c5d4274f09805a1e771f47d548be))
|
||||
|
||||
## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **services:** Update resource requests and remove cpu limits ([f86a74b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f86a74ba100c7f08f6538b58a713bbc87c00e814))
|
||||
|
||||
## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Rename absolute paths on OpenCoDE to new 'opendesk' base group name ([7ac2e0f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7ac2e0f9de2a8386a7f5809ba40db4ed7164a857))
|
||||
* **xwiki:** Enable the sync of user profile picture from LDAP ([6aa3d38](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6aa3d386afe8b3f22e47f9971fd719089006b54e))
|
||||
|
||||
## [0.5.46](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.45...v0.5.46) (2023-11-23)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Fix quotes in element chart ([a447c13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a447c137fe58be343e7ada55afb7f6891a5cde74))
|
||||
|
||||
## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Add security context ([db48140](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/db48140f3ae6576b21e93ac0f10f40765efd608d))
|
||||
|
||||
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ae65a36a2777d249ba3784bf965da4c790a1b21))
|
||||
|
||||
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Update optional UMS preview state ([061e588](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/061e588da90e52b531df0688347675bf4dcb431e))
|
||||
|
||||
## [0.5.42](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.41...v0.5.42) (2023-11-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Add exporter and serviceMonitor ([feed270](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/feed270fd7949743e8f9974e7f147e89ab623347))
|
||||
* **nextcloud:** Bump openDesk bootstrap to 3.2.3 to support serverinfo token ([ea14f95](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ea14f953a4a54c01cc0d66db1bdb645ca4a661e5))
|
||||
|
||||
## [0.5.41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.40...v0.5.41) (2023-11-16)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Split README into docs ([cd0e94f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cd0e94f96fa5b377ab382b6c7738ed279cb2a199))
|
||||
|
||||
## [0.5.40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.39...v0.5.40) (2023-11-14)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Bump Dovecot and fix out-of-office replys ([55f6ba2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/55f6ba21dc9eab811ac501bf0e2b78d4ae772194))
|
||||
|
||||
## [0.5.39](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.38...v0.5.39) (2023-11-14)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Update optional UMS preview state ([e231e57](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e231e5749d3804f888ec23e12b58783856043219))
|
||||
|
||||
## [0.5.38](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.37...v0.5.38) (2023-11-13)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **collabora:** Update image to 23.05.5.4.1 ([c460467](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c460467d7449b107134562b785e95f6280e3473d))
|
||||
|
||||
## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1971dfbded21d16909e889ba6d19ff9cf3e4cb20))
|
||||
|
||||
## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Update Element and Widgets ([97034a5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/97034a556f4cdcc447f61003ad9cd036c186bc3b))
|
||||
|
||||
## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Eliminate some yamllint errors ([1d03a6e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1d03a6e11f368fd81dd10b91b0d9d7fc29c0cb24))
|
||||
* **helmfile:** Move ldap host variable into helpers ([08811de](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/08811decd92e7fd7802d0eba2644046512ec58a4))
|
||||
* **helmfile:** Update charts to use proper quoting ([69ea840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/69ea84051721f3aaf36a5dbafdfb37dd86b66dbb))
|
||||
* **services:** Add minio as service and consume by OpenProject ([baa5827](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/baa5827de3e1e368abf238a932a5849f169af723))
|
||||
|
||||
## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0d8e92fc5a4729ff7649e5a10e629b962a9b671b))
|
||||
|
||||
## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cryptpad:** Update security context ([89ae1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/89ae1d94ea4c4e8a15a395a80847a7f235365747))
|
||||
|
||||
## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **collabora:** Resource definitions ([65ce9a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65ce9a171b7c8ebc453fb6bbe96743c8516da2c6))
|
||||
|
||||
## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Update optional UMS preview state ([d0a0799](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d0a07997c12ddb9731a0dfed0d6fa71d9a3790e7))
|
||||
|
||||
## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ad043406bef7bb10d561ef1418b58cbd8714d43))
|
||||
* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/385d81b9a9e1ec319706493c51629c8e48822aa7))
|
||||
|
||||
## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
|
||||
|
||||
## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
|
||||
|
||||
## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
|
||||
|
||||
## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
|
||||
|
||||
## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
|
||||
|
||||
## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
|
||||
|
||||
## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
|
||||
|
||||
## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
|
||||
|
||||
## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
|
||||
* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
|
||||
|
||||
## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5d01f8ca46384d63d69dab0119998c4bb3183084))
|
||||
|
||||
## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2313f75dbe32d855b0c440944bd0de51c8e104ca))
|
||||
|
||||
## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b39986907cece3cec06012531a55b2699d131f90))
|
||||
|
||||
## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a046deaf173ab41029c2ab5e3161bd89e0fdabcb))
|
||||
|
||||
## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Slim container with upgraded helm-chart ([535823e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/535823e0a8b2bde72d159835248b2287fd136af7))
|
||||
|
||||
## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8e376bb4a5e37e16d76ea527cd02a5f614cdfe3d))
|
||||
|
||||
## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Support for openDesk top bar with central navigation ([e609b75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e609b75cc7fcbb7f03997cb5e26dd9cf4628f77d))
|
||||
|
||||
## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Configure rights and roles ([59d58e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/59d58e320e503727e42dbfe0b027ba7948275ac6))
|
||||
|
||||
## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Add an application service for the intercom-service ([1a4eced](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1a4eced998998faa7ac862b8c409bbd743b16ec0))
|
||||
* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5afd2339c20a0be41078ae4c3ce703c62f332557))
|
||||
* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7756d35fa156b36ed50ba8f837273db56323f45f))
|
||||
* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/785989e91df5547ab5ac60914b82bc99c4f1a790))
|
||||
* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/27b6796639f37dbd6c26f21fd54502153398aed0))
|
||||
* **element:** Add the Matrix User Verification Service deployment ([30405d1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/30405d182d44a5586a4070738dfbe1c141841d19))
|
||||
* **element:** Upgrade Element to v1.11.46 ([82a037e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/82a037ec7c25baf41bd0542c3ded47402adc2844))
|
||||
* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fd9e04d9922b949d0f213016169a9024a66a1ded))
|
||||
* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cbe514176a4d86d166db248d7297d215409016d2))
|
||||
* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7f7c364071072b01d485d3e248a3f8de49a07309))
|
||||
* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16f2ac464eb7267f1c4d87c3ccaca2c91a7ecc1b))
|
||||
* **intercom-service:** Fix the nordeck configuration ([06dcdd7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/06dcdd78afe0e6514c1f30d24924d3e7077ae6da))
|
||||
* **jitsi:** Use template for the cluster networking domain ([0898d96](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0898d9657145d66fd4c52fe6036c955ad58a0cfe))
|
||||
* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/86657b139a6d8f4ff3f921b8755e04cb790c3786))
|
||||
* **open-xchange:** Enable Element calendar integration ([f564efd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f564efd97f8db39cffaea317e36db3825fc9121e))
|
||||
|
||||
## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
|
||||
* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
|
||||
|
||||
## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
|
||||
|
||||
## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Enable the guest module in Synapse ([da1bf35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/da1bf3581c5790786601948cabcef8a1d1c680ad))
|
||||
|
||||
## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Add default port for SMTP in environment ([74f9ec2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74f9ec28e401f7caeefc4e50ac0a7e95fea41a53))
|
||||
|
||||
## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Mail sender address ([711d29e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/711d29e374d13a3c8b7bcdf3e8440d03e0ef2b7d))
|
||||
|
||||
## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
|
||||
* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
|
||||
|
||||
## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
|
||||
|
||||
|
||||
@@ -423,3 +917,8 @@
|
||||
* **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
|
||||
* **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
|
||||
* **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
|
||||
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
**Content / Quick navigation**
|
||||
|
||||
[[_TOC_]]
|
||||
|
||||
# Functional Components
|
||||
|
||||
Functional components are the core of the SWP as they provide it's rich functionaly. We use the community versions of the named products. For production environments please use enterprise versions for support and scalabiliy reasons.
|
||||
|
||||
## Groupware - Open-Xchange AppSuite
|
||||
|
||||
## WebOffice - Collabora Development Edition
|
||||
|
||||
## File & Share - Nextcloud
|
||||
|
||||
## Kollaboration - Element
|
||||
|
||||
## Videokonferenzen - Jitsi
|
||||
|
||||
## Knowledge Management - XWiki
|
||||
|
||||
## Project Management - OpenProject
|
||||
|
||||
## Portal & IAM - Univention Corporate Services
|
||||
@@ -60,3 +60,6 @@ This service is used by
|
||||
- Open-Xchange
|
||||
|
||||
## Objectstore - MinIO
|
||||
|
||||
This services is used by:
|
||||
- OpenProject (attachment storage)
|
||||
|
||||
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
# Read me first
|
||||
|
||||
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/CONTRIBUTING.md) first.
|
||||
Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/CONTRIBUTING.md) first.
|
||||
|
||||
# How to contribute?
|
||||
|
||||
|
||||
601
README.md
601
README.md
@@ -2,551 +2,106 @@
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
**Content / Quick navigation**
|
||||
|
||||
[[_TOC_]]
|
||||
|
||||
|
||||
# Disclaimer August 2023
|
||||
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
|
||||
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
|
||||
|
||||
The current state of the Sovereign Workplace contains components that are going to be
|
||||
replaced. Like for example the UCS dev container monolith will be substituted by
|
||||
multiple Univention Management Stack containers.
|
||||
It features:
|
||||
- Fully integrated Identity Management (Univention)
|
||||
- File storage (Nextcloud)
|
||||
- Weboffice (Collabora)
|
||||
- Videoconference (Nordeck w/ Jitsi)
|
||||
- Chat and Collaboration (Element w/ Nordeck)
|
||||
- Groupware (OX Appsuite)
|
||||
- Wiki (XWiki)
|
||||
- Project Management (OpenProject)
|
||||
- Notes and Diagrams (Cryptpad)
|
||||
|
||||
In the next months we not only expect upstream updates of the functional
|
||||
components within their feature scope, but we are also going to address
|
||||
operational issues like monitoring and network policies.
|
||||
openDesk integrates these components and is working towards a seamless user experience.
|
||||
|
||||
While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
|
||||
align the applications with the best practises regarding container design and operations.
|
||||
|
||||
This documentation aims to give you all that is needed to set up your own instance of the openDesk.
|
||||
Basic knowledge of Kubernetes and Devops is required though.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Active development notice](#active-development-notice)
|
||||
* [Feedback](#feedback)
|
||||
* [Requirements](#requirements)
|
||||
* [Getting started](#getting-started)
|
||||
* [Advanced customization](#advanced-customization)
|
||||
* [Releases](#releases)
|
||||
* [Components](#components)
|
||||
* [License](#license)
|
||||
* [Copyright](#copyright)
|
||||
<!-- TOC -->
|
||||
|
||||
# Active development notice
|
||||
openDesk will face breaking changes in the near future without upgrade paths before
|
||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||
v1.0.0 is reached.
|
||||
|
||||
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
|
||||
at the moment always installing from scratch.
|
||||
|
||||
Components that are going to be replaced soon are:
|
||||
- the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
|
||||
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
|
||||
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
|
||||
|
||||
In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
|
||||
are also going to address operational issues like monitoring and network policies.
|
||||
|
||||
Of course, further development also includes enhancing the documentation.
|
||||
|
||||
The first release of the Sovereign Workplace is scheduled for December 2023.
|
||||
Before that release there will be breaking changes in the deployment.
|
||||
# Feedback
|
||||
|
||||
|
||||
# The Sovereign Workplace (SWP)
|
||||
|
||||
The Sovereign Workplace's runtime environment is [Kubernetes](https://kubernetes.io/), or "K8s" in
|
||||
short.
|
||||
|
||||
While not all components are still perfectly shaped for the execution inside
|
||||
containers, one of the projects objectives is it to align the applications
|
||||
with the best practises regarding container design and operations.
|
||||
|
||||
This documentation aims to give you all that is needed to set up your own
|
||||
instance of the Sovereign Workplace. Basic knowledge of Kubernetes and Devops is
|
||||
required though.
|
||||
|
||||
To have an overview of what can be found at Open CoDE and the basic components
|
||||
of the Sovereign Workplace, please check out the
|
||||
[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
|
||||
|
||||
We love to get feedback from you! Related to the deployment / contents of this
|
||||
repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
|
||||
We love to get feedback from you!
|
||||
Related to the deployment / contents of this repository,
|
||||
please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
|
||||
|
||||
If you want to address other topics, please check the section
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
|
||||
# Requirements
|
||||
|
||||
⟶ Visit our detailed [Requirements](docs/requirements.md) overview.
|
||||
|
||||
# Getting started
|
||||
|
||||
⟶ Visit our detailed [Getting started](docs/getting-started.md) guide.
|
||||
|
||||
# Advanced customization
|
||||
|
||||
- [External services](docs/external-services.md)
|
||||
- [Security](docs/security.md)
|
||||
- [Scaling](docs/scaling.md)
|
||||
- [Monitoring](docs/monitoring.md)
|
||||
- [Theming](docs/theming.md)
|
||||
|
||||
# Releases
|
||||
|
||||
All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
|
||||
|
||||
Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
|
||||
Gitlab provides an
|
||||
[overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||
of this project.
|
||||
|
||||
The following release artefacts are provided beside the default source code assets:
|
||||
- `chart-index.json`: An overview of all Helm charts used by the release.
|
||||
- `image-index.json`: An overview of all container images used by the release.
|
||||
# Deployment
|
||||
|
||||
**Note for project members:** You can use the project's `dev` K8s cluster to set
|
||||
up your own instance for development purposes. Please see the project
|
||||
`sovereign-workplace-env` on the internal Gitlab for more details.
|
||||
# Components
|
||||
|
||||
## Prerequisites
|
||||
⟶ Visit our detailed [Component](docs/getting-started.md) docs.
|
||||
|
||||
### Mandatory technical prerequisites
|
||||
|
||||
These are the requirements of the Sovereign Workplace deployment:
|
||||
# License
|
||||
|
||||
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
|
||||
- Domain and DNS Service
|
||||
- Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
|
||||
- [Helm](https://helm.sh/) >= v3.9.0
|
||||
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
|
||||
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
|
||||
- Volume provisioner supporting RWO (read-write-once)
|
||||
- Certificate handling with [cert-manager](https://cert-manager.io/)
|
||||
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
|
||||
This project uses the following license: Apache-2.0
|
||||
|
||||
#### TLS Certificate
|
||||
|
||||
The setup will create a `cert-manager.io` Certificate resource.
|
||||
|
||||
You can set the ClusterIssuer via `certificate.issuerRef.name`
|
||||
|
||||
### Required input variables
|
||||
|
||||
You need to expose following environment variables in order to run the
|
||||
installation.
|
||||
|
||||
| name | default | description |
|
||||
|---------------------|-----------------------|---------------------------------------------------|
|
||||
| `DOMAIN` | `souvap.cloud` | External reachable domain |
|
||||
| `ISTIO_DOMAIN` | `istio.souvap.cloud` | External reachable domain for Istio Gateway |
|
||||
| `MASTER_PASSWORD` | `sovereign-workplace` | The password that seeds the autogenerated secrets |
|
||||
|
||||
Please ensure that you set the DNS records pointing to the loadbalancer/IP for
|
||||
`DOMAIN` and `ISTIO_DOMAIN`.
|
||||
|
||||
If you want inbound email you need to set the MX records that points to the
|
||||
public IP address of the Postfix-pods.
|
||||
|
||||
More details on DNS options including SPF/DKIM and autodiscovery options
|
||||
are to come...
|
||||
|
||||
### Optional or feature based prerequisites
|
||||
|
||||
All of these requirements are optional as long as you do not want to use the
|
||||
related feature.
|
||||
|
||||
| Feature | Component(s) | Requirement |
|
||||
|------------------------------|----------------|-----------------------------|
|
||||
| Component Scalability | Various[^1] | Read-Write-Many Provisioner |
|
||||
| Sending outbound emails | Various | SMTP relay/gateway |
|
||||
| S/MIME Support | OX AppSuite8 | PKI / CI |
|
||||
| Improved videoconferencing | Jitsi | STUN/TURN server |
|
||||
|
||||
## CI based deployment
|
||||
|
||||
The project includes a `.gitlab-ci.yml` that allows you to execute the
|
||||
deployment from a Gitlab instance of your choice.
|
||||
|
||||
Please ensure to provide the environment variables listed at
|
||||
[Required input variables](#required-input-variables).
|
||||
|
||||
When starting the pipeline through the Gitlab UI you will be queried for some
|
||||
of the variables plus the following ones:
|
||||
|
||||
- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
|
||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||
|
||||
Based on your input the following variables will be set:
|
||||
- `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supercede the default.
|
||||
|
||||
You might want to set credential variables in the Gitlab project at
|
||||
`Settings` > `CI/CD` > `Variables`.
|
||||
|
||||
## Local deployment
|
||||
|
||||
Please ensure to provide the environment variables listed at
|
||||
[Required input variables](#required-input-variables).
|
||||
Also, please read [Helmfile](#helmfile) a little below in case of a non default
|
||||
configuration.
|
||||
|
||||
Then go with
|
||||
|
||||
```shell
|
||||
helmfile apply -n <NAMESPACE>
|
||||
```
|
||||
|
||||
and wait a little. After the deployment is finished some bootstrapping is
|
||||
executed which might take some more minutes before you can log in your new
|
||||
instance.
|
||||
|
||||
Deployments can be removed with:
|
||||
|
||||
```shell
|
||||
helmfile destroy -n <NAMESPACE>
|
||||
```
|
||||
|
||||
## Offline deployment
|
||||
|
||||
Before executing a [local deployment](#local-deployment), you can set following
|
||||
environment variables to use your own container image and helm chart registry:
|
||||
|
||||
| name | description |
|
||||
|------------------------------|--------------------------------|
|
||||
| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
|
||||
| PRIVATE_IMAGE_REGISTRY_URL | Your image registry url |
|
||||
|
||||
## Logging in
|
||||
|
||||
When successfully deployed the SWP, all K8s jobs from the deployment should be
|
||||
in the status `Succeeded` and all pods should be `Running`.
|
||||
|
||||
You should see the portal's login page at `https://portal.<DOMAIN>`.
|
||||
|
||||
Off the shelf you get two accounts with passwords you can look up in the
|
||||
`univention-corporate-container-*` pod environment. You can use a shell on that
|
||||
container or a `kubectl describe`-command to get the credentials.
|
||||
|
||||
| Username / Login | Password environment variable |
|
||||
|--------------------|--------------------------------|
|
||||
| default.user | DEFAULT_ACCOUNT_USER_PASSWORD |
|
||||
| default.admin | DEFAULT_ACCOUNT_ADMIN_PASSWORD |
|
||||
|
||||
If you do not see any tiles in the portal after the login you may want to wait a
|
||||
couple of minutes, as on the initial start some bootstrapping and cache building
|
||||
is done. This blocks the portal entries from showing up.
|
||||
|
||||
# Helmfile
|
||||
|
||||
## Custom Configuration
|
||||
|
||||
### Deployment selection
|
||||
|
||||
By default, all components are deployed. The components of type `Eval` are used
|
||||
for development and evaluation purposes only - they need to be replaced in
|
||||
production deployments. These components are grouped together in the
|
||||
subdirectory `/helmfile/apps/services`.
|
||||
|
||||
| Component | Name | Default | Description | Type |
|
||||
|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
|
||||
| Certificates | `certificates.enabled` | `true` | TLS certificates | Eval |
|
||||
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | Eval |
|
||||
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | Eval |
|
||||
| Collabora | `collabora.enabled` | `true` | Weboffice | Functional |
|
||||
| Dovecot | `dovecot.enabled` | `true` | Mail backend | Functional |
|
||||
| Element | `element.enabled` | `true` | Secure communications platform | Functional |
|
||||
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | Functional |
|
||||
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
|
||||
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
|
||||
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
|
||||
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
|
||||
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
|
||||
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
|
||||
| Provisioning | `oxConnector.enabled` | `true` | Backend provisioning | Functional |
|
||||
| Postfix | `postfix.enabled` | `true` | MTA | Eval |
|
||||
| PostgreSQL | `postgresql.enabled` | `true` | Database | Eval |
|
||||
| Redis | `redis.enabled` | `true` | Cache Database | Eval |
|
||||
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal | Functional |
|
||||
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal | Eval |
|
||||
| XWiki | `xwiki.enabled` | `true` | Knowledgebase | Functional |
|
||||
|
||||
|
||||
#### Cluster capabilities
|
||||
| Capability | Default | Options | Notes |
|
||||
|-------------------------------------|-----------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `cluster.service.type` | `LoadBalancer` | `ClusterIP`, `NodePort`, `LoadBalancer` | External access to TCP/UDP services. [Additional Information](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) |
|
||||
| `cluster.persistence.readWriteMany` | `false` | `true`, `false` | Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...). |
|
||||
| `cluster.networking.domain` | `cluster.local` | | Kubernetes cluster domain. |
|
||||
| `cluster.networking.cidr` | `10.0.0.0/8` | | Kubernetes internal network |
|
||||
|
||||
|
||||
#### Databases
|
||||
|
||||
In case you don't got for a develop or evaluation environment you want to point
|
||||
the application to your own database instances.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
|
||||
| Element | Synapse | PostgreSQL | | | |
|
||||
| | | | Name | `databases.synapse.name` | `matrix` |
|
||||
| | | | Host | `databases.synapse.host` | `postgresql` |
|
||||
| | | | Port | `databases.synapse.port` | `5432` |
|
||||
| | | | Username | `databases.synapse.username` | `matrix_user` |
|
||||
| | | | Password | `databases.synapse.password` | |
|
||||
| Keycloak | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloak.name` | `keycloak` |
|
||||
| | | | Host | `databases.keycloak.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloak.port` | `5432` |
|
||||
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
|
||||
| | | | Password | `databases.keycloak.password` | |
|
||||
| | Keycloak Extension | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
|
||||
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||
| | | | Password | `databases.keycloakExtension.password` | |
|
||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
|
||||
| | | | Password | `databases.nextcloud.password` | |
|
||||
| OpenProject | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.openproject.name` | `openproject` |
|
||||
| | | | Host | `databases.openproject.host` | `postgresql` |
|
||||
| | | | Port | `databases.openproject.port` | `5432` |
|
||||
| | | | Username | `databases.openproject.username` | `openproject_user` |
|
||||
| | | | Password | `databases.openproject.password` | |
|
||||
| OX Appsuite | OX Appsuite | MariaDB | | | |
|
||||
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
|
||||
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
|
||||
| | | | Username | `databases.oxAppsuite.username` | `root` |
|
||||
| | | | Password | `databases.oxAppsuite.password` | |
|
||||
| XWiki | XWiki | MariaDB | | | |
|
||||
| | | | Name | `databases.xwiki.name` | `xwiki` |
|
||||
| | | | Host | `databases.xwiki.host` | `mariadb` |
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
|
||||
### Scaling
|
||||
|
||||
The Replicas of components can be increased, while we still have to look in the
|
||||
actual scalability of the components (see column `Scaling (verified)`).
|
||||
|
||||
| Component | Name | Scaling (effective) | Scaling (verified) |
|
||||
|-------------|------------------------|:-------------------:|:------------------:|
|
||||
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.freshclam` | :x: | :x: |
|
||||
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
|
||||
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
|
||||
| Dovecot | `replicas.dovecot` | :x: | :gear: |
|
||||
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.synapse` | :x: | :gear: |
|
||||
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
|
||||
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jicofo` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jvb ` | :x: | :x: |
|
||||
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
|
||||
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
|
||||
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
|
||||
| Postfix | `replicas.postfix` | :x: | :gear: |
|
||||
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
|
||||
|
||||
|
||||
### Mail/SMTP configuration
|
||||
|
||||
To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
|
||||
the whole subdomain.
|
||||
|
||||
```yaml
|
||||
smtp:
|
||||
host: # your SMTP host or IP-address
|
||||
username: # username/email for authentication
|
||||
password: # password for authentication, or via environment variable SMTP_PASSWORD
|
||||
```
|
||||
|
||||
### TURN configuration
|
||||
|
||||
Some components (Jitsi, Element) use for direct communication a TURN server.
|
||||
You can configure your own TURN server with these options:
|
||||
|
||||
```yaml
|
||||
turn:
|
||||
transport: # "udp" or "tcp"
|
||||
credentials: # turn credential string
|
||||
server: # configuration for unsecure connections
|
||||
host: # your TURN host or IP-address
|
||||
port: # server port
|
||||
tls: # configuration for secure connections
|
||||
host: # your TURN host or IP-address
|
||||
port: # server port
|
||||
```
|
||||
|
||||
## Security
|
||||
|
||||
This section summarizes various aspects of security and compliance aspects.
|
||||
|
||||
### Kubernetes Security Enforcements
|
||||
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
|
||||
|
||||
### Helm Chart Trust Chain
|
||||
|
||||
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
|
||||
`pubkey.gpg` file and are validated during helmfile installation.
|
||||
|
||||
| Repository | OCI | Verifiable |
|
||||
|--------------------------------------|:---:|:------------------:|
|
||||
| bitnami-repo | yes | :x: |
|
||||
| clamav-repo | yes | :white_check_mark: |
|
||||
| collabora-online-repo | no | :x: |
|
||||
| intercom-service-repo | yes | :white_check_mark: |
|
||||
| istio-resources-repo | yes | :white_check_mark: |
|
||||
| jitsi-repo | yes | :white_check_mark: |
|
||||
| keycloak-extensions-repo | no | :x: |
|
||||
| keycloak-theme-repo | yes | :white_check_mark: |
|
||||
| mariadb-repo | yes | :white_check_mark: |
|
||||
| nextcloud-repo | no | :x: |
|
||||
| opendesk-certificates-repo | yes | :white_check_mark: |
|
||||
| opendesk-dovecot-repo | yes | :white_check_mark: |
|
||||
| opendesk-element-repo | yes | :white_check_mark: |
|
||||
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
|
||||
| openproject-repo | no | :x: |
|
||||
| openxchange-repo | yes | :x: |
|
||||
| ox-connector-repo | no | :x: |
|
||||
| postfix-repo | yes | :white_check_mark: |
|
||||
| postgresql-repo | yes | :white_check_mark: |
|
||||
| univention-corporate-container-repo | yes | :white_check_mark: |
|
||||
| ums-repo | no | :x: |
|
||||
| xwiki-repo | no | :x: |
|
||||
|
||||
|
||||
# Component integration
|
||||
|
||||
## Functional use cases
|
||||
|
||||
### Overview
|
||||
|
||||
Some use cases require inter component integration.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
|
||||
IntercomService-->|SilentLogin, TokenExchange|Keycloak
|
||||
IntercomService-->|Filepicker|Nextcloud
|
||||
IntercomService-->|CentralNavigation|Portal
|
||||
OXAppSuiteBackend-->|Filepicker|Nextcloud
|
||||
Nextcloud-->|CentralNavigation|Portal
|
||||
OpenProject-->|CentralNavigation|Portal
|
||||
XWiki-->|CentralNavigation|Portal
|
||||
Nextcloud-->|CentralContacts|OXAppSuiteBackend
|
||||
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
|
||||
```
|
||||
|
||||
#### Intercom Service (ICS)
|
||||
|
||||
The UCS Intercom Service's role is to enable cross application integration based
|
||||
on browser interaction. Handling authentication when the frontend of an
|
||||
application is using the API from another application is often a challenge.
|
||||
For more details on the ICS please refer to its own [README.md](./helmfile/apps/intercom-service/README.md).
|
||||
|
||||
In order to establish a session with the Intercom Service, the application that
|
||||
wants to use the ICS must initiate a silent login.
|
||||
|
||||
Currently only OX AppSuite is using the frontend based integration, and
|
||||
therefore it is right now the only consumer of the ICS API.
|
||||
|
||||
### Filepicker
|
||||
|
||||
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to
|
||||
add attachments or links to files from and saving attachments to Nextcloud.
|
||||
|
||||
The filepicker is using frontend and backend based integration. Frontend based
|
||||
integration means that OX AppSuite in the browser is communicating with ICS.
|
||||
While using backend based integration, OX AppSuite middleware is communicating
|
||||
with Nextcloud, which is especially used when adding a file to an email or
|
||||
storing a file into Nextcloud.
|
||||
|
||||
### Central Navigation
|
||||
|
||||
Central navigation is based on an API endpoint in the portal that provides the
|
||||
contents of the portal for a user in order to allow components to render the
|
||||
menu showing all available SWP applications for the user.
|
||||
|
||||
### (Read & write) Central contacts
|
||||
|
||||
Open-Xchange App Suite is used to manage contacts within the Sovereign
|
||||
Workplace. There is an API in the AppSuite that is being used by
|
||||
Nextcloud to lookup contacts as well as to create contacts. This is maybe done
|
||||
when a file is shared with a not yet available personal contact.
|
||||
|
||||
# Identity data flows
|
||||
|
||||
An overview of
|
||||
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
|
||||
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
|
||||
|
||||
Some components trust others to handle authentication for them.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
K[Keycloak]-->L[LDAP]
|
||||
N[Nextcloud]-->L
|
||||
A[OX AppSuite]-->L
|
||||
D[OX Dovecot]-->L
|
||||
P[Portal/Admin]-->L
|
||||
O[OpenProject]-->L
|
||||
X[XWiki]-->|in 2023|L
|
||||
A-->K
|
||||
N-->K
|
||||
D-->K
|
||||
O-->K
|
||||
X-->K
|
||||
P-->|SAML|K
|
||||
E[Element]-->K
|
||||
J[Jitsi]-->K
|
||||
I[IntercomService]-->K
|
||||
C[Collabora]-->N
|
||||
F[Postfix]-->D
|
||||
```
|
||||
|
||||
# Provisioning
|
||||
|
||||
Currently active provisioning is only done for OX AppSuite. The OX-Connector
|
||||
synchronizes creates, modifies and deletes activities for the following objects
|
||||
to the OX AppSuite using the AppSuite's SOAP API:
|
||||
|
||||
- Contexts
|
||||
- Users
|
||||
- Groups
|
||||
- Functional Mailboxes
|
||||
- Resources
|
||||
|
||||
# Component specific documentation
|
||||
|
||||
We want to provide more information per component in separate, component
|
||||
specific `README.md` files. In order to establish a common view on the
|
||||
components we are going to cover various aspects:
|
||||
|
||||
- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
|
||||
- **Resources**: Will contain a link to the components upstream documentation, the helm chart and image locations.
|
||||
- **Operational Capabilities**
|
||||
- **Install**: The components installs within the SWP.
|
||||
- **Restart**: Deleting and restarting pods works seamlessly.
|
||||
- **Update**: Redeploying the component with a different configuration works as expected. The component makes use of the updates configuration afterwards.
|
||||
- **Upgrade**: Component allows to upgrade existing deployments with more current versions of itself.
|
||||
- **Secrets**: The component uses K8s secrets.
|
||||
- **Logging**: Only logging to STDOUT, no logs inside the container.
|
||||
- **Monitoring**: Application provides based on kube-prometheus-stack CRD: ServiceMonitor and PrometheusRule. Optional: Grafana Dashboard.
|
||||
- **Scale**: If supported (as we use community products) the component should be manually scalable. Optional: Autoscaling.
|
||||
- **Network policies**: Deny by default, allow application related traffic.
|
||||
- **Uninstall**: Documented and working complete uninstallation of the component.
|
||||
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
|
||||
|
||||
## Links to component README.mds
|
||||
|
||||
- [Intercom-Service](./helmfile/apps/intercom-service/README.md)
|
||||
|
||||
## Tests
|
||||
|
||||
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
|
||||
The `DEPLOY_`-variables are used to determine which components should be tested.
|
||||
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
|
||||
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
|
||||
`<domain of gitlab>/api/v4/projects/<id>`.
|
||||
|
||||
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
|
||||
`TESTS_BRANCH` while creating a new pipeline.
|
||||
|
||||
|
||||
# Footnotes
|
||||
|
||||
[^1] Required for scaling components Nextcloud, Dovecot and ClamAV Distributed.
|
||||
# Copyright
|
||||
Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
|
||||
43
docs/ci.md
Normal file
43
docs/ci.md
Normal file
@@ -0,0 +1,43 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>CI/CD</h1>
|
||||
|
||||
This page will cover openDesk automation via Gitlab CI.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Deployment](#deployment)
|
||||
* [Tests](#tests)
|
||||
<!-- TOC -->
|
||||
|
||||
## Deployment
|
||||
|
||||
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
|
||||
|
||||
|
||||
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
|
||||
|
||||
- `DOMAIN` = The domain to deploy to.
|
||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||
|
||||
Based on your input, the following variables will be set:
|
||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
|
||||
|
||||
You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
|
||||
|
||||
|
||||
## Tests
|
||||
|
||||
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
|
||||
The `DEPLOY_`-variables are used to determine which components should be tested.
|
||||
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
|
||||
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
|
||||
`<domain of gitlab>/api/v4/projects/<id>`.
|
||||
|
||||
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
|
||||
`TESTS_BRANCH` while creating a new pipeline.
|
||||
178
docs/components.md
Normal file
178
docs/components.md
Normal file
@@ -0,0 +1,178 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Components</h1>
|
||||
|
||||
This section covers the internal system requirements as well as external service requirements for productive use.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Overview](#overview)
|
||||
* [Component integration](#component-integration)
|
||||
* [Intercom Service (ICS)](#intercom-service-ics)
|
||||
* [Filepicker](#filepicker)
|
||||
* [Central Navigation](#central-navigation)
|
||||
* [(Read & write) Central contacts](#read--write-central-contacts)
|
||||
* [OpenProject Filestore](#openproject-filestore)
|
||||
* [Identity data flows](#identity-data-flows)
|
||||
* [Provisioning](#provisioning)
|
||||
* [Component specific documentation](#component-specific-documentation)
|
||||
* [Links to component docs](#links-to-component-docs)
|
||||
<!-- TOC -->
|
||||
|
||||
## Overview
|
||||
|
||||
openDesk consists out of a variety of open-source projects. Here is a list with the description and type.
|
||||
|
||||
Components of type `Eval` are used for development and evaluation purposes only,
|
||||
they need to be replaced in production deployments.
|
||||
|
||||
| Component | Description | Type |
|
||||
|-----------------------------|--------------------------------|------------|
|
||||
| Certificates | TLS certificates | Eval |
|
||||
| ClamAV (Distributed) | Antivirus engine | Eval |
|
||||
| ClamAV (Simple) | Antivirus engine | Eval |
|
||||
| Collabora | Weboffice | Functional |
|
||||
| CryptPad | Weboffice | Functional |
|
||||
| Dovecot | Mail backend | Functional |
|
||||
| Element | Secure communications platform | Functional |
|
||||
| Intercom Service | Cross service data exchange | Functional |
|
||||
| Jitsi | Videoconferencing | Functional |
|
||||
| Keycloak | Identity Provider | Functional |
|
||||
| MariaDB | Database | Eval |
|
||||
| Memcached | Cache Database | Eval |
|
||||
| MinIO | Object Storage | Eval |
|
||||
| Nextcloud | File share | Functional |
|
||||
| OpenProject | Project management | Functional |
|
||||
| OX Appsuite | Groupware | Functional |
|
||||
| Provisioning | Backend provisioning | Functional |
|
||||
| Postfix | MTA | Eval |
|
||||
| PostgreSQL | Database | Eval |
|
||||
| Redis | Cache Database | Eval |
|
||||
| Univention Corporate Server | Identity Management & Portal | Functional |
|
||||
| Univention Management Stack | Identity Management & Portal | Eval |
|
||||
| XWiki | Knowledgebase | Functional |
|
||||
|
||||
## Component integration
|
||||
|
||||
Some use cases require inter component integration.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
|
||||
IntercomService-->|SilentLogin, TokenExchange|Keycloak
|
||||
IntercomService-->|Filepicker|Nextcloud
|
||||
IntercomService-->|CentralNavigation|Portal
|
||||
OXAppSuiteBackend-->|Filepicker|Nextcloud
|
||||
Nextcloud-->|CentralNavigation|Portal
|
||||
OpenProject-->|CentralNavigation|Portal
|
||||
XWiki-->|CentralNavigation|Portal
|
||||
Nextcloud-->|CentralContacts|OXAppSuiteBackend
|
||||
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
|
||||
```
|
||||
|
||||
### Intercom Service (ICS)
|
||||
|
||||
The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
|
||||
Handling authentication when the frontend of an application is using the API from another application is often a
|
||||
challenge.
|
||||
For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
|
||||
|
||||
To establish a session with the Intercom Service, the application that wants to use the ICS must initiate a silent
|
||||
login.
|
||||
|
||||
Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
|
||||
the ICS API.
|
||||
|
||||
### Filepicker
|
||||
|
||||
The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
|
||||
and saving attachments to Nextcloud.
|
||||
|
||||
The filepicker is using frontend and backend based integration.
|
||||
Frontend-based integration means that OX AppSuite in the browser is communicating with ICS.
|
||||
While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
|
||||
when adding a file to an email or storing a file into Nextcloud.
|
||||
|
||||
### Central Navigation
|
||||
|
||||
Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
|
||||
allow components to render the menu showing all available SWP applications for the user.
|
||||
|
||||
### (Read & write) Central contacts
|
||||
|
||||
Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
|
||||
Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
|
||||
available personal contact.
|
||||
|
||||
### OpenProject Filestore
|
||||
|
||||
By default, Nextcloud is a configured option for storing attachments in OpenProject.
|
||||
The Filestore can be enabled on a per-project level in OpenProject's project admin section.
|
||||
|
||||
|
||||
## Identity data flows
|
||||
|
||||
An overview of
|
||||
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
|
||||
- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
|
||||
|
||||
Some components trust others to handle authentication for them.
|
||||
|
||||
```mermaid
|
||||
flowchart TD
|
||||
K[Keycloak]-->L[LDAP]
|
||||
N[Nextcloud]-->L
|
||||
O[OpenProject] --> L
|
||||
A[OX AppSuite]-->L
|
||||
D[OX Dovecot]-->L
|
||||
P[Portal/Admin]-->L
|
||||
X[XWiki]-->|in 2023|L
|
||||
A-->K
|
||||
N-->K
|
||||
D-->K
|
||||
O-->K
|
||||
X-->K
|
||||
P-->|SAML|K
|
||||
E[Element]-->K
|
||||
J[Jitsi]-->K
|
||||
I[IntercomService]-->K
|
||||
C[Collabora]-->N
|
||||
R[CryptPad]-->N
|
||||
F[Postfix]-->D
|
||||
```
|
||||
|
||||
## Provisioning
|
||||
|
||||
Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and
|
||||
deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
|
||||
|
||||
- Contexts
|
||||
- Users
|
||||
- Groups
|
||||
- Functional Mailboxes
|
||||
- Resources
|
||||
|
||||
## Component specific documentation
|
||||
|
||||
We want to provide more information per component in separate, component-specific markdown file.
|
||||
To establish a common view on the components, we are going to cover various aspects:
|
||||
|
||||
- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
|
||||
- **Resources**: Will contain a link to the component upstream documentation, the helm chart and image locations.
|
||||
- **Operational Capabilities**
|
||||
- **Install**: The components install within the SWP.
|
||||
- **Restart**: Deleting and restarting pods works seamlessly.
|
||||
- **Update**: Redeploying the component with a different configuration works as expected. The component makes use of the updates configuration afterwards.
|
||||
- **Upgrade**: Component allows upgrading existing deployments with more current versions of itself.
|
||||
- **Secrets**: The component uses K8s secrets.
|
||||
- **Logging**: Only logging to STDOUT, no logs inside the container.
|
||||
- **Monitoring**: Application provides based on kube-prometheus-stack CRD: ServiceMonitor and PrometheusRule. Optional: Grafana Dashboard.
|
||||
- **Scale**: If supported (as we use community products) the component should be manually scalable. Optional: Autoscaling.
|
||||
- **Network policies**: Deny by default, allow application related traffic.
|
||||
- **Uninstall**: Documented and working complete uninstallation of the component.
|
||||
- **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
|
||||
|
||||
## Links to component docs
|
||||
|
||||
- [Intercom-Service](./components/intercom-service.md)
|
||||
110
docs/external-services.md
Normal file
110
docs/external-services.md
Normal file
@@ -0,0 +1,110 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>External services</h1>
|
||||
|
||||
This document will cover the additional configuration to use external services like databases, caches or buckets.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Database](#database)
|
||||
* [Objectstore](#objectstore)
|
||||
* [Cache](#cache)
|
||||
<!-- TOC -->
|
||||
|
||||
## Database
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade database
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
|
||||
| Element | Synapse | PostgreSQL | | | |
|
||||
| | | | Name | `databases.synapse.name` | `matrix` |
|
||||
| | | | Host | `databases.synapse.host` | `postgresql` |
|
||||
| | | | Port | `databases.synapse.port` | `5432` |
|
||||
| | | | Username | `databases.synapse.username` | `matrix_user` |
|
||||
| | | | Password | `databases.synapse.password` | |
|
||||
| Keycloak | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloak.name` | `keycloak` |
|
||||
| | | | Host | `databases.keycloak.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloak.port` | `5432` |
|
||||
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
|
||||
| | | | Password | `databases.keycloak.password` | |
|
||||
| | Keycloak Extension | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
|
||||
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||
| | | | Password | `databases.keycloakExtension.password` | |
|
||||
| UMS | Notifications API | PostgreSQL | | | |
|
||||
| | | | Name | `databases.umsNotificationsApi.name` | `notificationsapi` |
|
||||
| | | | Host | `databases.umsNotificationsApi.host` | `postgresql` |
|
||||
| | | | Port | `databases.umsNotificationsApi.port` | `5432` |
|
||||
| | | | Username | `databases.umsNotificationsApi.username` | `notificationsapi_user` |
|
||||
| | | | Password | `databases.umsNotificationsApi.password` | |
|
||||
| | Self Service | PostgreSQL | | | |
|
||||
| | | | Name | `databases.umsSelfservice.name` | `selfservice` |
|
||||
| | | | Host | `databases.umsSelfservice.host` | `postgresql` |
|
||||
| | | | Port | `databases.umsSelfservice.port` | `5432` |
|
||||
| | | | Username | `databases.umsSelfservice.username` | `selfservice_user` |
|
||||
| | | | Password | `databases.umsSelfservice.password` | |
|
||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
|
||||
| | | | Password | `databases.nextcloud.password` | |
|
||||
| OpenProject | OpenProject | PostgreSQL | | | |
|
||||
| | | | Name | `databases.openproject.name` | `openproject` |
|
||||
| | | | Host | `databases.openproject.host` | `postgresql` |
|
||||
| | | | Port | `databases.openproject.port` | `5432` |
|
||||
| | | | Username | `databases.openproject.username` | `openproject_user` |
|
||||
| | | | Password | `databases.openproject.password` | |
|
||||
| OX Appsuite | OX Appsuite | MariaDB | | | |
|
||||
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
|
||||
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
|
||||
| | | | Username | `databases.oxAppsuite.username` | `root` |
|
||||
| | | | Password | `databases.oxAppsuite.password` | |
|
||||
| XWiki | XWiki | MariaDB | | | |
|
||||
| | | | Name | `databases.xwiki.name` | `xwiki` |
|
||||
| | | | Host | `databases.xwiki.host` | `mariadb` |
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
|
||||
## Objectstore
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade objectstore
|
||||
service.
|
||||
|
||||
| Component | Name | Parameter | Key | Default |
|
||||
|-------------|-------------|-----------------|------------------------------------------|--------------------|
|
||||
| OpenProject | OpenProject | | | |
|
||||
| | | Backend | `objectstores.openproject.backend` | `minio` |
|
||||
| | | Bucket | `objectstores.openproject.bucket` | `openproject` |
|
||||
| | | Endpoint | `objectstores.openproject.endpoint` | |
|
||||
| | | Provider | `objectstores.openproject.provider` | `AWS` |
|
||||
| | | Region | `objectstores.openproject.region` | |
|
||||
| | | Secret | `objectstores.openproject.secret` | |
|
||||
| | | Username | `objectstores.openproject.username` | `openproject_user` |
|
||||
| | | Use IAM profile | `objectstores.openproject.useIAMProfile` | |
|
||||
|
||||
## Cache
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade cache
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|------------------|------------------|-----------|-----------|------------------------------|------------------|
|
||||
| Intercom Service | Intercom Service | Redis | | | |
|
||||
| | | | Host | `cache.intercomService.host` | `redis-headless` |
|
||||
| | | | Port | `cache.intercomService.port` | `6379` |
|
||||
| Nextcloud | Nextcloud | Redis | | | |
|
||||
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
|
||||
| | | | Port | `cache.nextcloud.port` | `6379` |
|
||||
| OpenProject | OpenProject | Memcached | | | |
|
||||
| | | | Host | `cache.openproject.host` | `memcached` |
|
||||
| | | | Port | `cache.openproject.port` | `11211` |
|
||||
| UMS | Self Service | Memcached | | | |
|
||||
| | | | Host | `cache.umsSelfservice.host` | `memcached` |
|
||||
| | | | Port | `cache.umsSelfservice.port` | `11211` |
|
||||
432
docs/getting-started.md
Normal file
432
docs/getting-started.md
Normal file
@@ -0,0 +1,432 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Getting stated</h1>
|
||||
|
||||
This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Requirements](#requirements)
|
||||
* [Customize environment](#customize-environment)
|
||||
* [Domain](#domain)
|
||||
* [Apps](#apps)
|
||||
* [Private Image registry](#private-image-registry)
|
||||
* [Private Helm registry](#private-helm-registry)
|
||||
* [Cluster capabilities](#cluster-capabilities)
|
||||
* [Service](#service)
|
||||
* [Networking](#networking)
|
||||
* [Ingress](#ingress)
|
||||
* [Container runtime](#container-runtime)
|
||||
* [Volumes](#volumes)
|
||||
* [Connectivity](#connectivity)
|
||||
* [Mail/SMTP configuration](#mailsmtp-configuration)
|
||||
* [TURN configuration](#turn-configuration)
|
||||
* [Certificate issuer](#certificate-issuer)
|
||||
* [Password seed](#password-seed)
|
||||
* [Install](#install)
|
||||
* [Install single app](#install-single-app)
|
||||
* [Install single release/chart](#install-single-releasechart)
|
||||
* [Access deployment](#access-deployment)
|
||||
* [Uninstall](#uninstall)
|
||||
<!-- TOC -->
|
||||
|
||||
Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to
|
||||
deploy openDesk onto your kubernetes infrastructure.
|
||||
|
||||
## Requirements
|
||||
|
||||
Detailed system requirements are covered on [requirements](requirements.md) page.
|
||||
|
||||
## Customize environment
|
||||
|
||||
Before deploying openDesk, you have to configure the deployment to suit your environment.
|
||||
To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment
|
||||
files.
|
||||
|
||||
> All configuration options and their default values can be found in files at `helmfile/environments/default/`
|
||||
|
||||
For the following guide, we will use `dev` as environment, where variables can be set in
|
||||
`helmfile/environments/dev/values.yaml`.
|
||||
|
||||
### Domain
|
||||
|
||||
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
|
||||
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
|
||||
|
||||
A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
|
||||
|
||||
All subdomains can be customized. For example, _Nextcloud_ can be changed to `files.domain.tld` in `dev` environment:
|
||||
|
||||
```yaml
|
||||
global:
|
||||
hosts:
|
||||
nextcloud: "files"
|
||||
```
|
||||
|
||||
The domain have to be set either via `dev` environment
|
||||
|
||||
```yaml
|
||||
global:
|
||||
domain: "my.open.desk"
|
||||
istio:
|
||||
domain: "istio.my.open.desk"
|
||||
```
|
||||
|
||||
or via environment variable
|
||||
|
||||
```shell
|
||||
export DOMAIN=my.open.desk
|
||||
export ISTIO_DOMAIN=istio.my.open.desk
|
||||
```
|
||||
|
||||
When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
|
||||
|
||||
Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
|
||||
|
||||
```yaml
|
||||
istio:
|
||||
enabled: false
|
||||
oxAppsuite:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
### Apps
|
||||
|
||||
All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
|
||||
|
||||
| Component | Name | Default | Description |
|
||||
|-----------------------------|-------------------------------------|---------|--------------------------------|
|
||||
| Certificates | `certificates.enabled` | `true` | TLS certificates |
|
||||
| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine |
|
||||
| ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine |
|
||||
| Collabora | `collabora.enabled` | `true` | Weboffice |
|
||||
| CryptPad | `cryptpad.enabled` | `true` | Weboffice |
|
||||
| Dovecot | `dovecot.enabled` | `true` | Mail backend |
|
||||
| Element | `element.enabled` | `true` | Secure communications platform |
|
||||
| Intercom Service | `intercom.enabled` | `true` | Cross service data exchange |
|
||||
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing |
|
||||
| Keycloak | `keycloak.enabled` | `true` | Identity Provider |
|
||||
| MariaDB | `mariadb.enabled` | `true` | Database |
|
||||
| Memcached | `memcached.enabled` | `true` | Cache Database |
|
||||
| MinIO | `minio.enabled` | `true` | Object Storage |
|
||||
| Nextcloud | `nextcloud.enabled` | `true` | File share |
|
||||
| OpenProject | `openproject.enabled` | `true` | Project management |
|
||||
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware |
|
||||
| Provisioning | `oxConnector.enabled` | `true` | Backend provisioning |
|
||||
| Postfix | `postfix.enabled` | `true` | MTA |
|
||||
| PostgreSQL | `postgresql.enabled` | `true` | Database |
|
||||
| Redis | `redis.enabled` | `true` | Cache Database |
|
||||
| Univention Corporate Server | `univentionCorporateServer.enabled` | `true` | Identity Management & Portal |
|
||||
| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal |
|
||||
| XWiki | `xwiki.enabled` | `true` | Knowledgebase |
|
||||
|
||||
Exemplary, Jitsi can be disabled like:
|
||||
|
||||
```yaml
|
||||
jitsi:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
### Private Image registry
|
||||
|
||||
By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
|
||||
OCI registries provided by Open CoDE.
|
||||
|
||||
You also can set your own registry by:
|
||||
|
||||
```yaml
|
||||
global:
|
||||
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
|
||||
```
|
||||
|
||||
or via environments variable:
|
||||
|
||||
```shell
|
||||
export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
|
||||
```
|
||||
|
||||
If authentication is required, you can reference imagePullSecrets as following:
|
||||
```yaml
|
||||
global:
|
||||
imagePullSecrets:
|
||||
- "external-registry"
|
||||
```
|
||||
|
||||
### Private Helm registry
|
||||
|
||||
Some apps use OCI style registry and some use Helm chart museum style registries.
|
||||
In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
|
||||
or version.
|
||||
|
||||
As an example, you can also use helmfile methods to use just a single environment variable to set registry and
|
||||
authentication for all OCI helm charts.
|
||||
|
||||
```yaml
|
||||
charts:
|
||||
certificates:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
```
|
||||
|
||||
There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
|
||||
The following environment variables have to be exposed when using the example:
|
||||
|
||||
| Environment variable | Description |
|
||||
|-------------------------------------|--------------------------------------------------------------------------------------------|
|
||||
| `OD_PRIVATE_HELM_OCI_REGISTRY` | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de` |
|
||||
| `OD_PRIVATE_HELM_HTTP_REGISTRY` | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
|
||||
| `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username |
|
||||
| `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password |
|
||||
|
||||
|
||||
### Cluster capabilities
|
||||
|
||||
#### Service
|
||||
|
||||
Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections.
|
||||
These apps create a Kubernetes service object.
|
||||
You can configure, whether `NodePort` (for on-premise), `LoadBalancer` (for cloud) or `ClusterIP` (to disable) should be
|
||||
used:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
service:
|
||||
type: "NodePort"
|
||||
```
|
||||
|
||||
#### Networking
|
||||
|
||||
If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
networking:
|
||||
domain: "acme.internal"
|
||||
```
|
||||
|
||||
If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
networking:
|
||||
cidr: "127.0.0.0/8"
|
||||
```
|
||||
|
||||
#### Ingress
|
||||
|
||||
By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
|
||||
setting:
|
||||
|
||||
```yaml
|
||||
ingress:
|
||||
ingressClassName: "cilium"
|
||||
```
|
||||
|
||||
#### Container runtime
|
||||
|
||||
Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`,
|
||||
`containerd` or `docker` by:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
container:
|
||||
engine: "containerd"
|
||||
```
|
||||
|
||||
#### Volumes
|
||||
|
||||
When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By
|
||||
default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
|
||||
|
||||
```yaml
|
||||
cluster:
|
||||
persistence:
|
||||
readWriteMany: true
|
||||
```
|
||||
|
||||
The **StorageClass** can be set by:
|
||||
|
||||
```yaml
|
||||
persistence:
|
||||
storageClassNames:
|
||||
RWX: "my-read-write-many-class"
|
||||
RWO: "my-read-write-once-class"
|
||||
```
|
||||
|
||||
### Connectivity
|
||||
|
||||
#### Mail/SMTP configuration
|
||||
|
||||
To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from
|
||||
the whole subdomain.
|
||||
|
||||
```yaml
|
||||
smtp:
|
||||
host: "mail.open.desk"
|
||||
username: "openDesk"
|
||||
password: "secret"
|
||||
```
|
||||
|
||||
#### TURN configuration
|
||||
|
||||
Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
|
||||
these options:
|
||||
|
||||
```yaml
|
||||
turn:
|
||||
transport: "udp" # or tcp
|
||||
credentials: "secret"
|
||||
server:
|
||||
host: "turn.open.desk"
|
||||
port: "3478"
|
||||
tls:
|
||||
host: "turns.open.desk"
|
||||
port: "5349"
|
||||
```
|
||||
|
||||
#### Certificate issuer
|
||||
|
||||
As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS
|
||||
secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can
|
||||
disable `Certificate` resource creation by:
|
||||
|
||||
```yaml
|
||||
certificates:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the
|
||||
configured cluster issuer:
|
||||
|
||||
```yaml
|
||||
certificate:
|
||||
issuerRef:
|
||||
name: "letsencrypt-prod"
|
||||
```
|
||||
|
||||
Additionally, it is possible to request wildcard certificates by:
|
||||
|
||||
```yaml
|
||||
certificate:
|
||||
wildcard: true
|
||||
```
|
||||
|
||||
### Password seed
|
||||
|
||||
All secrets are generated from a single master password via Master Password (algorithm).
|
||||
To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
|
||||
|
||||
```shell
|
||||
export MASTER_PASSWORD="openDesk"
|
||||
```
|
||||
|
||||
## Install
|
||||
|
||||
After setting your environment specific values in `dev` environment, you can start deployment by:
|
||||
|
||||
```shell
|
||||
helmfile apply -e dev -n <NAMESPACE> [-l <label>] [--suppress-diff]
|
||||
```
|
||||
|
||||
**Arguments:**
|
||||
|
||||
- `-e <env>`: Environment name out of `default`, `dev`, `test`, `prod`
|
||||
- `-n <namespace>`: Kubernetes namespace
|
||||
- `-l <label>`: Label selector
|
||||
- `--suppress-diff`: Disable diff printing
|
||||
|
||||
### Install single app
|
||||
|
||||
You can also install or upgrade only a single app like Collabora, either by label selector:
|
||||
|
||||
```shell
|
||||
helmfile apply -e dev -n <NAMESPACE> -l component=collabora
|
||||
```
|
||||
|
||||
or by switching into the apps' directory (faster):
|
||||
|
||||
```shell
|
||||
cd helmfile/apps/collabora
|
||||
helmfile apply -e dev -n <NAMESPACE>
|
||||
```
|
||||
|
||||
### Install single release/chart
|
||||
|
||||
Instead of iteration through all services, you can also deploy a single release like mariadb by:
|
||||
|
||||
```shell
|
||||
helmfile apply -e dev -n <NAMESPACE> -l name=mariadb
|
||||
```
|
||||
|
||||
## Access deployment
|
||||
|
||||
When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to
|
||||
|
||||
```text
|
||||
https://portal.domain.tld
|
||||
```
|
||||
|
||||
If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal`
|
||||
by your specified subdomain.
|
||||
|
||||
**Credentials:**
|
||||
|
||||
```shell
|
||||
# Replace with your namespace
|
||||
NAMESPACE=your-namespace
|
||||
|
||||
# Get UCS container, which contains passwords as env var.
|
||||
CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}')
|
||||
# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container
|
||||
#
|
||||
# NAME READY STATUS RESTARTS AGE
|
||||
# univention-corporate-container-8665c6f8b7-nlhc6 1/1 Running 0 10m
|
||||
|
||||
|
||||
# Password of `default.user`
|
||||
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
|
||||
# 40615..............................e9e2f
|
||||
|
||||
# Password of `default.admin`
|
||||
kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
|
||||
# bdbbb..............................04db6
|
||||
```
|
||||
|
||||
Now you can log in with obtained credentials:
|
||||
|
||||
| Username | Password | Description |
|
||||
|-----------------|--------------------------------------------|------------------|
|
||||
| `default.user` | `40615..............................e9e2f` | Application user |
|
||||
| `default.admin` | `bdbbb..............................04db6` | Administrator |
|
||||
|
||||
## Uninstall
|
||||
|
||||
You can uninstall the deployment by:
|
||||
|
||||
```shell
|
||||
helmfile destroy -n <NAMESPACE>
|
||||
```
|
||||
|
||||
> **Note**
|
||||
> Not all Jobs, PersistentVolumeClaims or Certificates are deleted; you have to delete them manually
|
||||
|
||||
**'Sledgehammer destroy'** - for fast development turn-around times (at your own risk):
|
||||
|
||||
```shell
|
||||
NAMESPACE=your-namespace
|
||||
|
||||
# Uninstall all Helm charts
|
||||
for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
|
||||
helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
|
||||
done
|
||||
|
||||
# Delete leftover resources
|
||||
kubectl delete pvc --all --namespace ${NAMESPACE};
|
||||
kubectl delete jobs --all --namespace ${NAMESPACE};
|
||||
```
|
||||
|
||||
> **Warning**
|
||||
> Without specifying or empty `--namespace` flag, cluster-wide components get deleted!
|
||||
71
docs/monitoring.md
Normal file
71
docs/monitoring.md
Normal file
@@ -0,0 +1,71 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Monitoring</h1>
|
||||
|
||||
This document will cover how you can enable observability with Prometheus based monitoring and Grafana dashboards, as
|
||||
well as the overall status of monitoring integration.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Technology](#technology)
|
||||
* [Defaults](#defaults)
|
||||
* [Metrics](#metrics)
|
||||
* [Alerts](#alerts)
|
||||
* [Dashboards for Grafana](#dashboards-for-grafana)
|
||||
* [Components](#components)
|
||||
<!-- TOC -->
|
||||
|
||||
## Technology
|
||||
|
||||
We provide integration into the Prometheus based monitoring.
|
||||
Together with
|
||||
[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) you
|
||||
easily leverage the full potential of open-source cloud-native observability stack.
|
||||
|
||||
Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
|
||||
repository or prometheus operator.
|
||||
|
||||
## Defaults
|
||||
|
||||
All configurable options and their defaults can be found in
|
||||
[`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml).
|
||||
|
||||
## Metrics
|
||||
|
||||
To deploy podMonitor and serviceMonitor custom resources, enable it by:
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
serviceMonitors:
|
||||
enabled: true
|
||||
podMonitors:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Alerts
|
||||
|
||||
Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
|
||||
|
||||
```yaml
|
||||
prometheus:
|
||||
prometheusRules:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Dashboards for Grafana
|
||||
|
||||
To deploy optional ConfigMaps with Grafana dashboards, enable it by:
|
||||
|
||||
```yaml
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Components
|
||||
| Component | Metrics (pod- or serviceMonitor) | Alerts (prometheusRule) | Dashboard (Grafana) |
|
||||
|:----------|-----------------------------------|-------------------------|---------------------|
|
||||
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
|
||||
| Nextcloud | :white_check_mark: | :x: | :x: |
|
||||
105
docs/requirements.md
Normal file
105
docs/requirements.md
Normal file
@@ -0,0 +1,105 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Requirements</h1>
|
||||
|
||||
This section covers the internal system requirements as well as external service requirements for productive use.
|
||||
|
||||
<!-- TOC -->
|
||||
* [TL;DR;](#tldr)
|
||||
* [Hardware](#hardware)
|
||||
* [Kubernetes](#kubernetes)
|
||||
* [Ingress controller](#ingress-controller)
|
||||
* [Volume provisioner](#volume-provisioner)
|
||||
* [Certificate management](#certificate-management)
|
||||
* [External services](#external-services)
|
||||
* [Deployment](#deployment)
|
||||
<!-- TOC -->
|
||||
|
||||
## TL;DR;
|
||||
openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
|
||||
|
||||
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
|
||||
- Domain and DNS Service
|
||||
- Ingress controller (supported are nginx-ingress, HAProxy)
|
||||
- [Helm](https://helm.sh/) >= v3.9.0
|
||||
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
|
||||
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
|
||||
- Volume provisioner supporting RWO (read-write-once)
|
||||
- Certificate handling with [cert-manager](https://cert-manager.io/)
|
||||
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
|
||||
|
||||
## Hardware
|
||||
|
||||
The following minimal requirements are thought for initial evaluation deployment:
|
||||
|
||||
| Spec | Value |
|
||||
|------|------------------------------------------------------|
|
||||
| CPU | 8 Cores of x64 or x86 CPU (ARM is not supported yet) |
|
||||
| RAM | 16 GB, recommended 32 GB |
|
||||
| Disk | HDD or SSD, >10 GB |
|
||||
|
||||
## Kubernetes
|
||||
|
||||
Any self-hosted or managed K8s cluster >= 1.24 listed in
|
||||
[CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported.
|
||||
|
||||
The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/kubespray) based clusters.
|
||||
|
||||
> **Note:** The deployment is not tested against OpenShift.
|
||||
|
||||
## Ingress controller
|
||||
|
||||
The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
|
||||
configured ingress controller deployed.
|
||||
|
||||
**Maintained controllers:**
|
||||
- [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
|
||||
- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
|
||||
|
||||
**Community Supported:**
|
||||
- [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
|
||||
|
||||
When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
|
||||
|
||||
## Volume provisioner
|
||||
|
||||
Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
|
||||
provisioner is sufficient.
|
||||
|
||||
> **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling.
|
||||
|
||||
## Certificate management
|
||||
|
||||
This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**,
|
||||
but a secret containing a valid TLS certificate is required.
|
||||
|
||||
Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or
|
||||
openDesk certificate management disabled.
|
||||
|
||||
## External services
|
||||
|
||||
Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
|
||||
|
||||
|
||||
| Group | Type | Version | Tested against |
|
||||
|----------|---------------------|---------|-----------------------|
|
||||
| Cache | Memached | `1.6.x` | Memached |
|
||||
| | Redis | `7.x.x` | Redis |
|
||||
| Database | MariaDB | `10.x` | MariaDB |
|
||||
| | PostgreSQL | `15.x` | PostgreSQL |
|
||||
| Mail | Mail Transfer Agent | | Postfix |
|
||||
| | PKI/CI (SMIME) | | |
|
||||
| Security | AntiVirus/ICAP | | ClamAV |
|
||||
| Storage | K8s ReadWriteOnce | | Ceph / Cloud specific |
|
||||
| | K8s ReadWriteMany | | Ceph / NFS |
|
||||
| | Object Storage | | MinIO |
|
||||
| Voice | TURN | | Coturn |
|
||||
|
||||
## Deployment
|
||||
|
||||
The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and
|
||||
templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience.
|
||||
|
||||
Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare desired against deployed state.
|
||||
52
docs/scaling.md
Normal file
52
docs/scaling.md
Normal file
@@ -0,0 +1,52 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Scaling</h1>
|
||||
|
||||
This document should cover the abilities to scale apps.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Replicas](#replicas)
|
||||
<!-- TOC -->
|
||||
|
||||
## Replicas
|
||||
|
||||
The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
|
||||
apps with a check-mark in `Scaling (effective)` column.
|
||||
|
||||
Verified positive effects are marke with a check-mark in `Scaling (verified)` column, apps which are not yet tested are
|
||||
marked with a gear.
|
||||
|
||||
|
||||
| Component | Name | Scaling (effective) | Scaling (verified) |
|
||||
|-------------|------------------------------------------|:-------------------:|:------------------:|
|
||||
| ClamAV | `replicas.clamav` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.clamd` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.freshclam` | :x: | :x: |
|
||||
| | `replicas.icap` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.milter` | :white_check_mark: | :white_check_mark: |
|
||||
| Collabora | `replicas.collabora` | :white_check_mark: | :gear: |
|
||||
| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: |
|
||||
| Dovecot | `replicas.dovecot` | :x: | :gear: |
|
||||
| Element | `replicas.element` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.matrixNeoBoardWidget` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixNeoChoiceWidget` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixNeoDateFixBot` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixNeoDateFixWidget` | :white_check_mark: | :gear: |
|
||||
| | `replicas.matrixUserVerificationService` | :white_check_mark: | :gear: |
|
||||
| | `replicas.synapse` | :x: | :gear: |
|
||||
| | `replicas.synapseWeb` | :white_check_mark: | :white_check_mark: |
|
||||
| | `replicas.wellKnown` | :white_check_mark: | :white_check_mark: |
|
||||
| Jitsi | `replicas.jibri` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jicofo` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jitsi ` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jitsiKeycloakAdapter` | :white_check_mark: | :gear: |
|
||||
| | `replicas.jvb ` | :x: | :x: |
|
||||
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
|
||||
| Minio | `replicas.minioDistributed` | :white_check_mark: | :white_check_mark: |
|
||||
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
|
||||
| OpenProject | `replicas.openproject` | :white_check_mark: | :gear: |
|
||||
| Postfix | `replicas.postfix` | :x: | :gear: |
|
||||
| XWiki | `replicas.xwiki` | :white_check_mark: | :gear: |
|
||||
121
docs/security.md
Normal file
121
docs/security.md
Normal file
@@ -0,0 +1,121 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Security</h1>
|
||||
|
||||
This document should cover the current status of security measurements.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
|
||||
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
|
||||
* [NetworkPolicies](#networkpolicies)
|
||||
<!-- TOC -->
|
||||
|
||||
## Helm Chart Trust Chain
|
||||
|
||||
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
|
||||
`pubkey.gpg` file and are validated during helmfile installation.
|
||||
|
||||
| Repository | OCI | Verifiable |
|
||||
|--------------------------------------|:---:|:------------------:|
|
||||
| bitnami-repo (openDesk build) | yes | :white_check_mark: |
|
||||
| clamav-repo | yes | :white_check_mark: |
|
||||
| collabora-online-repo | no | :x: |
|
||||
| cryptpad-online-repo | no | :x: |
|
||||
| intercom-service-repo | yes | :white_check_mark: |
|
||||
| istio-resources-repo | yes | :white_check_mark: |
|
||||
| jitsi-repo | yes | :white_check_mark: |
|
||||
| keycloak-extensions-repo | no | :x: |
|
||||
| keycloak-theme-repo | yes | :white_check_mark: |
|
||||
| mariadb-repo | yes | :white_check_mark: |
|
||||
| nextcloud-repo | no | :x: |
|
||||
| opendesk-certificates-repo | yes | :white_check_mark: |
|
||||
| opendesk-dovecot-repo | yes | :white_check_mark: |
|
||||
| opendesk-element-repo | yes | :white_check_mark: |
|
||||
| opendesk-keycloak-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-nextcloud-bootstrap-repo | yes | :white_check_mark: |
|
||||
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
|
||||
| openproject-repo | yes | :white_check_mark: |
|
||||
| openxchange-repo | yes | :x: |
|
||||
| ox-connector-repo | no | :x: |
|
||||
| postfix-repo | yes | :white_check_mark: |
|
||||
| postgresql-repo | yes | :white_check_mark: |
|
||||
| univention-corporate-container-repo | yes | :white_check_mark: |
|
||||
| ums-repo | no | :x: |
|
||||
| xwiki-repo | no | :x: |
|
||||
|
||||
## Kubernetes Security Enforcements
|
||||
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
|
||||
| UCC | univention-corporate-container | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
|
||||
## NetworkPolicies
|
||||
|
||||
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
|
||||
When applied, they restrict the traffic to your services.
|
||||
This protects other deployments in your cluster or other services in your deployment to get compromised when one
|
||||
component is compromised.
|
||||
|
||||
We ship a default set of Otterize ClientIntents via
|
||||
[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
|
||||
(IBAC) into kubernetes native NetworkPolicies.
|
||||
|
||||
This requires the Otterize intents operator to be installed.
|
||||
|
||||
```yaml
|
||||
security:
|
||||
otterizeIntents:
|
||||
enabled: true
|
||||
```
|
||||
59
docs/theming.md
Normal file
59
docs/theming.md
Normal file
@@ -0,0 +1,59 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
<h1>Theming</h1>
|
||||
|
||||
This document will cover the theming and customization of your openDesk deployment.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Strings and texts](#strings-and-texts)
|
||||
* [Colors](#colors)
|
||||
* [Images and Logos](#images-and-logos)
|
||||
* [Known limits](#known-limits)
|
||||
<!-- TOC -->
|
||||
|
||||
## Strings and texts
|
||||
|
||||
The deployment name can be changed by:
|
||||
|
||||
```yaml
|
||||
theme:
|
||||
texts:
|
||||
productName: "openDesk Cloud"
|
||||
```
|
||||
|
||||
## Colors
|
||||
|
||||
The primary color and their derivates with lesser opacity be customized by:
|
||||
|
||||
```yaml
|
||||
theme:
|
||||
colors:
|
||||
primary: "#5e27dd"
|
||||
primary65: "#9673e9"
|
||||
primary35: "#c7b3f3"
|
||||
primary15: "#e7dffa"
|
||||
```
|
||||
|
||||
## Images and Logos
|
||||
|
||||
You can customize the logo and favicon by providing SVG or icon as inline value:
|
||||
|
||||
```yaml
|
||||
theme:
|
||||
imagery:
|
||||
logoHeaderSvg: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
|
||||
logoHeaderSvgWhite: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
|
||||
logoPortalBackgroundSvg: '<?xml version="1.0" encoding="UTF-8"?>...</svg>'
|
||||
faviconIco: "..."
|
||||
```
|
||||
|
||||
## Known limits
|
||||
|
||||
Not all applications support theming. Known exceptions are:
|
||||
- Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
|
||||
for theming through the deployment).
|
||||
- OpenProject
|
||||
- Jitsi
|
||||
266
examples/private-helm-registry.yaml.gotmpl
Normal file
266
examples/private-helm-registry.yaml.gotmpl
Normal file
@@ -0,0 +1,266 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
charts:
|
||||
certificates:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
clamav:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
clamavSimple:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
collabora:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
cryptpad:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
dovecot:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
element:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
elementWellKnown:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
intercomService:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
istioResources:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
jitsi:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
keycloak:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
keycloakBootstrap:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
keycloakExtensions:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
keycloakTheme:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
mariadb:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
matrixNeoboardWidget:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
matrixNeochoiseWidget:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
matrixNeodatefixBot:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
matrixNeodatefixWidget:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
matrixUserVerificationService:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
memcached:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
minio:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
nextcloud:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
nextcloudBootstrap:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
nginx:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
openproject:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
openprojectBootstrap:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
openXchangeAppSuite:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
openXchangeAppSuiteBootstrap:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
otterize:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
oxConnector:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
postfix:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
postgresql:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
redis:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
synapse:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
synapseCreateAccount:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
synapseWeb:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsLdapNotifier:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsLdapServer:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsNotificationsApi:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsPortalFrontend:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsPortalListener:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsPortalServer:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsStackDataSwp:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsStackDataUms:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsStoreDav:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsUdmRestApi:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsUmcGateway:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
umsUmcServer:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
univentionCorporateServer:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
|
||||
xwiki:
|
||||
registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
|
||||
username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
|
||||
...
|
||||
@@ -20,6 +20,7 @@ helmfiles:
|
||||
- path: "helmfile/apps/openproject/helmfile.yaml"
|
||||
- path: "helmfile/apps/xwiki/helmfile.yaml"
|
||||
- path: "helmfile/apps/provisioning/helmfile.yaml"
|
||||
- path: "helmfile/apps/openproject-bootstrap/helmfile.yaml"
|
||||
|
||||
missingFileHandler: "Error"
|
||||
|
||||
@@ -28,7 +29,7 @@ missingFileHandler: "Error"
|
||||
# - Installing all releases from root via helmfile apply
|
||||
# - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
|
||||
# - Installing a single release from app directory via helmfile apply
|
||||
# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
|
||||
# Issue: https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues/2
|
||||
|
||||
environments:
|
||||
default:
|
||||
|
||||
@@ -1,27 +1,27 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# Collabora Online
|
||||
# Source: https://github.com/CollaboraOnline/online
|
||||
- name: "collabora-online-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://collaboraonline.github.io/online" }}
|
||||
username: "{{ .Values.charts.collabora.username }}"
|
||||
password: {{ .Values.charts.collabora.password | quote }}
|
||||
url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "collabora-online"
|
||||
chart: "collabora-online-repo/collabora-online"
|
||||
version: "1.0.2"
|
||||
chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
|
||||
version: "{{ .Values.charts.collabora.version }}"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
condition: "collabora.enabled"
|
||||
installed: {{ .Values.collabora.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "collabora"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -5,37 +5,55 @@ SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
|
||||
tag: "{{ .Values.images.collabora.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: {{ .Values.images.collabora.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: "{{ .Values.ingress.ingressClassName }}"
|
||||
className: {{ .Values.ingress.ingressClassName | quote }}
|
||||
hosts:
|
||||
- host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
|
||||
paths:
|
||||
- path: "/"
|
||||
pathType: "Prefix"
|
||||
tls:
|
||||
- secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
- secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
hosts:
|
||||
- "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
|
||||
|
||||
collabora:
|
||||
# Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
|
||||
username: "collabora-internal-admin"
|
||||
password: {{ .Values.secrets.collabora.adminPassword }}
|
||||
password: {{ .Values.secrets.collabora.adminPassword | quote }}
|
||||
aliasgroups:
|
||||
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
|
||||
|
||||
|
||||
replicaCount: {{ .Values.replicas.collabora }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.collabora | toYaml | nindent 2 }}
|
||||
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
rules:
|
||||
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
|
||||
additionalLabels:
|
||||
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
|
||||
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: {{ .Values.grafana.dashboards.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
|
||||
annotations:
|
||||
{{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
|
||||
|
||||
...
|
||||
|
||||
27
helmfile/apps/cryptpad/helmfile.yaml
Normal file
27
helmfile/apps/cryptpad/helmfile.yaml
Normal file
@@ -0,0 +1,27 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# CryptPad
|
||||
# Source: https://github.com/cryptpad/helm
|
||||
- name: "cryptpad-repo"
|
||||
username: "{{ .Values.charts.cryptpad.username }}"
|
||||
password: {{ .Values.charts.cryptpad.password | quote }}
|
||||
url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "cryptpad"
|
||||
chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
|
||||
version: "{{ .Values.charts.cryptpad.version }}"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
installed: {{ .Values.cryptpad.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "cryptpad"
|
||||
...
|
||||
33
helmfile/apps/cryptpad/values.gotmpl
Normal file
33
helmfile/apps/cryptpad/values.gotmpl
Normal file
@@ -0,0 +1,33 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
|
||||
tag: {{ .Values.images.cryptpad.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName | quote }}
|
||||
hosts:
|
||||
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
|
||||
paths:
|
||||
- path: "/"
|
||||
pathType: "ImplementationSpecific"
|
||||
tls:
|
||||
- secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
hosts:
|
||||
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
|
||||
|
||||
replicaCount: {{ .Values.replicas.cryptpad }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
|
||||
...
|
||||
51
helmfile/apps/cryptpad/values.yaml
Normal file
51
helmfile/apps/cryptpad/values.yaml
Normal file
@@ -0,0 +1,51 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
|
||||
# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
|
||||
|
||||
# Disable registration and access to unregistered users:
|
||||
# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
|
||||
|
||||
application_config:
|
||||
availablePadTypes:
|
||||
- "diagram"
|
||||
|
||||
# Deactivating public access breaks nextcloud plugin!
|
||||
# registeredOnlyTypes:
|
||||
# - "diagram"
|
||||
|
||||
autoscaling:
|
||||
enabled: false
|
||||
|
||||
enableEmbedding: true
|
||||
|
||||
fullnameOverride: "cryptpad"
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
nginx.org/websocket-services: "cryptpad"
|
||||
|
||||
persistence:
|
||||
enabled: false
|
||||
|
||||
podSecurityContext:
|
||||
fsGroup: 4001
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
# readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 4001
|
||||
runAsGroup: 4001
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
|
||||
workloadStateful: false
|
||||
...
|
||||
@@ -1,56 +1,189 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Element
|
||||
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
|
||||
- name: "opendesk-element-repo"
|
||||
- name: "element-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.element.verify }}
|
||||
username: "{{ .Values.charts.element.username }}"
|
||||
password: {{ .Values.charts.element.password | quote }}
|
||||
url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
|
||||
- name: "element-well-known-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.element.verify }}
|
||||
username: "{{ .Values.charts.elementWellKnown.username }}"
|
||||
password: {{ .Values.charts.elementWellKnown.password | quote }}
|
||||
url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
|
||||
- name: "synapse-web-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.element.verify }}
|
||||
username: "{{ .Values.charts.synapseWeb.username }}"
|
||||
password: {{ .Values.charts.synapseWeb.password | quote }}
|
||||
url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
|
||||
- name: "synapse-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.element.verify }}
|
||||
username: "{{ .Values.charts.synapse.username }}"
|
||||
password: {{ .Values.charts.synapse.password | quote }}
|
||||
url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
|
||||
- name: "synapse-create-account-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.element.verify }}
|
||||
username: "{{ .Values.charts.synapseCreateAccount.username }}"
|
||||
password: {{ .Values.charts.synapseCreateAccount.password | quote }}
|
||||
url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
|
||||
|
||||
# openDesk Matrix Widgets
|
||||
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
|
||||
- name: "matrix-user-verification-service-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.matrixUserVerificationService.verify }}
|
||||
username: "{{ .Values.charts.matrixUserVerificationService.username }}"
|
||||
password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
|
||||
url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
|
||||
{{ .Values.charts.matrixUserVerificationService.repository }}"
|
||||
- name: "matrix-neoboard-widget-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
|
||||
username: "{{ .Values.charts.matrixNeoboardWidget.username }}"
|
||||
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
|
||||
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
|
||||
- name: "matrix-neochoice-widget-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
|
||||
username: "{{ .Values.charts.matrixNeoboardWidget.username }}"
|
||||
password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
|
||||
url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
|
||||
- name: "matrix-neodatefix-widget-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
|
||||
username: "{{ .Values.charts.matrixNeodatefixWidget.username }}"
|
||||
password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
|
||||
url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
|
||||
- name: "matrix-neodatefix-bot-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
|
||||
username: "{{ .Values.charts.matrixNeodatefixBot.username }}"
|
||||
password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
|
||||
url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
|
||||
|
||||
|
||||
releases:
|
||||
- name: "opendesk-element"
|
||||
chart: "opendesk-element-repo/opendesk-element"
|
||||
version: "2.2.0"
|
||||
chart: "element-repo/{{ .Values.charts.element.name }}"
|
||||
version: "{{ .Values.charts.element.version }}"
|
||||
values:
|
||||
- "values-element.yaml"
|
||||
- "values-element.gotmpl"
|
||||
condition: "element.enabled"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-well-known"
|
||||
chart: "opendesk-element-repo/opendesk-well-known"
|
||||
version: "2.2.0"
|
||||
chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
|
||||
version: "{{ .Values.charts.elementWellKnown.version }}"
|
||||
values:
|
||||
- "values-well-known.yaml"
|
||||
- "values-well-known.gotmpl"
|
||||
condition: "element.enabled"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-synapse-web"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-web"
|
||||
version: "2.2.0"
|
||||
chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
|
||||
version: "{{ .Values.charts.synapseWeb.version }}"
|
||||
values:
|
||||
- "values-synapse-web.yaml"
|
||||
- "values-synapse-web.gotmpl"
|
||||
condition: "element.enabled"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-synapse"
|
||||
chart: "opendesk-element-repo/opendesk-synapse"
|
||||
version: "2.2.0"
|
||||
chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
|
||||
version: "{{ .Values.charts.synapse.version }}"
|
||||
values:
|
||||
- "values-synapse.yaml"
|
||||
- "values-synapse.gotmpl"
|
||||
condition: "element.enabled"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-matrix-user-verification-service-bootstrap"
|
||||
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
|
||||
version: "{{ .Values.charts.synapseCreateAccount.version }}"
|
||||
values:
|
||||
- "values-matrix-user-verification-service-bootstrap.yaml"
|
||||
- "values-matrix-user-verification-service-bootstrap.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-matrix-user-verification-service"
|
||||
chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
|
||||
version: "{{ .Values.charts.matrixUserVerificationService.version }}"
|
||||
values:
|
||||
- "values-matrix-user-verification-service.yaml"
|
||||
- "values-matrix-user-verification-service.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "matrix-neoboard-widget"
|
||||
chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
|
||||
version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
|
||||
values:
|
||||
- "values-matrix-neoboard-widget.yaml"
|
||||
- "values-matrix-neoboard-widget.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "matrix-neochoice-widget"
|
||||
chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
|
||||
version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
|
||||
values:
|
||||
- "values-matrix-neochoice-widget.yaml"
|
||||
- "values-matrix-neochoice-widget.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "matrix-neodatefix-widget"
|
||||
chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
|
||||
version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
|
||||
values:
|
||||
- "values-matrix-neodatefix-widget.yaml"
|
||||
- "values-matrix-neodatefix-widget.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "matrix-neodatefix-bot-bootstrap"
|
||||
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
|
||||
version: "{{ .Values.charts.synapseCreateAccount.version }}"
|
||||
values:
|
||||
- "values-matrix-neodatefix-bot-bootstrap.yaml"
|
||||
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "matrix-neodatefix-bot"
|
||||
chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
|
||||
version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
|
||||
values:
|
||||
- "values-matrix-neodatefix-bot.yaml"
|
||||
- "values-matrix-neodatefix-bot.gotmpl"
|
||||
installed: {{ .Values.element.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "element"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
@@ -15,19 +15,110 @@ configuration:
|
||||
additionalConfiguration:
|
||||
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
|
||||
|
||||
"net.nordeck.element_web.module.opendesk":
|
||||
config:
|
||||
banner:
|
||||
ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
|
||||
ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
|
||||
portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
|
||||
portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
|
||||
custom_css_variables:
|
||||
--cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
|
||||
widget_types:
|
||||
- jitsi
|
||||
- net.nordeck
|
||||
|
||||
"net.nordeck.element_web.module.widget_lifecycle":
|
||||
widget_permissions:
|
||||
"https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
|
||||
identity_approved: true
|
||||
"https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
|
||||
preload_approved: true
|
||||
capabilities_approved:
|
||||
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
|
||||
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
|
||||
- org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
|
||||
- org.matrix.msc2762.send.state_event:m.room.power_levels#
|
||||
- org.matrix.msc2762.receive.state_event:m.room.power_levels#
|
||||
- org.matrix.msc2762.receive.state_event:m.room.member
|
||||
- org.matrix.msc2762.receive.state_event:m.room.name
|
||||
- org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
|
||||
- org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
|
||||
- org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
|
||||
- org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
|
||||
- org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
|
||||
- org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
|
||||
- town.robin.msc3846.turn_servers
|
||||
"https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
|
||||
preload_approved: true
|
||||
capabilities_approved:
|
||||
- org.matrix.msc2762.send.event:net.nordeck.poll.vote
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.poll.vote
|
||||
- org.matrix.msc2762.send.state_event:net.nordeck.poll
|
||||
- org.matrix.msc2762.receive.state_event:net.nordeck.poll
|
||||
- org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
|
||||
- org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
|
||||
- org.matrix.msc2762.receive.state_event:m.room.power_levels
|
||||
- org.matrix.msc2762.receive.state_event:m.room.name
|
||||
- org.matrix.msc2762.receive.state_event:m.room.member
|
||||
- org.matrix.msc2762.send.state_event:net.nordeck.poll.group
|
||||
- org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
|
||||
- org.matrix.msc2762.send.event:net.nordeck.poll.start
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.poll.start
|
||||
"https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
|
||||
preload_approved: true
|
||||
identity_approved: true
|
||||
capabilities_approved:
|
||||
- org.matrix.msc2931.navigate
|
||||
- org.matrix.msc2762.timeline:*
|
||||
- org.matrix.msc2762.receive.state_event:m.room.power_levels
|
||||
- org.matrix.msc2762.receive.event:m.reaction
|
||||
- org.matrix.msc2762.receive.state_event:m.room.create
|
||||
- org.matrix.msc2762.receive.state_event:m.room.tombstone
|
||||
- org.matrix.msc2762.receive.state_event:m.room.member
|
||||
- org.matrix.msc2762.send.state_event:m.room.member
|
||||
- org.matrix.msc2762.receive.state_event:m.room.name
|
||||
- org.matrix.msc2762.receive.state_event:m.room.topic
|
||||
- org.matrix.msc2762.receive.state_event:m.space.parent
|
||||
- org.matrix.msc2762.receive.state_event:m.space.child
|
||||
- org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
|
||||
- org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
|
||||
- org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
|
||||
- org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
|
||||
- org.matrix.msc3973.user_directory_search
|
||||
|
||||
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.element.repository }}"
|
||||
tag: "{{ .Values.images.element.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.element.repository | quote }}
|
||||
tag: {{ .Values.images.element.tag | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
theme:
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
|
||||
33
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
Normal file
33
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
Normal file
@@ -0,0 +1,33 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
|
||||
tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
theme:
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
|
||||
...
|
||||
21
helmfile/apps/element/values-matrix-neoboard-widget.yaml
Normal file
21
helmfile/apps/element/values-matrix-neoboard-widget.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
33
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
Normal file
33
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
Normal file
@@ -0,0 +1,33 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
|
||||
tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
theme:
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
|
||||
...
|
||||
21
helmfile/apps/element/values-matrix-neochoice-widget.yaml
Normal file
21
helmfile/apps/element/values-matrix-neochoice-widget.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
@@ -0,0 +1,23 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
|
||||
|
||||
configuration:
|
||||
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
url: {{ .Values.images.synapseCreateUser.repository | quote }}
|
||||
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
...
|
||||
@@ -0,0 +1,8 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
configuration:
|
||||
username: "meetings-bot"
|
||||
pod: "opendesk-synapse-0"
|
||||
secretName: "matrix-neodatefix-bot-account"
|
||||
...
|
||||
37
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
Normal file
37
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
Normal file
@@ -0,0 +1,37 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
configuration:
|
||||
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
|
||||
tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
persistence:
|
||||
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
|
||||
...
|
||||
50
helmfile/apps/element/values-matrix-neodatefix-bot.yaml
Normal file
50
helmfile/apps/element/values-matrix-neodatefix-bot.yaml
Normal file
@@ -0,0 +1,50 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
configuration:
|
||||
bot:
|
||||
username: "meetings-bot"
|
||||
displayname: "Terminplaner Bot"
|
||||
|
||||
strings:
|
||||
breakoutSessionWidgetName: "Breakoutsessions"
|
||||
calendarRoomName: "Terminplaner"
|
||||
calendarWidgetName: "Terminplaner"
|
||||
cockpitWidgetName: "Meeting Steuerung"
|
||||
jitsiWidgetName: "Videokonferenz"
|
||||
matrixNeoBoardWidgetName: "Whiteboard"
|
||||
matrixNeoChoiceWidgetName: "Abstimmungen"
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
extraEnvVars:
|
||||
- name: "ACCESS_TOKEN"
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "matrix-neodatefix-bot-account"
|
||||
key: "access_token"
|
||||
|
||||
# TODO: The health endpoint does not work with the haproxy configuration, yet
|
||||
livenessProbe:
|
||||
enabled: false
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
|
||||
# TODO: The health endpoint does not work with the haproxy configuration, yet
|
||||
readinessProbe:
|
||||
enabled: false
|
||||
...
|
||||
33
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
Normal file
33
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
Normal file
@@ -0,0 +1,33 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
|
||||
tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
theme:
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
|
||||
...
|
||||
25
helmfile/apps/element/values-matrix-neodatefix-widget.yaml
Normal file
25
helmfile/apps/element/values-matrix-neodatefix-widget.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
configuration:
|
||||
bot:
|
||||
username: "meetings-bot"
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
@@ -0,0 +1,23 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
|
||||
|
||||
configuration:
|
||||
password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
url: {{ .Values.images.synapseCreateUser.repository | quote }}
|
||||
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
...
|
||||
@@ -0,0 +1,8 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
configuration:
|
||||
username: "uvs"
|
||||
pod: "opendesk-synapse-0"
|
||||
secretName: "opendesk-matrix-user-verification-service-account"
|
||||
...
|
||||
@@ -0,0 +1,23 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
|
||||
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
|
||||
...
|
||||
@@ -0,0 +1,31 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
# TODO: the service can't run with read only filesystem or as non-root
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsGroup: 101
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
extraEnvVars:
|
||||
- name: "UVS_ACCESS_TOKEN"
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "opendesk-matrix-user-verification-service-account"
|
||||
key: "access_token"
|
||||
- name: "UVS_DISABLE_IP_BLACKLIST"
|
||||
value: "true"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
...
|
||||
@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.synapseWeb.repository }}"
|
||||
tag: "{{ .Values.images.synapseWeb.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.synapseWeb.repository | quote }}
|
||||
tag: {{ .Values.images.synapseWeb.tag | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.synapseWeb }}
|
||||
|
||||
|
||||
@@ -4,54 +4,65 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.synapse.repository }}"
|
||||
tag: "{{ .Values.images.synapse.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.synapse.repository | quote }}
|
||||
tag: {{ .Values.images.synapse.tag | quote }}
|
||||
|
||||
configuration:
|
||||
database:
|
||||
host: "{{ .Values.databases.synapse.host }}"
|
||||
name: "{{ .Values.databases.synapse.name }}"
|
||||
user: "{{ .Values.databases.synapse.username }}"
|
||||
password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
|
||||
host: {{ .Values.databases.synapse.host | quote }}
|
||||
name: {{ .Values.databases.synapse.name | quote }}
|
||||
user: {{ .Values.databases.synapse.username | quote }}
|
||||
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
|
||||
|
||||
homeserver:
|
||||
appServiceConfigs:
|
||||
- as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
|
||||
hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
|
||||
id: intercom-service
|
||||
namespaces:
|
||||
users:
|
||||
- exclusive: false
|
||||
regex: "@.*"
|
||||
url: null
|
||||
sender_localpart: intercom-service
|
||||
|
||||
oidc:
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
|
||||
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
|
||||
|
||||
turn:
|
||||
sharedSecret: {{ .Values.turn.credentials }}
|
||||
sharedSecret: {{ .Values.turn.credentials | quote }}
|
||||
servers:
|
||||
{{- if .Values.turn.tls.host }}
|
||||
- server: {{ .Values.turn.tls.host }}
|
||||
- server: {{ .Values.turn.tls.host | quote }}
|
||||
port: {{ .Values.turn.tls.port }}
|
||||
transport: {{ .Values.turn.transport }}
|
||||
transport: {{ .Values.turn.transport | quote }}
|
||||
{{- else if .Values.turn.server.host }}
|
||||
- server: {{ .Values.turn.server.host }}
|
||||
- server: {{ .Values.turn.server.host | quote }}
|
||||
port: {{ .Values.turn.server.port }}
|
||||
transport: {{ .Values.turn.transport }}
|
||||
transport: {{ .Values.turn.transport | quote }}
|
||||
{{- end }}
|
||||
|
||||
guestModule:
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.synapseGuestModule.repository }}"
|
||||
tag: "{{ .Values.images.synapseGuestModule.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.synapseGuestModule.repository | quote }}
|
||||
tag: {{ .Values.images.synapseGuestModule.tag | quote }}
|
||||
|
||||
persistence:
|
||||
size: "{{ .Values.persistence.size.synapse }}"
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: {{ .Values.persistence.size.synapse | quote }}
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.synapse }}
|
||||
|
||||
|
||||
@@ -2,9 +2,29 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
configuration:
|
||||
additionalConfiguration:
|
||||
user_directory:
|
||||
enabled: true
|
||||
search_all_users: true
|
||||
room_prejoin_state:
|
||||
additional_event_types:
|
||||
- "m.space.parent"
|
||||
- "net.nordeck.meetings.metadata"
|
||||
- "m.room.power_levels"
|
||||
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
|
||||
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
|
||||
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
|
||||
rc_login:
|
||||
account:
|
||||
per_second: 2
|
||||
burst_count: 8
|
||||
address:
|
||||
per_second: 2
|
||||
burst_count: 12
|
||||
|
||||
homeserver:
|
||||
guestModule:
|
||||
enabled: false
|
||||
enabled: true
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
|
||||
@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.wellKnown.repository }}"
|
||||
tag: "{{ .Values.images.wellKnown.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.wellKnown.repository | quote }}
|
||||
tag: {{ .Values.images.wellKnown.tag | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.domain }}"
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
host: {{ .Values.global.domain | quote }}
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.wellKnown }}
|
||||
|
||||
|
||||
@@ -1,30 +1,30 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# Intercom Service
|
||||
# Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
|
||||
- name: "intercom-service-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.intercomService.verify }}
|
||||
username: "{{ .Values.charts.intercomService.username }}"
|
||||
password: {{ .Values.charts.intercomService.password | quote }}
|
||||
url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "intercom-service"
|
||||
chart: "intercom-service-repo/intercom-service"
|
||||
version: "1.1.3"
|
||||
chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
|
||||
version: "{{ .Values.charts.intercomService.version }}"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
condition: "intercom.enabled"
|
||||
installed: {{ .Values.intercom.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "intercom-service"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,41 +4,49 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
ics:
|
||||
secret: {{ .Values.secrets.intercom.secret }}
|
||||
secret: {{ .Values.secrets.intercom.secret | quote }}
|
||||
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
|
||||
originRegex: "{{ .Values.istio.domain }}"
|
||||
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
|
||||
default:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
oidc:
|
||||
secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
|
||||
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
|
||||
matrix:
|
||||
asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
|
||||
serverName: "matrix.{{ .Values.global.domain }}"
|
||||
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
|
||||
subdomain: {{ .Values.global.hosts.synapse | quote }}
|
||||
serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
|
||||
nordeck:
|
||||
subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
|
||||
portal:
|
||||
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
|
||||
apiKey: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
redis:
|
||||
password: {{ .Values.secrets.redis.password }}
|
||||
host: {{ .Values.cache.intercomService.host | quote }}
|
||||
port: {{ .Values.cache.intercomService.port }}
|
||||
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
|
||||
openxchange:
|
||||
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.intercom.repository }}"
|
||||
tag: "{{ .Values.images.intercom.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.intercom.repository | quote }}
|
||||
tag: {{ .Values.images.intercom.tag | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.intercomService | toYaml | nindent 2 }}
|
||||
...
|
||||
|
||||
@@ -1,8 +1,21 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
istio:
|
||||
enabled: false
|
||||
virtualService:
|
||||
enabled: false
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
...
|
||||
|
||||
@@ -1,30 +1,30 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Jitsi
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
|
||||
- name: "jitsi-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
|
||||
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.jitsi.verify }}
|
||||
username: "{{ .Values.charts.jitsi.username }}"
|
||||
password: {{ .Values.charts.jitsi.password | quote }}
|
||||
url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "jitsi"
|
||||
chart: "jitsi-repo/sovereign-workplace-jitsi"
|
||||
version: "1.5.1"
|
||||
chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
|
||||
version: "{{ .Values.charts.jitsi.version }}"
|
||||
values:
|
||||
- "values-jitsi.gotmpl"
|
||||
condition: "jitsi.enabled"
|
||||
installed: {{ .Values.jitsi.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "jitsi"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
@@ -15,13 +15,13 @@ cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
|
||||
tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
|
||||
tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
|
||||
|
||||
settings:
|
||||
jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
|
||||
jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
|
||||
|
||||
theme:
|
||||
{{ .Values.theme | toYaml | nindent 2 }}
|
||||
@@ -32,16 +32,16 @@ jitsi:
|
||||
replicaCount: {{ .Values.replicas.jitsi }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
|
||||
tag: "{{ .Values.images.jitsi.tag }}"
|
||||
tag: {{ .Values.images.jitsi.tag | quote }}
|
||||
ingress:
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
hosts:
|
||||
- host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
||||
paths:
|
||||
- "/"
|
||||
tls:
|
||||
- secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
- secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
hosts:
|
||||
- "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
||||
extraEnvs:
|
||||
@@ -51,81 +51,85 @@ jitsi:
|
||||
prosody:
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
|
||||
tag: "{{ .Values.images.prosody.tag }}"
|
||||
tag: {{ .Values.images.prosody.tag | quote }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
extraEnvs:
|
||||
- name: "AUTH_TYPE"
|
||||
value: "hybrid_matrix_token"
|
||||
- name: "JWT_APP_ID"
|
||||
value: "myappid"
|
||||
value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
||||
- name: "JWT_APP_SECRET"
|
||||
value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
|
||||
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
|
||||
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"
|
||||
value: "true"
|
||||
- name: "MATRIX_UVS_URL"
|
||||
value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
|
||||
- name: TURNS_HOST
|
||||
value: "{{ .Values.turn.tls.host }}"
|
||||
value: {{ .Values.turn.tls.host | quote }}
|
||||
- name: TURNS_PORT
|
||||
value: "{{ .Values.turn.tls.port }}"
|
||||
value: {{ .Values.turn.tls.port | quote }}
|
||||
- name: TURN_HOST
|
||||
value: "{{ .Values.turn.server.host }}"
|
||||
value: {{ .Values.turn.server.host | quote }}
|
||||
- name: TURN_PORT
|
||||
value: "{{ .Values.turn.server.port }}"
|
||||
value: {{ .Values.turn.server.port | quote }}
|
||||
- name: TURN_TRANSPORT
|
||||
value: "{{ .Values.turn.transport }}"
|
||||
value: {{ .Values.turn.transport | quote }}
|
||||
- name: TURN_CREDENTIALS
|
||||
value: "{{ .Values.turn.credentials }}"
|
||||
value: {{ .Values.turn.credentials | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.prosody | toYaml | nindent 6 }}
|
||||
persistence:
|
||||
size: "{{ .Values.persistence.size.prosody }}"
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: {{ .Values.persistence.size.prosody | quote }}
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
jicofo:
|
||||
replicaCount: {{ .Values.replicas.jicofo }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
|
||||
tag: "{{ .Values.images.jicofo.tag }}"
|
||||
tag: {{ .Values.images.jicofo.tag | quote }}
|
||||
xmpp:
|
||||
password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
|
||||
componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
|
||||
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
|
||||
componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
|
||||
jvb:
|
||||
replicaCount: {{ .Values.replicas.jvb }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
|
||||
tag: "{{ .Values.images.jvb.tag }}"
|
||||
tag: {{ .Values.images.jvb.tag | quote }}
|
||||
xmpp:
|
||||
password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
|
||||
password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.jvb | toYaml | nindent 6 }}
|
||||
service:
|
||||
type: "{{ .Values.cluster.service.type }}"
|
||||
type: {{ .Values.cluster.service.type | quote }}
|
||||
jibri:
|
||||
replicaCount: {{ .Values.replicas.jibri }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
|
||||
tag: "{{ .Values.images.jibri.tag }}"
|
||||
tag: {{ .Values.images.jibri.tag | quote }}
|
||||
recorder:
|
||||
password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
|
||||
password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
|
||||
xmpp:
|
||||
password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
|
||||
password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.jibri | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
patchJVB:
|
||||
configuration:
|
||||
staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
|
||||
loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
|
||||
staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
|
||||
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
|
||||
tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
|
||||
tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
|
||||
replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
|
||||
|
||||
resources:
|
||||
|
||||
@@ -1,34 +1,32 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Keycloak Bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
|
||||
- name: "opendesk-keycloak-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.keycloakBootstrap.verify }}
|
||||
username: "{{ .Values.charts.keycloakBootstrap.username }}"
|
||||
password: {{ .Values.charts.keycloakBootstrap.password | quote }}
|
||||
url: "{{ .Values.charts.keycloakBootstrap.registry }}/{{ .Values.charts.keycloakBootstrap.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "opendesk-keycloak-bootstrap"
|
||||
chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
|
||||
version: "1.1.11"
|
||||
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.keycloakBootstrap.name }}"
|
||||
version: "{{ .Values.charts.keycloakBootstrap.version }}"
|
||||
values:
|
||||
- "values-bootstrap.gotmpl"
|
||||
- "values-bootstrap.yaml"
|
||||
condition: "keycloak.enabled"
|
||||
installed: {{ .Values.keycloak.enabled }}
|
||||
# as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
|
||||
timeout: 1800
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "keycloak-bootstrap"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,10 +4,10 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
@@ -17,14 +17,18 @@ cleanup:
|
||||
|
||||
config:
|
||||
administrator:
|
||||
password: "{{ .Values.secrets.keycloak.adminPassword }}"
|
||||
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloakBootstrap.repository }}"
|
||||
tag: "{{ .Values.images.keycloakBootstrap.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
|
||||
tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
|
||||
|
||||
additionalAnnotations:
|
||||
annotations:
|
||||
intents.otterize.com/service-name: "keycloak-bootstrap"
|
||||
...
|
||||
|
||||
@@ -1,61 +1,65 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# VMWare Bitnami
|
||||
# Source: https://github.com/bitnami/charts/
|
||||
- name: "bitnami-repo"
|
||||
- name: "keycloak-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "registry-1.docker.io/bitnamicharts" }}
|
||||
# Bitnami charts are not signed, see https://github.com/bitnami/charts/issues/14491
|
||||
verify: false
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.keycloak.verify }}
|
||||
username: "{{ .Values.charts.keycloak.username }}"
|
||||
password: {{ .Values.charts.keycloak.password | quote }}
|
||||
url: "{{ .Values.charts.keycloak.registry }}/{{ .Values.charts.keycloak.repository }}"
|
||||
|
||||
# openDesk Keycloak Theme
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
|
||||
- name: "keycloak-theme-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.keycloakTheme.verify }}
|
||||
username: "{{ .Values.charts.keycloakTheme.username }}"
|
||||
password: {{ .Values.charts.keycloakTheme.password | quote }}
|
||||
url: "{{ .Values.charts.keycloakTheme.registry }}/{{ .Values.charts.keycloakTheme.repository }}"
|
||||
|
||||
# openDesk Keycloak Extensions
|
||||
- name: "keycloak-extensions-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
|
||||
username: "{{ .Values.charts.keycloakExtensions.username }}"
|
||||
password: {{ .Values.charts.keycloakExtensions.password | quote }}
|
||||
url: "{{ .Values.charts.keycloakExtensions.registry }}/{{ .Values.charts.keycloakExtensions.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "keycloak-theme"
|
||||
chart: "keycloak-theme-repo/opendesk-keycloak-theme"
|
||||
version: "2.0.0"
|
||||
chart: "keycloak-theme-repo/{{ .Values.charts.keycloakTheme.name }}"
|
||||
version: "{{ .Values.charts.keycloakTheme.version }}"
|
||||
values:
|
||||
- "values-theme.gotmpl"
|
||||
condition: "keycloak.enabled"
|
||||
installed: {{ .Values.keycloak.enabled }}
|
||||
|
||||
- name: "keycloak"
|
||||
chart: "bitnami-repo/keycloak"
|
||||
version: "12.2.0"
|
||||
chart: "keycloak-repo/{{ .Values.charts.keycloak.name }}"
|
||||
version: "{{ .Values.charts.keycloak.version }}"
|
||||
values:
|
||||
- "values-keycloak.gotmpl"
|
||||
- "values-keycloak.yaml"
|
||||
- "values-keycloak-idp.yaml"
|
||||
wait: true
|
||||
condition: "keycloak.enabled"
|
||||
installed: {{ .Values.keycloak.enabled }}
|
||||
|
||||
- name: "keycloak-extensions"
|
||||
chart: "keycloak-extensions-repo/keycloak-extensions"
|
||||
version: "0.1.0"
|
||||
chart: "keycloak-extensions-repo/{{ .Values.charts.keycloakExtensions.name }}"
|
||||
version: "{{ .Values.charts.keycloakExtensions.version }}"
|
||||
needs:
|
||||
- "keycloak"
|
||||
values:
|
||||
- "values-extensions.yaml"
|
||||
- "values-extensions.gotmpl"
|
||||
condition: "keycloak.enabled"
|
||||
installed: {{ .Values.keycloak.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "keycloak"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -5,42 +5,42 @@ SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
global:
|
||||
keycloak:
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
postgresql:
|
||||
connection:
|
||||
host: "{{ .Values.databases.keycloakExtension.host }}"
|
||||
port: "{{ .Values.databases.keycloakExtension.port }}"
|
||||
host: {{ .Values.databases.keycloakExtension.host | quote }}
|
||||
port: {{ .Values.databases.keycloakExtension.port }}
|
||||
auth:
|
||||
database: "{{ .Values.databases.keycloakExtension.name }}"
|
||||
username: "{{ .Values.databases.keycloakExtension.username }}"
|
||||
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
|
||||
database: {{ .Values.databases.keycloakExtension.name | quote }}
|
||||
username: {{ .Values.databases.keycloakExtension.username | quote }}
|
||||
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
|
||||
handler:
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
|
||||
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
|
||||
tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
appConfig:
|
||||
smtpPassword: "{{ .Values.smtp.password }}"
|
||||
smtpHost: "{{ .Values.smtp.host }}"
|
||||
smtpUsername: "{{ .Values.smtp.username }}"
|
||||
smtpPassword: {{ .Values.smtp.password | quote }}
|
||||
smtpHost: {{ .Values.smtp.host | quote }}
|
||||
smtpPort: {{ .Values.smtp.port | quote }}
|
||||
smtpUsername: {{ .Values.smtp.username | quote }}
|
||||
mailFrom: "noreply@{{ .Values.global.domain }}"
|
||||
resources:
|
||||
{{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
|
||||
proxy:
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
|
||||
tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
|
||||
tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
ingress:
|
||||
enabled: "{{ .Values.ingress.enabled }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
|
||||
tls:
|
||||
enabled: "{{ .Values.ingress.tls.enabled }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -181,7 +181,7 @@ keycloakConfigCli:
|
||||
"attributes": {
|
||||
"backchannel.logout.revoke.offline.tokens": "true",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"backchannel.logout.url": "https://$(ELEMENT_DOMAIN)/_synapse/client/oidc/backchannel_logout",
|
||||
"backchannel.logout.url": "https://$(MATRIX_DOMAIN)/_synapse/client/oidc/backchannel_logout",
|
||||
"post.logout.redirect.uris": "https://$(ELEMENT_DOMAIN)/*##https://$(MATRIX_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
|
||||
@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: "{{ .Values.global.imageRegistry }}"
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.keycloak.repository }}"
|
||||
tag: "{{ .Values.images.keycloak.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.keycloak.repository | quote }}
|
||||
tag: {{ .Values.images.keycloak.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
externalDatabase:
|
||||
host: "{{ .Values.databases.keycloak.host }}"
|
||||
host: {{ .Values.databases.keycloak.host | quote }}
|
||||
port: {{ .Values.databases.keycloak.port }}
|
||||
user: "{{ .Values.databases.keycloak.username }}"
|
||||
database: "{{ .Values.databases.keycloak.name }}"
|
||||
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
|
||||
user: {{ .Values.databases.keycloak.username | quote }}
|
||||
database: {{ .Values.databases.keycloak.name | quote }}
|
||||
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
|
||||
|
||||
auth:
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.keycloak }}
|
||||
|
||||
@@ -34,7 +34,7 @@ keycloakConfigCli:
|
||||
- name: "LDAP_USERS_DN"
|
||||
value: "cn=users,dc=swp-ldap,dc=internal"
|
||||
- name: "LDAP_SERVER_URL"
|
||||
value: "univention-corporate-container"
|
||||
value: {{ .Values.ldap.host | quote }}
|
||||
- name: "IDENTIFIER"
|
||||
value: "souvap"
|
||||
- name: "THEME"
|
||||
@@ -62,23 +62,23 @@ keycloakConfigCli:
|
||||
- name: "INTERCOM_SERVICE_DOMAIN"
|
||||
value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
|
||||
- name: "CLIENT_SECRET_INTERCOM_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
|
||||
- name: "CLIENT_SECRET_MATRIX_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
|
||||
- name: "CLIENT_SECRET_JITSI_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
|
||||
- name: "CLIENT_SECRET_NCOIDC_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
|
||||
- name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.openproject }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
|
||||
- name: "CLIENT_SECRET_XWIKI_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.xwiki }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
|
||||
- name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
|
||||
value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
|
||||
- name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
|
||||
value: "storage_provider_ucsldap"
|
||||
- name: "LDAPSEARCH_PASSWORD"
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
|
||||
- name: "LDAPSEARCH_USERNAME"
|
||||
value: "ldapsearch_keycloak"
|
||||
resources:
|
||||
|
||||
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
|
||||
|
||||
@@ -1,53 +1,52 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Keycloak Bootstrap
|
||||
# Source:
|
||||
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
|
||||
- name: "opendesk-nextcloud-bootstrap-repo"
|
||||
# https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
|
||||
- name: "nextcloud-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
|
||||
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.nextcloudBootstrap.verify }}
|
||||
username: "{{ .Values.charts.nextcloudBootstrap.username }}"
|
||||
password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
|
||||
url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
|
||||
|
||||
# Nextcloud
|
||||
# Source: https://github.com/nextcloud/helm/
|
||||
- name: "nextcloud-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://nextcloud.github.io/helm/" }}
|
||||
username: "{{ .Values.charts.nextcloud.username }}"
|
||||
password: {{ .Values.charts.nextcloud.password | quote }}
|
||||
url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "opendesk-nextcloud-bootstrap"
|
||||
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
|
||||
version: "3.1.2"
|
||||
chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
|
||||
version: "{{ .Values.charts.nextcloudBootstrap.version }}"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
- "values-bootstrap.gotmpl"
|
||||
- "values-bootstrap.yaml"
|
||||
condition: "nextcloud.enabled"
|
||||
installed: {{ .Values.nextcloud.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "nextcloud"
|
||||
chart: "nextcloud-repo/nextcloud"
|
||||
version: "3.5.19"
|
||||
chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
|
||||
version: "{{ .Values.charts.nextcloud.version }}"
|
||||
needs:
|
||||
- "opendesk-nextcloud-bootstrap"
|
||||
values:
|
||||
- "values-nextcloud.gotmpl"
|
||||
- "values-nextcloud.yaml"
|
||||
condition: "nextcloud.enabled"
|
||||
installed: {{ .Values.nextcloud.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "nextcloud"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,17 +4,17 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
istioDomain: "{{ .Values.istio.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
istioDomain: {{ .Values.istio.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
config:
|
||||
administrator:
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword }}
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
|
||||
|
||||
antivirus:
|
||||
{{- if .Values.clamavDistributed.enabled }}
|
||||
@@ -25,23 +25,28 @@ config:
|
||||
|
||||
apps:
|
||||
integrationSwp:
|
||||
password: {{ .Values.secrets.centralnavigation.apiKey }}
|
||||
password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
userOidc:
|
||||
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
|
||||
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
|
||||
|
||||
database:
|
||||
host: "{{ .Values.databases.nextcloud.host }}"
|
||||
name: "{{ .Values.databases.nextcloud.name }}"
|
||||
user: "{{ .Values.databases.nextcloud.username }}"
|
||||
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
|
||||
host: {{ .Values.databases.nextcloud.host | quote }}
|
||||
name: {{ .Values.databases.nextcloud.name | quote }}
|
||||
user: {{ .Values.databases.nextcloud.username | quote }}
|
||||
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
|
||||
|
||||
ldapSearch:
|
||||
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
|
||||
host: {{ .Values.ldap.host | quote }}
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
|
||||
|
||||
serverinfo:
|
||||
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
|
||||
|
||||
smtp:
|
||||
host: "{{ .Values.smtp.host }}"
|
||||
username: "{{ .Values.smtp.username }}"
|
||||
password: "{{ .Values.smtp.password }}"
|
||||
host: {{ .Values.smtp.host | quote }}
|
||||
port: {{ .Values.smtp.port | quote }}
|
||||
username: {{ .Values.smtp.username | quote }}
|
||||
password: {{ .Values.smtp.password | quote }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
@@ -49,24 +54,24 @@ cleanup:
|
||||
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.nextcloud.repository }}"
|
||||
tag: "{{ .Values.images.nextcloud.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.nextcloud.repository | quote }}
|
||||
tag: {{ .Values.images.nextcloud.tag | quote }}
|
||||
|
||||
persistence:
|
||||
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
|
||||
accessModes:
|
||||
- "ReadWriteMany"
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
|
||||
{{- else }}
|
||||
accessModes:
|
||||
- "ReadWriteOnce"
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
{{- end }}
|
||||
size:
|
||||
main: "{{ .Values.persistence.size.nextcloud.main }}"
|
||||
data: "{{ .Values.persistence.size.nextcloud.data }}"
|
||||
main: {{ .Values.persistence.size.nextcloud.main | quote }}
|
||||
data: {{ .Values.persistence.size.nextcloud.data | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}
|
||||
|
||||
@@ -10,7 +10,22 @@ config:
|
||||
username: "phoenixusername"
|
||||
userOidc:
|
||||
username: "ncoidc"
|
||||
userIdAttribute: "entryuuid"
|
||||
realm: "souvap"
|
||||
|
||||
ldapSearch:
|
||||
host: "univention-corporate-container"
|
||||
cryptpad:
|
||||
enabled: true
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: false
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 33
|
||||
fsGroupChangePolicy: "Always"
|
||||
...
|
||||
|
||||
@@ -6,32 +6,51 @@ SPDX-License-Identifier: Apache-2.0
|
||||
nextcloud:
|
||||
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
||||
username: "nextcloud"
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword }}
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
|
||||
externalDatabase:
|
||||
database: "{{ .Values.databases.nextcloud.name }}"
|
||||
user: "{{ .Values.databases.nextcloud.username }}"
|
||||
host: "{{ .Values.databases.nextcloud.host }}"
|
||||
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
|
||||
database: {{ .Values.databases.nextcloud.name | quote }}
|
||||
user: {{ .Values.databases.nextcloud.username | quote }}
|
||||
host: {{ .Values.databases.nextcloud.host | quote }}
|
||||
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
|
||||
extraEnv:
|
||||
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
|
||||
REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
|
||||
REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
|
||||
redis:
|
||||
auth:
|
||||
enabled: true
|
||||
password: {{ .Values.secrets.redis.password }}
|
||||
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
className: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
- secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
- secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
hosts:
|
||||
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: "{{ .Values.images.nextcloud.tag }}"
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.nextcloud.tag | quote }}
|
||||
pullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
metrics:
|
||||
token: "{{ .Values.secrets.nextcloud.metricsToken }}"
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
https: true
|
||||
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: {{ .Values.images.nextcloudExporter.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
|
||||
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
resources:
|
||||
{{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
|
||||
|
||||
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
|
||||
replicaCount: {{ .Values.replicas.nextcloud }}
|
||||
|
||||
@@ -20,6 +20,11 @@ cronjob:
|
||||
- >
|
||||
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
|
||||
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
@@ -41,8 +46,31 @@ externalDatabase:
|
||||
# to the mariadb:
|
||||
type: "mysql"
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
nextcloud:
|
||||
configs:
|
||||
mimetypealiases.json: |-
|
||||
{
|
||||
"application/x-drawio": "image"
|
||||
}
|
||||
|
||||
mimetypemapping.json: |-
|
||||
{
|
||||
"drawio": ["application/x-drawio"]
|
||||
}
|
||||
podSecurityContext:
|
||||
fsGroup: 33
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
|
||||
# this is not documented but can be found in values.yaml
|
||||
service:
|
||||
|
||||
@@ -1,66 +1,68 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Dovecot
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
|
||||
- name: "opendesk-dovecot-repo"
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
|
||||
- name: "dovecot-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
|
||||
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.dovecot.verify }}
|
||||
username: "{{ .Values.charts.dovecot.username }}"
|
||||
password: {{ .Values.charts.dovecot.password | quote }}
|
||||
url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
|
||||
|
||||
# Open-Xchange
|
||||
- name: "openxchange-repo"
|
||||
- name: "open-xchange-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
|
||||
username: "{{ .Values.charts.openXchangeAppSuite.username }}"
|
||||
password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
|
||||
url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
|
||||
|
||||
# openDesk Open-Xchange Bootstrap
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
|
||||
- name: "opendesk-open-xchange-bootstrap-repo"
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
|
||||
- name: "open-xchange-bootstrap-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
|
||||
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
|
||||
username: "{{ .Values.charts.openXchangeAppSuiteBootstrap.username }}"
|
||||
password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
|
||||
url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
|
||||
{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "dovecot"
|
||||
chart: "opendesk-dovecot-repo/dovecot"
|
||||
version: "1.3.1"
|
||||
chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
|
||||
version: "{{ .Values.charts.dovecot.version }}"
|
||||
values:
|
||||
- "values-dovecot.yaml"
|
||||
- "values-dovecot.gotmpl"
|
||||
condition: "dovecot.enabled"
|
||||
installed: {{ .Values.dovecot.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "open-xchange"
|
||||
chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
|
||||
version: "2.0.4"
|
||||
chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
|
||||
version: "{{ .Values.charts.openXchangeAppSuite.version }}"
|
||||
values:
|
||||
- "values-openxchange.yaml"
|
||||
- "values-openxchange.gotmpl"
|
||||
- "values-openxchange-enterprise-contact-picker.yaml"
|
||||
- "values-openxchange-enterprise-contact-picker.gotmpl"
|
||||
condition: "oxAppsuite.enabled"
|
||||
installed: {{ .Values.oxAppsuite.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "opendesk-open-xchange-bootstrap"
|
||||
chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
|
||||
version: "1.3.1"
|
||||
chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
|
||||
version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
|
||||
values:
|
||||
- "values-openxchange-bootstrap.gotmpl"
|
||||
condition: "oxAppsuite.enabled"
|
||||
installed: {{ .Values.oxAppsuite.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "open-xchange"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,30 +4,32 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
url: "{{ .Values.images.dovecot.repository }}"
|
||||
tag: "{{ .Values.images.dovecot.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
url: {{ .Values.images.dovecot.repository | quote }}
|
||||
tag: {{ .Values.images.dovecot.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
dovecot:
|
||||
mailDomain: "{{ .Values.global.domain }}"
|
||||
password: {{ .Values.secrets.dovecot.doveadm }}
|
||||
mailDomain: {{ .Values.global.domain | quote }}
|
||||
password: {{ .Values.secrets.dovecot.doveadm | quote }}
|
||||
ldap:
|
||||
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
|
||||
host: {{ .Values.ldap.host | quote }}
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
|
||||
oidc:
|
||||
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
|
||||
introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
|
||||
introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
|
||||
clientID: "as8oidc"
|
||||
loginTrustedNetworks: "{{ .Values.cluster.networking.cidr }}"
|
||||
loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
|
||||
|
||||
certificate:
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
|
||||
replicaCount: {{ .Values.replicas.dovecot }}
|
||||
@@ -37,15 +39,15 @@ replicaCount: 1
|
||||
|
||||
persistence:
|
||||
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
|
||||
accessModes:
|
||||
- "ReadWriteMany"
|
||||
{{- else }}
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
accessModes:
|
||||
- "ReadWriteOnce"
|
||||
{{- end }}
|
||||
size: "{{ .Values.persistence.size.dovecot }}"
|
||||
size: {{ .Values.persistence.size.dovecot | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.dovecot | toYaml | nindent 2 }}
|
||||
|
||||
@@ -2,12 +2,26 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "KILL"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SYS_CHROOT"
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
dovecot:
|
||||
ldap:
|
||||
enabled: true
|
||||
host: "univention-corporate-container"
|
||||
port: 389
|
||||
base: "dc=swp-ldap,dc=internal"
|
||||
|
||||
@@ -15,4 +29,13 @@ dovecot:
|
||||
enabled: true
|
||||
clientID: "as8oidc"
|
||||
usernameAttribute: "phoenixusername"
|
||||
|
||||
submission:
|
||||
enabled: true
|
||||
ssl: "no"
|
||||
host: "postfix:25"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
...
|
||||
|
||||
@@ -8,13 +8,13 @@ cleanup:
|
||||
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
url: "{{ .Values.images.openxchangeBootstrap.repository }}"
|
||||
tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
...
|
||||
|
||||
@@ -8,6 +8,10 @@ appsuite:
|
||||
secretYAMLFiles:
|
||||
ldap-client-config.yml:
|
||||
contactsLdapClient:
|
||||
pool:
|
||||
host:
|
||||
address: {{ .Values.ldap.host | quote }}
|
||||
port: 389
|
||||
auth:
|
||||
adminDN:
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
|
||||
|
||||
@@ -6,7 +6,7 @@ appsuite:
|
||||
|
||||
properties:
|
||||
# Enterprise contact picker
|
||||
com.openexchange.contacts.ldap.accounts: "opendesk"
|
||||
com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
|
||||
com.openexchange.admin.bypassAccessCombinationChecks: "true"
|
||||
ENABLE_INTERNAL_USER_EDIT: "false"
|
||||
|
||||
@@ -16,9 +16,6 @@ appsuite:
|
||||
contactsLdapClient:
|
||||
pool:
|
||||
type: "simple"
|
||||
host:
|
||||
address: "univention-corporate-container"
|
||||
port: 389
|
||||
auth:
|
||||
type: "adminDN"
|
||||
adminDN:
|
||||
@@ -153,7 +150,7 @@ appsuite:
|
||||
# allows to sort the attributes lexicographically, either "ascending" or "descending".
|
||||
dynamicAttributes:
|
||||
attributeName: "o"
|
||||
contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
|
||||
contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
|
||||
contactSearchScope: "sub"
|
||||
# refreshInterval: 1h
|
||||
refreshInterval: "5m"
|
||||
@@ -174,6 +171,48 @@ appsuite:
|
||||
- "Management"
|
||||
- "Human Resources"
|
||||
|
||||
other:
|
||||
name: "Other contacts"
|
||||
ldapClientId: "contactsLdapClient"
|
||||
mappings: "ucs"
|
||||
folders:
|
||||
mode: "static"
|
||||
usedForSync:
|
||||
protected: true
|
||||
defaultValue: false
|
||||
usedInPicker:
|
||||
protected: false
|
||||
defaultValue: true
|
||||
shownInTree:
|
||||
protected: false
|
||||
defaultValue: true
|
||||
static:
|
||||
commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
|
||||
folders:
|
||||
- name: "Ohne Organisation"
|
||||
contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
|
||||
|
||||
functional:
|
||||
name: "Functional mailboxes"
|
||||
ldapClientId: "contactsLdapClient"
|
||||
mappings: "functional"
|
||||
folders:
|
||||
mode: "static"
|
||||
usedForSync:
|
||||
protected: true
|
||||
defaultValue: false
|
||||
usedInPicker:
|
||||
protected: false
|
||||
defaultValue: true
|
||||
shownInTree:
|
||||
protected: false
|
||||
defaultValue: true
|
||||
static:
|
||||
commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
|
||||
folders:
|
||||
- name: "Funktionale Postfächer"
|
||||
contactFilter: "(univentionObjectType=oxmail/functional_account)"
|
||||
|
||||
contacts-provider-ldap-mappings.yml:
|
||||
# Example definitions of contact property <-> LDAP attribute mappings.
|
||||
#
|
||||
@@ -347,3 +386,9 @@ appsuite:
|
||||
# image_last_modified :
|
||||
# Will be set automatically to "image/jpeg" if not defined.
|
||||
# image1_content_type :
|
||||
|
||||
functional:
|
||||
objectid: "mailPrimaryAddress"
|
||||
displayname: "oxPersonal,cn,mailPrimaryAddress"
|
||||
file_as: "oxPersonal,cn,mailPrimaryAddress"
|
||||
email1: "mailPrimaryAddress"
|
||||
|
||||
@@ -4,37 +4,41 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: "{{ .Values.global.imageRegistry }}"
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
mysql:
|
||||
host: "{{ .Values.databases.oxAppsuite.host }}"
|
||||
database: "{{ .Values.databases.oxAppsuite.name }}"
|
||||
host: {{ .Values.databases.oxAppsuite.host | quote }}
|
||||
database: {{ .Values.databases.oxAppsuite.name | quote }}
|
||||
auth:
|
||||
user: "{{ .Values.databases.oxAppsuite.username }}"
|
||||
password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
|
||||
rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
|
||||
user: {{ .Values.databases.oxAppsuite.username | quote }}
|
||||
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
|
||||
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
|
||||
|
||||
istio:
|
||||
enabled: {{ .Values.istio.enabled }}
|
||||
|
||||
nextcloud-integration-ui:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository }}
|
||||
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag }}
|
||||
repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
|
||||
|
||||
public-sector-ui:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangePublicSectorUI.repository }}
|
||||
tag: {{ .Values.images.openxchangePublicSectorUI.tag }}
|
||||
repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
|
||||
|
||||
appsuite:
|
||||
istio:
|
||||
@@ -56,12 +60,14 @@ appsuite:
|
||||
gotenberg:
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
image:
|
||||
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
|
||||
tag: {{ .Values.images.openxchangeGotenberg.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
|
||||
tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
|
||||
properties:
|
||||
"com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
|
||||
"com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
|
||||
@@ -83,19 +89,20 @@ appsuite:
|
||||
propertiesFiles:
|
||||
"/opt/open-xchange/etc/ldapauth.properties":
|
||||
bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
|
||||
java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
|
||||
uiSettings:
|
||||
"io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
|
||||
"io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
|
||||
# Dynamic theme
|
||||
io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
|
||||
io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
|
||||
io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
|
||||
io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
|
||||
io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
|
||||
io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
|
||||
io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
|
||||
io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
|
||||
io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
|
||||
io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
|
||||
io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
|
||||
io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
|
||||
io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
|
||||
io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
|
||||
io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
|
||||
io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
|
||||
io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
|
||||
secretETCFiles:
|
||||
# Format of the OX Guard master key:
|
||||
# MC+base64(20 random bytes)
|
||||
@@ -103,28 +110,35 @@ appsuite:
|
||||
oxguardpass: |
|
||||
{{ .Values.secrets.oxAppsuite.oxguardMC }}
|
||||
{{ .Values.secrets.oxAppsuite.oxguardRC }}
|
||||
redis:
|
||||
auth:
|
||||
password: {{ .Values.secrets.redis.password | quote }}
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeCoreMW.repository }}
|
||||
tag: {{ .Values.images.openxchangeCoreMW.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
update:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeCoreMW.repository }}
|
||||
tag: {{ .Values.images.openxchangeCoreMW.tag }}
|
||||
repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
|
||||
|
||||
core-ui:
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeCoreUI.repository }}
|
||||
tag: {{ .Values.images.openxchangeCoreUI.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
|
||||
|
||||
core-ui-middleware:
|
||||
ingress:
|
||||
@@ -133,40 +147,68 @@ appsuite:
|
||||
enabled: false
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
|
||||
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
redis:
|
||||
auth:
|
||||
password: {{ .Values.secrets.redis.password | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
|
||||
updater:
|
||||
resources:
|
||||
{{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
|
||||
|
||||
core-documentconverter:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
|
||||
|
||||
core-guidedtours:
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
|
||||
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
|
||||
|
||||
core-imageconverter:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
|
||||
|
||||
guard-ui:
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
image:
|
||||
repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
|
||||
tag: {{ .Values.images.openxchangeGuardUI.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
|
||||
tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
|
||||
|
||||
core-user-guide:
|
||||
image:
|
||||
repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
|
||||
tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
|
||||
...
|
||||
|
||||
@@ -6,11 +6,25 @@ appsuite:
|
||||
ingressGateway:
|
||||
name: "opendesk-gateway-istio-gateway"
|
||||
|
||||
switchboard:
|
||||
enabled: false
|
||||
|
||||
core-mw:
|
||||
enabled: true
|
||||
masterAdmin: "admin"
|
||||
gotenberg:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
features:
|
||||
status:
|
||||
# enable admin pack
|
||||
@@ -24,6 +38,7 @@ appsuite:
|
||||
open-xchange-authentication-oauth: "enabled"
|
||||
properties:
|
||||
com.openexchange.UIWebPath: "/appsuite/"
|
||||
com.openexchange.showAdmin: "false"
|
||||
# PDF Export
|
||||
com.openexchange.capability.mail_export_pdf: "true"
|
||||
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
|
||||
@@ -63,11 +78,13 @@ appsuite:
|
||||
com.openexchange.mail.filter.credentialSource: "mail"
|
||||
com.openexchange.mail.filter.server: "dovecot"
|
||||
com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
|
||||
# Dovecot
|
||||
com.openexchange.imap.attachmentMarker.enabled: "true"
|
||||
# Capabilities
|
||||
# Old capability can be used to toggle all integrations with a single switch
|
||||
com.openexchange.capability.public-sector: "true"
|
||||
# New capabilities in 2.0
|
||||
com.openexchange.capability.public-sector-element: "false"
|
||||
com.openexchange.capability.public-sector-element: "true"
|
||||
com.openexchange.capability.public-sector-navigation: "true"
|
||||
com.openexchange.capability.client-onboarding: "true"
|
||||
com.openexchange.capability.dynamic-theme: "true"
|
||||
@@ -78,6 +95,7 @@ appsuite:
|
||||
com.openexchange.capability.smime: "true"
|
||||
com.openexchange.capability.share_links: "false"
|
||||
com.openexchange.capability.invite_guests: "false"
|
||||
com.openexchange.capability.document_preview: "true"
|
||||
# Secondary Accounts
|
||||
com.openexchange.mail.secondary.authType: "XOAUTH2"
|
||||
com.openexchange.mail.transport.secondary.authType: "xoauth2"
|
||||
@@ -89,6 +107,8 @@ appsuite:
|
||||
com.openexchange.gdpr.dataexport.enabled: "false"
|
||||
com.openexchange.gdpr.dataexport.active: "false"
|
||||
# Guard
|
||||
com.openexchange.guard.storage.file.fileStorageType: "file"
|
||||
com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
|
||||
com.openexchange.guard.guestSMTPServer: "postfix"
|
||||
# S/MIME
|
||||
# Usage (in browser console after login):
|
||||
@@ -103,7 +123,6 @@ appsuite:
|
||||
/opt/open-xchange/etc/system.properties:
|
||||
SERVER_NAME: "oxserver"
|
||||
/opt/open-xchange/etc/ldapauth.properties:
|
||||
java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
|
||||
bindOnly: "false"
|
||||
bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
|
||||
|
||||
@@ -131,6 +150,9 @@ appsuite:
|
||||
io.ox/core//coloredIcons: "false"
|
||||
# Mail templates
|
||||
io.ox/core//features/templates: "true"
|
||||
# Contact Collector
|
||||
io.ox/mail//contactCollectOnMailTransport: "true"
|
||||
# io.ox/mail//contactCollectOnMailAccess: "true"
|
||||
|
||||
asConfig:
|
||||
default:
|
||||
@@ -139,24 +161,147 @@ appsuite:
|
||||
oidcLogin: true
|
||||
oidcPath: "/oidc"
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
mode: "standalone"
|
||||
hosts:
|
||||
- "redis-master"
|
||||
|
||||
hooks:
|
||||
beforeAppsuiteStart:
|
||||
create-guard-dir.sh: |
|
||||
mkdir -p /opt/open-xchange/guard-files
|
||||
chown open-xchange:open-xchange /opt/open-xchange/guard-files
|
||||
|
||||
# Security context for core-mw has no effect yet
|
||||
# podSecurityContext: {}
|
||||
# securityContext: {}
|
||||
|
||||
core-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-ui-middleware:
|
||||
enabled: true
|
||||
overrides: {}
|
||||
redis:
|
||||
mode: "standalone"
|
||||
hosts:
|
||||
- "redis-master:6379"
|
||||
auth:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-guidedtours:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
guard-ui:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-cacheservice:
|
||||
enabled: false
|
||||
|
||||
core-user-guide:
|
||||
enabled: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
core-imageconverter:
|
||||
enabled: false
|
||||
enabled: true
|
||||
objectCache:
|
||||
s3ObjectStores:
|
||||
- id: -1
|
||||
endpoint: "."
|
||||
accessKey: "."
|
||||
secretKey: "."
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-spellcheck:
|
||||
enabled: false
|
||||
|
||||
core-documentconverter:
|
||||
enabled: false
|
||||
enabled: true
|
||||
documentConverter:
|
||||
cache:
|
||||
remoteCache:
|
||||
enabled: false
|
||||
podSecurityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
core-documents-collaboration:
|
||||
enabled: false
|
||||
office-web:
|
||||
@@ -171,3 +316,30 @@ appsuite:
|
||||
enabled: false
|
||||
core-drive-help:
|
||||
enabled: false
|
||||
|
||||
nextcloud-integration-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
public-sector-ui:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
...
|
||||
|
||||
33
helmfile/apps/openproject-bootstrap/helmfile.yaml
Normal file
33
helmfile/apps/openproject-bootstrap/helmfile.yaml
Normal file
@@ -0,0 +1,33 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk OpenProject Bootstrap
|
||||
# Source: Set when repo is managed on Open CoDE
|
||||
- name: "openproject-bootstrap-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.openprojectBootstrap.verify }}
|
||||
username: "{{ .Values.charts.openprojectBootstrap.username }}"
|
||||
password: {{ .Values.charts.openprojectBootstrap.password | quote }}
|
||||
url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "opendesk-openproject-bootstrap"
|
||||
chart: "openproject-bootstrap-repo/{{ .Values.charts.openprojectBootstrap.name }}"
|
||||
version: "{{ .Values.charts.openprojectBootstrap.version }}"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
installed: {{ .Values.openproject.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-2"
|
||||
component: "opendesk-openproject-bootstrap"
|
||||
...
|
||||
34
helmfile/apps/openproject-bootstrap/values.gotmpl
Normal file
34
helmfile/apps/openproject-bootstrap/values.gotmpl
Normal file
@@ -0,0 +1,34 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
repository: "{{ .Values.images.openprojectBootstrap.repository }}"
|
||||
tag: "{{ .Values.images.openprojectBootstrap.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
|
||||
|
||||
config:
|
||||
openproject:
|
||||
fileshareName: "Nextcloud at {{ .Values.global.domain }}"
|
||||
admin:
|
||||
username: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
|
||||
password: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
|
||||
nextcloud:
|
||||
admin:
|
||||
username: "nextcloud"
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
|
||||
...
|
||||
25
helmfile/apps/openproject-bootstrap/values.yaml
Normal file
25
helmfile/apps/openproject-bootstrap/values.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
job:
|
||||
enabled: true
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
...
|
||||
@@ -1,27 +1,33 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# OpenProject
|
||||
# Source: https://github.com/opf/helm-charts
|
||||
- name: "openproject-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://charts.openproject.org" }}
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
|
||||
verify: {{ .Values.charts.openproject.verify }}
|
||||
username: "{{ .Values.charts.openproject.username }}"
|
||||
password: {{ .Values.charts.openproject.password | quote }}
|
||||
url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "openproject"
|
||||
chart: "openproject-repo/openproject"
|
||||
version: "1.8.0"
|
||||
chart: "openproject-repo/{{ .Values.charts.openproject.name }}"
|
||||
version: "{{ .Values.charts.openproject.version }}"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
condition: "openproject.enabled"
|
||||
installed: {{ .Values.openproject.enabled }}
|
||||
timeout: 900
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "openproject"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -8,68 +8,89 @@ global:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.openproject.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: "{{ .Values.images.openproject.tag }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.openproject.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.openproject.tag | quote }}
|
||||
|
||||
memcached:
|
||||
initdb:
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.memcached.repository }}"
|
||||
tag: "{{ .Values.images.memcached.tag }}"
|
||||
repository: "{{ .Values.images.openprojectInitDb.repository }}"
|
||||
tag: "{{ .Values.images.openprojectInitDb.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
memcached:
|
||||
connection:
|
||||
host: {{ .Values.cache.openproject.host | quote }}
|
||||
port: {{ .Values.cache.openproject.port }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.memcached.repository | quote }}
|
||||
tag: {{ .Values.images.memcached.tag | quote }}
|
||||
|
||||
postgresql:
|
||||
auth:
|
||||
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
|
||||
username: "{{ .Values.databases.openproject.username }}"
|
||||
database: "{{ .Values.databases.openproject.name }}"
|
||||
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
|
||||
username: {{ .Values.databases.openproject.username | quote }}
|
||||
database: {{ .Values.databases.openproject.name | quote }}
|
||||
connection:
|
||||
host: "{{ .Values.databases.openproject.host }}"
|
||||
port: "{{ .Values.databases.openproject.port }}"
|
||||
host: {{ .Values.databases.openproject.host | quote }}
|
||||
port: {{ .Values.databases.openproject.port }}
|
||||
|
||||
openproject:
|
||||
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
|
||||
# Will only be set on initial seed / installation
|
||||
admin_user:
|
||||
name: "OpenProject Interal Admin"
|
||||
name: "OpenProject Internal Admin"
|
||||
mail: "openproject-admin@swp-domain.internal"
|
||||
password_reset: "false"
|
||||
password: "{{ .Values.secrets.openproject.adminPassword }}"
|
||||
password: {{ .Values.secrets.openproject.adminPassword | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
environment:
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }}
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
|
||||
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
|
||||
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
|
||||
OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
|
||||
OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
|
||||
OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
|
||||
OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
|
||||
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
|
||||
OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
|
||||
OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
|
||||
OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
|
||||
OPENPROJECT_SMTP__SSL: "false" # (default=false)
|
||||
OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
|
||||
OPENPROJECT_MAIL__FROM="do-not-reply@{{ .Values.global.domain }}"
|
||||
OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
|
||||
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
|
||||
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
|
||||
|
||||
persistence:
|
||||
size: "{{ .Values.persistence.size.openproject }}"
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
|
||||
{{ if ne .Values.objectstores.openproject.backend "aws" }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
||||
{{ end }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
|
||||
OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
|
||||
OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.openproject }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.openproject | toYaml | nindent 2 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -4,6 +4,9 @@
|
||||
image:
|
||||
registry: "registry.souvap-univention.de"
|
||||
|
||||
memcached:
|
||||
bundled: false
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
initialDelaySeconds: 300
|
||||
@@ -27,6 +30,25 @@ openproject:
|
||||
# seed will only be executed on initial installation
|
||||
seed_locale: "de"
|
||||
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
persistence:
|
||||
enabled: false
|
||||
|
||||
s3:
|
||||
enabled: true
|
||||
|
||||
# For more details and more options see
|
||||
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
|
||||
environment:
|
||||
@@ -42,9 +64,6 @@ environment:
|
||||
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
|
||||
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
|
||||
OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
|
||||
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
|
||||
@@ -61,5 +80,14 @@ environment:
|
||||
"(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
|
||||
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
|
||||
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
|
||||
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
||||
# Define an admin mapping from the claim
|
||||
# The attribute mapping cannot currently be defined in the value
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
|
||||
|
||||
seederJob:
|
||||
annotations:
|
||||
intents.otterize.com/service-name: "openproject-seeder"
|
||||
...
|
||||
|
||||
@@ -1,26 +1,26 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# OX Connector
|
||||
- name: "ox-connector-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
|
||||
username: "{{ .Values.charts.oxConnector.username }}"
|
||||
password: {{ .Values.charts.oxConnector.password | quote }}
|
||||
url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "ox-connector"
|
||||
chart: "ox-connector-repo/ox-connector"
|
||||
version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
|
||||
chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
|
||||
version: "{{ .Values.charts.oxConnector.version }}"
|
||||
values:
|
||||
- "values-oxconnector.yaml"
|
||||
- "values-oxconnector.gotmpl"
|
||||
condition: "oxConnector.enabled"
|
||||
installed: {{ .Values.oxConnector.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-2"
|
||||
component: "provisioning"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,26 +4,29 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.oxConnector.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: "{{ .Values.images.oxConnector.tag }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.oxConnector.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.oxConnector.tag | quote }}
|
||||
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
oxConnector:
|
||||
domainName: "{{ .Values.global.domain }}"
|
||||
domainName: {{ .Values.global.domain | quote }}
|
||||
ldapHost: {{ .Values.ldap.host | quote }}
|
||||
notifierServer: {{ .Values.ldap.notifierHost | quote }}
|
||||
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
|
||||
oxMasterAdmin: "admin"
|
||||
oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
|
||||
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
|
||||
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
oxDefaultContext: "1"
|
||||
ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
|
||||
|
||||
@@ -5,14 +5,9 @@ ingress:
|
||||
enabled: false
|
||||
|
||||
oxConnector:
|
||||
ldapHost: "univention-corporate-container"
|
||||
# ldapHostIp: ""
|
||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
||||
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
|
||||
notifierServer: "univention-corporate-container"
|
||||
tlsMode: "off"
|
||||
# current static password for UCC
|
||||
ldapPassword: "ucctempldapstring"
|
||||
caCert: "ucctempldapstring"
|
||||
debugLevel: "5"
|
||||
logLevel: "DEBUG"
|
||||
|
||||
@@ -1,136 +1,202 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Otterize
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
|
||||
- name: "otterize-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.otterize.verify }}
|
||||
username: "{{ .Values.charts.otterize.username }}"
|
||||
password: {{ .Values.charts.otterize.password | quote }}
|
||||
url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
|
||||
|
||||
# openDesk Certificates
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
|
||||
- name: "opendesk-certificates-repo"
|
||||
- name: "certificates-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.certificates.verify }}
|
||||
username: "{{ .Values.charts.certificates.username }}"
|
||||
password: {{ .Values.charts.certificates.password | quote }}
|
||||
url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
|
||||
|
||||
# openDesk PostgreSQL
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
|
||||
- name: "postgresql-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.postgresql.verify }}
|
||||
username: "{{ .Values.charts.postgresql.username }}"
|
||||
password: {{ .Values.charts.postgresql.password | quote }}
|
||||
url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
|
||||
|
||||
# openDesk MariaDB
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
|
||||
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb
|
||||
- name: "mariadb-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
keyring: "../../files/gpg-pubkeys/opencode.gpg"
|
||||
verify: {{ .Values.charts.mariadb.verify }}
|
||||
username: "{{ .Values.charts.mariadb.username }}"
|
||||
password: {{ .Values.charts.mariadb.password | quote }}
|
||||
url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
|
||||
|
||||
# openDesk Postfix
|
||||
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
|
||||
- name: "postfix-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.postfix.verify }}
|
||||
username: "{{ .Values.charts.postfix.username }}"
|
||||
password: {{ .Values.charts.postfix.password | quote }}
|
||||
url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
|
||||
|
||||
# openDesk Istio Resources
|
||||
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
|
||||
- name: "istio-resources-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.istioResources.verify }}
|
||||
username: "{{ .Values.charts.istioResources.username }}"
|
||||
password: {{ .Values.charts.istioResources.password | quote }}
|
||||
url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
|
||||
|
||||
# openDesk ClamAV
|
||||
# https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
|
||||
- name: "clamav-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.clamav.verify }}
|
||||
username: "{{ .Values.charts.clamav.username }}"
|
||||
password: {{ .Values.charts.clamav.password | quote }}
|
||||
url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
|
||||
- name: "clamav-simple-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.clamavSimple.verify }}
|
||||
username: "{{ .Values.charts.clamavSimple.username }}"
|
||||
password: {{ .Values.charts.clamavSimple.password | quote }}
|
||||
url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
|
||||
|
||||
# VMWare Bitnami
|
||||
# Source: https://github.com/bitnami/charts/
|
||||
- name: "bitnami-repo"
|
||||
- name: "memcached-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "registry-1.docker.io/bitnamicharts" }}
|
||||
# Bitnami charts are not signed, see https://github.com/bitnami/charts/issues/14491
|
||||
verify: false
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.memcached.verify }}
|
||||
username: "{{ .Values.charts.memcached.username }}"
|
||||
password: {{ .Values.charts.memcached.password | quote }}
|
||||
url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
|
||||
- name: "redis-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.redis.verify }}
|
||||
username: "{{ .Values.charts.redis.username }}"
|
||||
password: {{ .Values.charts.redis.password | quote }}
|
||||
url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
|
||||
- name: "minio-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.minio.verify }}
|
||||
username: "{{ .Values.charts.minio.username }}"
|
||||
password: {{ .Values.charts.minio.password | quote }}
|
||||
url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
|
||||
|
||||
|
||||
releases:
|
||||
- name: "opendesk-otterize"
|
||||
chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
|
||||
version: "{{ .Values.charts.otterize.version }}"
|
||||
values:
|
||||
- "values-otterize.gotmpl"
|
||||
installed: {{ .Values.security.otterizeIntents.enabled }}
|
||||
|
||||
- name: "opendesk-certificates"
|
||||
chart: "opendesk-certificates-repo/opendesk-certificates"
|
||||
version: "2.1.0"
|
||||
chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
|
||||
version: "{{ .Values.charts.certificates.version }}"
|
||||
values:
|
||||
- "values-certificates.gotmpl"
|
||||
condition: "certificates.enabled"
|
||||
installed: {{ .Values.certificates.enabled }}
|
||||
|
||||
- name: "redis"
|
||||
chart: "bitnami-repo/redis"
|
||||
version: "18.0.4"
|
||||
chart: "redis-repo/{{ .Values.charts.redis.name }}"
|
||||
version: "{{ .Values.charts.redis.version }}"
|
||||
values:
|
||||
- "values-redis.gotmpl"
|
||||
- "values-redis.yaml"
|
||||
condition: "redis.enabled"
|
||||
installed: {{ .Values.redis.enabled }}
|
||||
|
||||
- name: "memcached"
|
||||
chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
|
||||
version: "{{ .Values.charts.memcached.version }}"
|
||||
values:
|
||||
- "values-memcached.yaml"
|
||||
- "values-memcached.gotmpl"
|
||||
installed: {{ .Values.memcached.enabled }}
|
||||
|
||||
- name: "postgresql"
|
||||
chart: "postgresql-repo/postgresql"
|
||||
version: "2.0.2"
|
||||
chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
|
||||
version: "{{ .Values.charts.postgresql.version }}"
|
||||
values:
|
||||
- "values-postgresql.yaml"
|
||||
- "values-postgresql.gotmpl"
|
||||
condition: "postgresql.enabled"
|
||||
installed: {{ .Values.postgresql.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "mariadb"
|
||||
chart: "mariadb-repo/mariadb"
|
||||
version: "2.0.2"
|
||||
chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
|
||||
version: "{{ .Values.charts.mariadb.version }}"
|
||||
values:
|
||||
- "values-mariadb.yaml"
|
||||
- "values-mariadb.gotmpl"
|
||||
condition: "mariadb.enabled"
|
||||
installed: {{ .Values.mariadb.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "postfix"
|
||||
chart: "postfix-repo/postfix"
|
||||
version: "2.0.3"
|
||||
chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
|
||||
version: "{{ .Values.charts.postfix.version }}"
|
||||
values:
|
||||
- "values-postfix.yaml"
|
||||
- "values-postfix.gotmpl"
|
||||
condition: "postfix.enabled"
|
||||
installed: {{ .Values.postfix.enabled }}
|
||||
|
||||
- name: "clamav"
|
||||
chart: "clamav-repo/opendesk-clamav"
|
||||
version: "4.0.0"
|
||||
chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
|
||||
version: "{{ .Values.charts.clamav.version }}"
|
||||
values:
|
||||
- "values-clamav-distributed.yaml"
|
||||
- "values-clamav-distributed.gotmpl"
|
||||
condition: "clamavDistributed.enabled"
|
||||
installed: {{ .Values.clamavDistributed.enabled }}
|
||||
|
||||
- name: "clamav-simple"
|
||||
chart: "clamav-repo/clamav-simple"
|
||||
version: "4.0.0"
|
||||
chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
|
||||
version: "{{ .Values.charts.clamavSimple.version }}"
|
||||
values:
|
||||
- "values-clamav-simple.yaml"
|
||||
- "values-clamav-simple.gotmpl"
|
||||
condition: "clamavSimple.enabled"
|
||||
installed: {{ .Values.clamavSimple.enabled }}
|
||||
|
||||
- name: "opendesk-gateway"
|
||||
chart: "istio-resources-repo/istio-gateway"
|
||||
version: "2.0.0"
|
||||
chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
|
||||
version: "{{ .Values.charts.istioResources.version }}"
|
||||
values:
|
||||
- "values-istio-gateway.yaml"
|
||||
- "values-istio-gateway.gotmpl"
|
||||
condition: "istio.enabled"
|
||||
installed: {{ .Values.istio.enabled }}
|
||||
|
||||
- name: "minio"
|
||||
chart: "minio-repo/{{ .Values.charts.minio.name }}"
|
||||
version: "{{ .Values.charts.minio.version }}"
|
||||
values:
|
||||
- "values-minio.yaml"
|
||||
- "values-minio.gotmpl"
|
||||
installed: {{ .Values.minio.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "services"
|
||||
component: "services"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,19 +4,19 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
|
||||
issuerRef:
|
||||
name: "{{ .Values.certificate.issuerRef.name }}"
|
||||
name: {{ .Values.certificate.issuerRef.name | quote }}
|
||||
|
||||
{{- if .Values.istio.enabled }}
|
||||
istio:
|
||||
enabled: {{ .Values.istio.enabled }}
|
||||
domain: {{ .Values.istio.domain }}
|
||||
domain: {{ .Values.istio.domain | quote }}
|
||||
issuerRef:
|
||||
name: "{{ .Values.istio.issuerRef.name }}"
|
||||
name: {{ .Values.istio.issuerRef.name | quote }}
|
||||
{{- end }}
|
||||
|
||||
cleanup:
|
||||
|
||||
@@ -7,10 +7,10 @@ clamd:
|
||||
podSecurityContext:
|
||||
replicaCount: {{ .Values.replicas.clamd }}
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.clamd.repository }}"
|
||||
tag: "{{ .Values.images.clamd.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.clamd.repository | quote }}
|
||||
tag: {{ .Values.images.clamd.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.clamd | toYaml | nindent 4 }}
|
||||
|
||||
@@ -18,10 +18,10 @@ freshclam:
|
||||
podSecurityContext:
|
||||
replicaCount: {{ .Values.replicas.freshclam }}
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.freshclam.repository }}"
|
||||
tag: "{{ .Values.images.freshclam.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.freshclam.repository | quote }}
|
||||
tag: {{ .Values.images.freshclam.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.freshclam | toYaml | nindent 4 }}
|
||||
|
||||
@@ -32,10 +32,10 @@ global:
|
||||
icap:
|
||||
replicaCount: {{ .Values.replicas.icap }}
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.icap.repository }}"
|
||||
tag: "{{ .Values.images.icap.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.icap.repository | quote }}
|
||||
tag: {{ .Values.images.icap.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.icap | toYaml | nindent 4 }}
|
||||
|
||||
@@ -43,14 +43,14 @@ milter:
|
||||
podSecurityContext:
|
||||
replicaCount: {{ .Values.replicas.milter }}
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.milter.repository }}"
|
||||
tag: "{{ .Values.images.milter.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.milter.repository | quote }}
|
||||
tag: {{ .Values.images.milter.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.milter | toYaml | nindent 4 }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
|
||||
size: "{{ .Values.persistence.size.clamav }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
|
||||
size: {{ .Values.persistence.size.clamav | quote }}
|
||||
...
|
||||
|
||||
@@ -7,15 +7,15 @@ replicaCount: {{ .Values.replicas.clamav }}
|
||||
|
||||
image:
|
||||
clamav:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.clamd.repository }}"
|
||||
tag: "{{ .Values.images.clamd.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.clamd.repository | quote }}
|
||||
tag: {{ .Values.images.clamd.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
icap:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.icap.repository }}"
|
||||
tag: "{{ .Values.images.icap.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.icap.repository | quote }}
|
||||
tag: {{ .Values.images.icap.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.clamd | toYaml | nindent 4 }}
|
||||
@@ -25,6 +25,6 @@ global:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.clamav }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.clamav | quote }}
|
||||
...
|
||||
|
||||
@@ -4,9 +4,9 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.istio.domain }}"
|
||||
domain: {{ .Values.istio.domain | quote }}
|
||||
hosts:
|
||||
openxchange: "{{ .Values.global.hosts.openxchange }}"
|
||||
openxchange: {{ .Values.global.hosts.openxchange | quote }}
|
||||
|
||||
tls:
|
||||
secretName: "{{ .Values.istio.domain }}-tls"
|
||||
|
||||
@@ -4,25 +4,28 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
|
||||
image:
|
||||
repository: "{{ .Values.images.mariadb.repository }}"
|
||||
tag: "{{ .Values.images.mariadb.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.mariadb.repository | quote }}
|
||||
tag: {{ .Values.images.mariadb.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
|
||||
# Please refer to `databases.yaml` for details.
|
||||
job:
|
||||
users:
|
||||
- username: "xwiki_user"
|
||||
password: "{{ .Values.secrets.mariadb.xwikiUser }}"
|
||||
password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
|
||||
- username: "openxchange_user"
|
||||
password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
|
||||
password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
|
||||
- username: "nextcloud_user"
|
||||
password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
|
||||
password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
|
||||
databases:
|
||||
- name: "xwiki"
|
||||
user: "xwiki_user"
|
||||
@@ -32,11 +35,11 @@ job:
|
||||
user: "openxchange_user"
|
||||
|
||||
mariadb:
|
||||
rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
|
||||
rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.mariadb }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.mariadb | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.mariadb | toYaml | nindent 2 }}
|
||||
|
||||
19
helmfile/apps/services/values-memcached.gotmpl
Normal file
19
helmfile/apps/services/values-memcached.gotmpl
Normal file
@@ -0,0 +1,19 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.memcached.repository | quote }}
|
||||
tag: {{ .Values.images.memcached.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.memcached | toYaml | nindent 2 }}
|
||||
...
|
||||
18
helmfile/apps/services/values-memcached.yaml
Normal file
18
helmfile/apps/services/values-memcached.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1001
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
...
|
||||
80
helmfile/apps/services/values-minio.gotmpl
Normal file
80
helmfile/apps/services/values-minio.gotmpl
Normal file
@@ -0,0 +1,80 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.minio.repository }}"
|
||||
tag: "{{ .Values.images.minio.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
auth:
|
||||
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
|
||||
|
||||
statefulset:
|
||||
replicaCount: {{ .Values.replicas.minioDistributed }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.minio | toYaml | nindent 2 }}
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName }}
|
||||
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
|
||||
extraTls:
|
||||
- hosts:
|
||||
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
|
||||
apiIngress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName }}
|
||||
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
|
||||
extraTls:
|
||||
- hosts:
|
||||
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
|
||||
metrics:
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
prometheusRule:
|
||||
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.minio }}"
|
||||
|
||||
provisioning:
|
||||
users:
|
||||
- username: "openproject_user"
|
||||
password: {{ .Values.secrets.minio.openprojectUser | quote }}
|
||||
disabled: false
|
||||
policies:
|
||||
- "openproject-bucket-policy"
|
||||
setPolicies: true
|
||||
- username: "openxchange_user"
|
||||
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
|
||||
disabled: false
|
||||
policies:
|
||||
- "openxchange-bucket-policy"
|
||||
setPolicies: true
|
||||
- username: "ums_user"
|
||||
password: {{ .Values.secrets.minio.umsUser | quote }}
|
||||
disabled: false
|
||||
policies:
|
||||
- "ums-bucket-policy"
|
||||
setPolicies: true
|
||||
- username: "nextcloud_user"
|
||||
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
|
||||
disabled: false
|
||||
policies:
|
||||
- "nextcloud-bucket-policy"
|
||||
setPolicies: true
|
||||
...
|
||||
114
helmfile/apps/services/values-minio.yaml
Normal file
114
helmfile/apps/services/values-minio.yaml
Normal file
@@ -0,0 +1,114 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
mode: "standalone"
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
nginx.org/websocket-services: "minio"
|
||||
|
||||
networkPolicy:
|
||||
enabled: false
|
||||
|
||||
defaultBuckets: "openproject,openxchange,ums,nextcloud"
|
||||
|
||||
provisioning:
|
||||
enabled: true
|
||||
cleanupAfterFinished:
|
||||
enabled: true
|
||||
buckets:
|
||||
- name: "openproject"
|
||||
versioning: true
|
||||
withLock: false
|
||||
- name: "openxchange"
|
||||
versioning: true
|
||||
withLock: false
|
||||
- name: "ums"
|
||||
versioning: true
|
||||
withLock: false
|
||||
- name: "nextcloud"
|
||||
versioning: true
|
||||
withLock: false
|
||||
policies:
|
||||
- name: "openproject-bucket-policy"
|
||||
statements:
|
||||
- resources:
|
||||
- "arn:aws:s3:::openproject"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- resources:
|
||||
- "arn:aws:s3:::openproject/*"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- name: "openxchange-bucket-policy"
|
||||
statements:
|
||||
- resources:
|
||||
- "arn:aws:s3:::openxchange"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- resources:
|
||||
- "arn:aws:s3:::openxchange/*"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- name: "ums-bucket-policy"
|
||||
statements:
|
||||
- resources:
|
||||
- "arn:aws:s3:::ums"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- resources:
|
||||
- "arn:aws:s3:::ums/*"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- name: "nextcloud-bucket-policy"
|
||||
statements:
|
||||
- resources:
|
||||
- "arn:aws:s3:::nextcloud"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
- resources:
|
||||
- "arn:aws:s3:::nextcloud/*"
|
||||
effect: "Allow"
|
||||
actions:
|
||||
- "s3:*"
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 10
|
||||
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 10
|
||||
|
||||
startupProbe:
|
||||
enabled: true
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 10
|
||||
...
|
||||
56
helmfile/apps/services/values-otterize.gotmpl
Normal file
56
helmfile/apps/services/values-otterize.gotmpl
Normal file
@@ -0,0 +1,56 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
apps:
|
||||
clamavDistributed:
|
||||
enabled: {{ .Values.clamavDistributed.enabled }}
|
||||
clamavSimple:
|
||||
enabled: {{ .Values.clamavSimple.enabled }}
|
||||
collabora:
|
||||
enabled: {{ .Values.collabora.enabled }}
|
||||
cryptpad:
|
||||
enabled: {{ .Values.cryptpad.enabled }}
|
||||
dovecot:
|
||||
enabled: {{ .Values.dovecot.enabled }}
|
||||
element:
|
||||
enabled: {{ .Values.element.enabled }}
|
||||
intercom:
|
||||
enabled: {{ .Values.intercom.enabled }}
|
||||
jitsi:
|
||||
enabled: {{ .Values.jitsi.enabled }}
|
||||
keycloak:
|
||||
enabled: {{ .Values.keycloak.enabled }}
|
||||
mariadb:
|
||||
enabled: {{ .Values.mariadb.enabled }}
|
||||
memcached:
|
||||
enabled: {{ .Values.memcached.enabled }}
|
||||
minio:
|
||||
enabled: {{ .Values.minio.enabled }}
|
||||
nextcloud:
|
||||
enabled: {{ .Values.nextcloud.enabled }}
|
||||
openproject:
|
||||
enabled: {{ .Values.openproject.enabled }}
|
||||
oxAppsuite:
|
||||
enabled: {{ .Values.oxAppsuite.enabled }}
|
||||
oxConnector:
|
||||
enabled: {{ .Values.oxConnector.enabled }}
|
||||
postfix:
|
||||
enabled: {{ .Values.postfix.enabled }}
|
||||
postgresql:
|
||||
enabled: {{ .Values.postgresql.enabled }}
|
||||
redis:
|
||||
enabled: {{ .Values.redis.enabled }}
|
||||
univentionCorporateServer:
|
||||
enabled: {{ .Values.univentionCorporateServer.enabled }}
|
||||
univentionManagementStack:
|
||||
enabled: {{ .Values.univentionManagementStack.enabled }}
|
||||
xwiki:
|
||||
enabled: {{ .Values.xwiki.enabled }}
|
||||
|
||||
extraApps:
|
||||
clusterPostfix:
|
||||
enabled: {{ .Values.security.clusterPostfix.enabled }}
|
||||
namespace: {{ .Values.security.clusterPostfix.namespace }}
|
||||
...
|
||||
@@ -4,28 +4,28 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
repository: "{{ .Values.images.postfix.repository }}"
|
||||
tag: "{{ .Values.images.postfix.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.postfix.repository | quote }}
|
||||
tag: {{ .Values.images.postfix.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
certificate:
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
postfix:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
virtualMailboxDomains: "{{ .Values.global.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
virtualMailboxDomains: {{ .Values.global.domain | quote }}
|
||||
overrides:
|
||||
- fileName: "sasl_passwd.map"
|
||||
content:
|
||||
- "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
|
||||
relayHost: "[{{ .Values.smtp.host }}]:587"
|
||||
relayNets: {{ .Values.cluster.networking.cidr }}
|
||||
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
|
||||
relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
|
||||
relayNets: {{ .Values.cluster.networking.cidr | quote}}
|
||||
virtualTransport: "lmtps:dovecot:24"
|
||||
smtpdSASLPath: "inet:dovecot:3659"
|
||||
{{- if .Values.clamavDistributed.enabled }}
|
||||
@@ -35,8 +35,8 @@ postfix:
|
||||
{{- end }}
|
||||
|
||||
persistence:
|
||||
size: "{{ .Values.persistence.size.postfix }}"
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: {{ .Values.persistence.size.postfix | quote }}
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
|
||||
|
||||
replicaCount: {{ .Values.replicas.postfix }}
|
||||
|
||||
|
||||
@@ -4,27 +4,29 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
repository: "{{ .Values.images.postgresql.repository }}"
|
||||
tag: "{{ .Values.images.postgresql.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: {{ .Values.images.postgresql.repository | quote }}
|
||||
tag: {{ .Values.images.postgresql.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
job:
|
||||
users:
|
||||
- username: "keycloak_user"
|
||||
password: {{ .Values.secrets.postgresql.keycloakUser }}
|
||||
password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
|
||||
- username: "openproject_user"
|
||||
password: {{ .Values.secrets.postgresql.openprojectUser }}
|
||||
password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
|
||||
- username: "keycloak_extensions_user"
|
||||
password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
|
||||
password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
|
||||
- username: "matrix_user"
|
||||
password: {{ .Values.secrets.postgresql.matrixUser }}
|
||||
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
|
||||
- username: "notificationsapi_user"
|
||||
password: {{ .Values.secrets.postgresql.notificationsapiUser }}
|
||||
password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
|
||||
- username: "selfservice_user"
|
||||
password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
|
||||
databases:
|
||||
- name: "keycloak"
|
||||
user: "keycloak_user"
|
||||
@@ -37,13 +39,15 @@ job:
|
||||
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
|
||||
- name: "notificationsapi"
|
||||
user: "notificationsapi_user"
|
||||
- name: "selfservice"
|
||||
user: "selfservice_user"
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.postgresql }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.postgresql | quote }}
|
||||
|
||||
postgres:
|
||||
password: {{ .Values.secrets.postgresql.postgresUser }}
|
||||
password: {{ .Values.secrets.postgresql.postgresUser | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.postgresql | toYaml | nindent 2 }}
|
||||
|
||||
@@ -4,23 +4,23 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
auth:
|
||||
password: {{ .Values.secrets.redis.password }}
|
||||
password: {{ .Values.secrets.redis.password | quote }}
|
||||
|
||||
global:
|
||||
imageRegistry: "{{ .Values.global.imageRegistry }}"
|
||||
imageRegistry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.redis.repository }}"
|
||||
tag: "{{ .Values.images.redis.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.redis.repository | quote }}
|
||||
tag: {{ .Values.images.redis.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
master:
|
||||
persistence:
|
||||
size: "{{ .Values.persistence.size.redis }}"
|
||||
size: {{ .Values.persistence.size.redis | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.redis | toYaml | nindent 4 }}
|
||||
|
||||
@@ -1,31 +1,30 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
---
|
||||
repositories:
|
||||
# openDesk Univention Corporate Server (as eval Container)
|
||||
- name: "univention-corporate-container-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
|
||||
"external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.univentionCorporateServer.verify }}
|
||||
username: "{{ .Values.charts.univentionCorporateServer.username }}"
|
||||
password: {{ .Values.charts.univentionCorporateServer.password | quote }}
|
||||
url: "{{ .Values.charts.univentionCorporateServer.registry }}/\
|
||||
{{ .Values.charts.univentionCorporateServer.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "univention-corporate-container"
|
||||
chart: "univention-corporate-container-repo/univention-corporate-container"
|
||||
version: "1.0.10"
|
||||
chart: "univention-corporate-container-repo/{{ .Values.charts.univentionCorporateServer.name }}"
|
||||
version: "{{ .Values.charts.univentionCorporateServer.version }}"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
condition: "univentionCorporateServer.enabled"
|
||||
installed: {{ .Values.univentionCorporateServer.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "univention-corporate-container"
|
||||
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
...
|
||||
|
||||
@@ -4,64 +4,64 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
repository: "{{ .Values.images.univentionCorporateServer.repository }}"
|
||||
tag: "{{ .Values.images.univentionCorporateServer.tag }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
|
||||
tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
tls:
|
||||
enabled: {{ .Values.ingress.tls.enabled }}
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.univentionCorporateServer }}"
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
|
||||
|
||||
extraEnvVars:
|
||||
- name: ISTIO_DOMAIN
|
||||
value: {{ .Values.istio.domain }}
|
||||
value: {{ .Values.istio.domain | quote }}
|
||||
- name: CENTRALNAVIGATION_API_SECRET
|
||||
value: {{ .Values.secrets.centralnavigation.apiKey }}
|
||||
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
- name: LDAPSEARCH_OX_USERNAME
|
||||
value: "ldapsearch_ox"
|
||||
- name: LDAPSEARCH_OX_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
|
||||
- name: LDAPSEARCH_DOVECOT_USERNAME
|
||||
value: "ldapsearch_dovecot"
|
||||
- name: LDAPSEARCH_DOVECOT_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
|
||||
- name: LDAPSEARCH_KEYCLOAK_USERNAME
|
||||
value: "ldapsearch_keycloak"
|
||||
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
|
||||
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
|
||||
value: "ldapsearch_nextcloud"
|
||||
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
|
||||
- name: LDAPSEARCH_OPENPROJECT_USERNAME
|
||||
value: "ldapsearch_openproject"
|
||||
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
|
||||
- name: LDAPSEARCH_XWIKI_USERNAME
|
||||
value: "ldapsearch_xwiki"
|
||||
- name: LDAPSEARCH_XWIKI_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
|
||||
- name: DEFAULT_ACCOUNT_USER_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
|
||||
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
|
||||
|
||||
@@ -3,116 +3,162 @@
|
||||
---
|
||||
bases:
|
||||
- "../../bases/environments.yaml"
|
||||
|
||||
---
|
||||
repositories:
|
||||
# Univention Management Stack
|
||||
- name: "ums-repo"
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
|
||||
# VMWare Bitnami
|
||||
# Source: https://github.com/bitnami/charts/
|
||||
- name: "nginx-repo"
|
||||
oci: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
verify: {{ .Values.charts.nginx.verify }}
|
||||
username: "{{ .Values.charts.nginx.username }}"
|
||||
password: {{ .Values.charts.nginx.password | quote }}
|
||||
url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
|
||||
|
||||
releases:
|
||||
- name: "ums-stack-gateway"
|
||||
chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
|
||||
version: "{{ .Values.charts.nginx.version }}"
|
||||
values:
|
||||
- "values-ums-stack-gateway.gotmpl"
|
||||
- "values-ums-stack-gateway.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-store-dav"
|
||||
chart: "ums-repo/store-dav"
|
||||
version: "0.2.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsStoreDav.name }}"
|
||||
version: "{{ .Values.charts.umsStoreDav.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-store-dav.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-ldap-server"
|
||||
chart: "ums-repo/ldap-server"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsLdapServer.name }}"
|
||||
version: "{{ .Values.charts.umsLdapServer.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-ldap-server.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-ldap-server.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-ldap-notifier"
|
||||
chart: "ums-repo/ldap-notifier"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsLdapNotifier.name }}"
|
||||
version: "{{ .Values.charts.umsLdapNotifier.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-ldap-notifier.gotmpl"
|
||||
- "values-ldap-notifier.yaml"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-udm-rest-api"
|
||||
chart: "ums-repo/udm-rest-api"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsUdmRestApi.name }}"
|
||||
version: "{{ .Values.charts.umsUdmRestApi.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-udm-rest-api.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-udm-rest-api.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-stack-data-ums"
|
||||
chart: "ums-repo/stack-data-ums"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
|
||||
version: "{{ .Values.charts.umsStackDataUms.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-stack-data-ums.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-stack-data-ums.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-stack-data-swp"
|
||||
chart: "ums-repo/stack-data-swp"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsStackDataSwp.name }}"
|
||||
version: "{{ .Values.charts.umsStackDataSwp.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-stack-data-swp.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-stack-data-swp.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-portal-server"
|
||||
chart: "ums-repo/portal-server"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsPortalServer.name }}"
|
||||
version: "{{ .Values.charts.umsPortalServer.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-portal-server.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-portal-server.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-notifications-api"
|
||||
chart: "ums-repo/notifications-api"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsNotificationsApi.name }}"
|
||||
version: "{{ .Values.charts.umsNotificationsApi.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-notifications-api.gotmpl"
|
||||
- "values-notifications-api.yaml"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-portal-listener"
|
||||
chart: "ums-repo/portal-listener"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsPortalListener.name }}"
|
||||
version: "{{ .Values.charts.umsPortalListener.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-portal-listener.gotmpl"
|
||||
- "values-portal-listener.yaml"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-portal-frontend"
|
||||
chart: "ums-repo/portal-frontend"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsPortalFrontend.name }}"
|
||||
version: "{{ .Values.charts.umsPortalFrontend.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-portal-frontend.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-portal-frontend.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-umc-gateway"
|
||||
chart: "ums-repo/umc-gateway"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsUmcGateway.name }}"
|
||||
version: "{{ .Values.charts.umsUmcGateway.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-umc-gateway.gotmpl"
|
||||
- "values-umc-gateway.yaml"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-umc-server"
|
||||
chart: "ums-repo/umc-server"
|
||||
version: "0.1.0"
|
||||
chart: "ums-repo/{{ .Values.charts.umsUmcServer.name }}"
|
||||
version: "{{ .Values.charts.umsUmcServer.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-umc-server.gotmpl"
|
||||
condition: "univentionManagementStack.enabled"
|
||||
- "values-umc-server.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
- name: "ums-selfservice-listener"
|
||||
chart: "ums-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
|
||||
version: "{{ .Values.charts.umsSelfserviceListener.version }}"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
- "values-selfservice-listener.gotmpl"
|
||||
- "values-selfservice-listener.yaml"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
|
||||
commonLabels:
|
||||
deploy-stage: "component-1"
|
||||
component: "univention-management-stack"
|
||||
...
|
||||
|
||||
@@ -3,12 +3,8 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
||||
tls:
|
||||
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
|
||||
enabled: false
|
||||
secretName: ""
|
||||
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
|
||||
...
|
||||
|
||||
@@ -1,6 +1,23 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
global:
|
||||
configMapUcrDefaults: "ums-stack-data-ums-ucr"
|
||||
configMapUcr: "ums-stack-data-swp-ucr"
|
||||
configMapUcrForced: null
|
||||
|
||||
ingress:
|
||||
# Intentionally not using the Ingress configuration of the UMS stack at the
|
||||
# moment, since it does depend on rewriting capabilities of the ingress
|
||||
# controller. Those are encapsulated into the release "stack-gateway" so that
|
||||
# the compatibility with all ingress controllers is increased.
|
||||
enabled: false
|
||||
tls:
|
||||
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
|
||||
enabled: false
|
||||
secretName: ""
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
|
||||
...
|
||||
|
||||
@@ -3,18 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.umsLdapNotifier.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: "{{ .Values.images.umsLdapNotifier.tag }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -4,40 +4,32 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
ldapServer:
|
||||
ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
|
||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
||||
|
||||
# TODO: Certificates handling
|
||||
# caCert: ""
|
||||
# certPem: ""
|
||||
# privateKey: ""
|
||||
# dhParam: ""
|
||||
tlsMode: "off"
|
||||
|
||||
# TODO: SAML integration
|
||||
# samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
|
||||
# samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
|
||||
# serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
|
||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.umsLdapServer.repository }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
tag: "{{ .Values.images.umsLdapServer.tag }}"
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsLdapServer.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsLdapServer.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
# TODO: Pending upstream support, #199
|
||||
waitForDependency:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
|
||||
|
||||
persistence:
|
||||
data:
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
|
||||
shared:
|
||||
storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
|
||||
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
|
||||
ldapServer:
|
||||
waitForSamlMetadata: true
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
extraVolumes:
|
||||
- name: "opendesk-schemas"
|
||||
configMap:
|
||||
name: "ums-stack-data-swp-schemas"
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
|
||||
subPath: "opendeskFileshare.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
|
||||
subPath: "opendeskKnowledgemanagement.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
|
||||
subPath: "opendeskLearnmanagement.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
|
||||
subPath: "opendeskLivecollaboration.schema"
|
||||
- name: "opendesk-schemas"
|
||||
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
|
||||
subPath: "opendeskProjectmanagement.schema"
|
||||
|
||||
...
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user