mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 23:41:43 +01:00
Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
845a0a3189 | ||
|
|
519db51be2 | ||
|
|
7ef3a10577 | ||
|
|
1c35ca67ce | ||
|
|
e0c6c14dca | ||
|
|
3cf348c7ae | ||
|
|
b3d45c45e1 | ||
|
|
c246edd8f9 | ||
|
|
c19bca2be0 | ||
|
|
a5f263ce48 | ||
|
|
cbe8fb2d65 | ||
|
|
8b6a4b2e88 | ||
|
|
a61d00482f | ||
|
|
0c7a77c4b6 | ||
|
|
211bee94bb | ||
|
|
b3ac0ae6d9 | ||
|
|
4c52a5aaa8 | ||
|
|
7a9ecf7b85 | ||
|
|
86b48188e1 | ||
|
|
7bbab22939 | ||
|
|
1343d6c93e | ||
|
|
735fec3b4c | ||
|
|
21b9d1d024 | ||
|
|
6dc92df2eb | ||
|
|
cac6abe251 |
@@ -5,6 +5,7 @@ include:
|
|||||||
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
|
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
|
||||||
ref: "main"
|
ref: "main"
|
||||||
file:
|
file:
|
||||||
|
- "ci/common/automr.yml"
|
||||||
- "ci/common/lint.yml"
|
- "ci/common/lint.yml"
|
||||||
- "ci/release-automation/semantic-release.yml"
|
- "ci/release-automation/semantic-release.yml"
|
||||||
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
|
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
|
||||||
@@ -14,6 +15,7 @@ include:
|
|||||||
|
|
||||||
stages:
|
stages:
|
||||||
- ".pre"
|
- ".pre"
|
||||||
|
- "automr"
|
||||||
- "lint"
|
- "lint"
|
||||||
- "env-cleanup"
|
- "env-cleanup"
|
||||||
- "env"
|
- "env"
|
||||||
|
|||||||
44
CHANGELOG.md
44
CHANGELOG.md
@@ -1,3 +1,47 @@
|
|||||||
|
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
|
||||||
|
|
||||||
|
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7bbab229396075c7d10f94f42bef14551faefe26))
|
||||||
|
* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a9ecf7b8595edf0949d9c200d01b3409f25b9a7))
|
||||||
|
* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/4c52a5aaa83ffb6f4c49faa039c94cb1855987bb))
|
||||||
|
* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a5f263ce489f88b90cf1151de249f36616a51632))
|
||||||
|
* **univention-management-stack:** Apply styling ([b3d45c4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e))
|
||||||
|
* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cbe8fb2d65e6ce73f9da95ef9b0ed3ffbb16d367))
|
||||||
|
* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3cf348c7ae8f438daf3e64addbf839230816f3d2))
|
||||||
|
* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3ac0ae6d91a058265fcd26c6653bb8a13d3e780))
|
||||||
|
* **univention-management-stack:** Quote all composed strings ([1c35ca6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c35ca67ce0673e1b2f9a350bd07c82c22a05354))
|
||||||
|
* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8b6a4b2e88e8be1d299af91ed1ffff4405db88e6))
|
||||||
|
* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0c7a77c4b6f20c6d83e977dabfc4e555b652f6ac))
|
||||||
|
* **univention-management-stack:** UMC uses external memcached ([211bee9](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/211bee94bb7675860f867f0335fec9f14fc96875))
|
||||||
|
* **univention-management-stack:** Update ums-dependencies ([e0c6c14](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e0c6c14dcaefc0755495270bbf45898721e27985))
|
||||||
|
* **univention-management-stack:** Update ums-dependencies ([c246edd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c246edd8f9753e37bc9c32683faf41f5b46d7675))
|
||||||
|
* **univention-management-stack:** Update ums-dependencies ([86b4818](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/86b48188e160c1f7d15f2c33f1f3cd0cc0e68bf2))
|
||||||
|
* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c19bca2be0d14750bbef661e45c5c424f7da8e77))
|
||||||
|
|
||||||
|
## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* **ci:** Open automatic MRs for new branches ([735fec3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/735fec3b4ccd33ba63e5fa6482526efb6853c64a))
|
||||||
|
|
||||||
|
## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* **nextcloud:** Bump chart to fix central navigation ([cac6abe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cac6abe2510b6793963633077543684a6a4e7cbc))
|
||||||
|
* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6dc92df2ebcae435e3b3609cc163dc6c33fb1b83))
|
||||||
|
|
||||||
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
|
## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -37,6 +37,12 @@ service.
|
|||||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||||
| | | | Password | `databases.keycloakExtension.password` | |
|
| | | | Password | `databases.keycloakExtension.password` | |
|
||||||
|
| UMS | Notifications API | PostgreSQL | | | |
|
||||||
|
| | | | Name | `databases.notificationsApi.name` | `notificationsapi` |
|
||||||
|
| | | | Host | `databases.notificationsApi.host` | `postgresql` |
|
||||||
|
| | | | Port | `databases.notificationsApi.port` | `5432` |
|
||||||
|
| | | | Username | `databases.notificationsApi.username` | `notificationsapi_user` |
|
||||||
|
| | | | Password | `databases.notificationsApi.password` | |
|
||||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||||
|
|||||||
@@ -50,43 +50,52 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
|
|||||||
This list gives you an overview of default security settings and if they comply with security standards:
|
This list gives you an overview of default security settings and if they comply with security standards:
|
||||||
|
|
||||||
|
|
||||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||||
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
|
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||||
|
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
|
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
|
||||||
|
| UCC | univention-corporate-container | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||||
|
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
|
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||||
|
|||||||
@@ -26,6 +26,7 @@ releases:
|
|||||||
chart: "intercom-service-repo/intercom-service"
|
chart: "intercom-service-repo/intercom-service"
|
||||||
version: "2.0.1"
|
version: "2.0.1"
|
||||||
values:
|
values:
|
||||||
|
- "values.yaml"
|
||||||
- "values.gotmpl"
|
- "values.gotmpl"
|
||||||
installed: {{ .Values.intercom.enabled }}
|
installed: {{ .Values.intercom.enabled }}
|
||||||
|
|
||||||
|
|||||||
21
helmfile/apps/intercom-service/values.yaml
Normal file
21
helmfile/apps/intercom-service/values.yaml
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
containerSecurityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
enabled: true
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
|
||||||
|
podSecurityContext:
|
||||||
|
enabled: true
|
||||||
|
fsGroup: 1000
|
||||||
|
fsGroupChangePolicy: "Always"
|
||||||
|
...
|
||||||
@@ -23,6 +23,7 @@ handler:
|
|||||||
appConfig:
|
appConfig:
|
||||||
smtpPassword: {{ .Values.smtp.password | quote }}
|
smtpPassword: {{ .Values.smtp.password | quote }}
|
||||||
smtpHost: {{ .Values.smtp.host | quote }}
|
smtpHost: {{ .Values.smtp.host | quote }}
|
||||||
|
smtpPort: {{ .Values.smtp.port | quote }}
|
||||||
smtpUsername: {{ .Values.smtp.username | quote }}
|
smtpUsername: {{ .Values.smtp.username | quote }}
|
||||||
mailFrom: "noreply@{{ .Values.global.domain }}"
|
mailFrom: "noreply@{{ .Values.global.domain }}"
|
||||||
resources:
|
resources:
|
||||||
|
|||||||
@@ -33,7 +33,7 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "opendesk-nextcloud-bootstrap"
|
- name: "opendesk-nextcloud-bootstrap"
|
||||||
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
|
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
|
||||||
version: "3.2.3"
|
version: "3.2.4"
|
||||||
wait: true
|
wait: true
|
||||||
waitForJobs: true
|
waitForJobs: true
|
||||||
values:
|
values:
|
||||||
|
|||||||
@@ -44,6 +44,7 @@ config:
|
|||||||
|
|
||||||
smtp:
|
smtp:
|
||||||
host: {{ .Values.smtp.host | quote }}
|
host: {{ .Values.smtp.host | quote }}
|
||||||
|
port: {{ .Values.smtp.port | quote }}
|
||||||
username: {{ .Values.smtp.username | quote }}
|
username: {{ .Values.smtp.username | quote }}
|
||||||
password: {{ .Values.smtp.password | quote }}
|
password: {{ .Values.smtp.password | quote }}
|
||||||
|
|
||||||
|
|||||||
@@ -10,7 +10,22 @@ config:
|
|||||||
username: "phoenixusername"
|
username: "phoenixusername"
|
||||||
userOidc:
|
userOidc:
|
||||||
username: "ncoidc"
|
username: "ncoidc"
|
||||||
|
userIdAttribute: "entryuuid"
|
||||||
|
realm: "souvap"
|
||||||
|
|
||||||
cryptpad:
|
cryptpad:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
|
containerSecurityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
enabled: true
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsNonRoot: false
|
||||||
|
|
||||||
|
podSecurityContext:
|
||||||
|
enabled: true
|
||||||
|
fsGroup: 33
|
||||||
|
fsGroupChangePolicy: "Always"
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -20,6 +20,11 @@ cronjob:
|
|||||||
- >
|
- >
|
||||||
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
|
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
|
||||||
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
|
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
annotations:
|
annotations:
|
||||||
@@ -52,6 +57,20 @@ nextcloud:
|
|||||||
{
|
{
|
||||||
"drawio": ["application/x-drawio"]
|
"drawio": ["application/x-drawio"]
|
||||||
}
|
}
|
||||||
|
podSecurityContext:
|
||||||
|
fsGroup: 33
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
add:
|
||||||
|
- "NET_BIND_SERVICE"
|
||||||
|
- "SETGID"
|
||||||
|
- "SETUID"
|
||||||
|
|
||||||
# this is not documented but can be found in values.yaml
|
# this is not documented but can be found in values.yaml
|
||||||
service:
|
service:
|
||||||
|
|||||||
@@ -79,4 +79,7 @@ environment:
|
|||||||
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
|
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
|
||||||
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
||||||
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
|
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
|
||||||
|
# Define an admin mapping from the claim
|
||||||
|
# The attribute mapping cannot currently be defined in the value
|
||||||
|
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ postfix:
|
|||||||
- fileName: "sasl_passwd.map"
|
- fileName: "sasl_passwd.map"
|
||||||
content:
|
content:
|
||||||
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
|
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
|
||||||
relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
|
relayHost: {{ printf "[%s]:[%d]" .Values.smtp.host .Values.smtp.port | quote }}
|
||||||
relayNets: {{ .Values.cluster.networking.cidr | quote}}
|
relayNets: {{ .Values.cluster.networking.cidr | quote}}
|
||||||
virtualTransport: "lmtps:dovecot:24"
|
virtualTransport: "lmtps:dovecot:24"
|
||||||
smtpdSASLPath: "inet:dovecot:3659"
|
smtpdSASLPath: "inet:dovecot:3659"
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ job:
|
|||||||
- username: "matrix_user"
|
- username: "matrix_user"
|
||||||
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
|
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
|
||||||
- username: "notificationsapi_user"
|
- username: "notificationsapi_user"
|
||||||
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
|
password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
|
||||||
databases:
|
databases:
|
||||||
- name: "keycloak"
|
- name: "keycloak"
|
||||||
user: "keycloak_user"
|
user: "keycloak_user"
|
||||||
|
|||||||
@@ -22,9 +22,6 @@ repositories:
|
|||||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||||
|
|
||||||
releases:
|
releases:
|
||||||
# TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
|
|
||||||
# {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
|
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
# registryUrl=https://registry.souvap-univention.de
|
# registryUrl=https://registry.souvap-univention.de
|
||||||
# packageName=souvap/tooling/charts/bitnami-charts/nginx
|
# packageName=souvap/tooling/charts/bitnami-charts/nginx
|
||||||
@@ -35,8 +32,8 @@ releases:
|
|||||||
version: "15.3.5"
|
version: "15.3.5"
|
||||||
values:
|
values:
|
||||||
- "values-ums-stack-gateway.gotmpl"
|
- "values-ums-stack-gateway.gotmpl"
|
||||||
|
- "values-ums-stack-gateway.yaml"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
# {{- end }}
|
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
|
# registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
|
||||||
@@ -94,6 +91,7 @@ releases:
|
|||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
- "values-udm-rest-api.gotmpl"
|
- "values-udm-rest-api.gotmpl"
|
||||||
|
- "values-udm-rest-api.yaml"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -103,11 +101,12 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-stack-data-ums"
|
- name: "ums-stack-data-ums"
|
||||||
chart: "ums-repo/stack-data-ums"
|
chart: "ums-repo/stack-data-ums"
|
||||||
version: "0.33.0"
|
version: "0.36.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
- "values-stack-data-ums.gotmpl"
|
- "values-stack-data-ums.gotmpl"
|
||||||
|
- "values-stack-data-ums.yaml"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -117,11 +116,12 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-stack-data-swp"
|
- name: "ums-stack-data-swp"
|
||||||
chart: "ums-repo/stack-data-swp"
|
chart: "ums-repo/stack-data-swp"
|
||||||
version: "0.33.0"
|
version: "0.36.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
- "values-stack-data-swp.gotmpl"
|
- "values-stack-data-swp.gotmpl"
|
||||||
|
- "values-stack-data-swp.yaml"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -131,11 +131,12 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-portal-server"
|
- name: "ums-portal-server"
|
||||||
chart: "ums-repo/portal-server"
|
chart: "ums-repo/portal-server"
|
||||||
version: "0.4.3"
|
version: "0.5.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
- "values-portal-server.gotmpl"
|
- "values-portal-server.gotmpl"
|
||||||
|
- "values-portal-server.yaml"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -145,7 +146,7 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-notifications-api"
|
- name: "ums-notifications-api"
|
||||||
chart: "ums-repo/notifications-api"
|
chart: "ums-repo/notifications-api"
|
||||||
version: "0.4.3"
|
version: "0.5.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
@@ -160,7 +161,7 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-portal-listener"
|
- name: "ums-portal-listener"
|
||||||
chart: "ums-repo/portal-listener"
|
chart: "ums-repo/portal-listener"
|
||||||
version: "0.4.3"
|
version: "0.5.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
@@ -175,25 +176,12 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-portal-frontend"
|
- name: "ums-portal-frontend"
|
||||||
chart: "ums-repo/portal-frontend"
|
chart: "ums-repo/portal-frontend"
|
||||||
version: "0.4.3"
|
version: "0.5.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
- "values-portal-frontend.gotmpl"
|
- "values-portal-frontend.gotmpl"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
- "values-portal-frontend.yaml"
|
||||||
|
|
||||||
# renovate:
|
|
||||||
# registryUrl=https://registry.souvap-univention.de
|
|
||||||
# packageName=souvap/tooling/charts/bitnami-charts/nginx
|
|
||||||
# dataSource=docker
|
|
||||||
# dependencyType=vendor
|
|
||||||
- name: "ums-portal-frontend-custom"
|
|
||||||
# TODO: Replace with our own Nginx chart.
|
|
||||||
chart: "bitnami-repo/nginx"
|
|
||||||
version: "15.3.5"
|
|
||||||
values:
|
|
||||||
- "values-portal-frontend-custom.yaml"
|
|
||||||
- "values-portal-frontend-custom.gotmpl"
|
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -203,11 +191,12 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-umc-gateway"
|
- name: "ums-umc-gateway"
|
||||||
chart: "ums-repo/umc-gateway"
|
chart: "ums-repo/umc-gateway"
|
||||||
version: "0.5.1"
|
version: "0.6.1"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
- "values-umc-gateway.gotmpl"
|
- "values-umc-gateway.gotmpl"
|
||||||
|
- "values-umc-gateway.yaml"
|
||||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -217,7 +206,7 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-umc-server"
|
- name: "ums-umc-server"
|
||||||
chart: "ums-repo/umc-server"
|
chart: "ums-repo/umc-server"
|
||||||
version: "0.5.1"
|
version: "0.6.1"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
|
|||||||
@@ -4,11 +4,7 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
*/}}
|
*/}}
|
||||||
---
|
---
|
||||||
ingress:
|
ingress:
|
||||||
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
|
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||||
host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
|
||||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||||
tls:
|
|
||||||
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
|
|
||||||
enabled: false
|
|
||||||
secretName: ""
|
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -6,5 +6,18 @@ global:
|
|||||||
configMapUcr: "ums-stack-data-swp-ucr"
|
configMapUcr: "ums-stack-data-swp-ucr"
|
||||||
configMapUcrForced: null
|
configMapUcrForced: null
|
||||||
|
|
||||||
|
ingress:
|
||||||
|
# Intentionally not using the Ingress configuration of the UMS stack at the
|
||||||
|
# moment, since it does depend on rewriting capabilities of the ingress
|
||||||
|
# controller. Those are encapsulated into the release "stack-gateway" so that
|
||||||
|
# the compatibility with all ingress controllers is increased.
|
||||||
|
enabled: false
|
||||||
|
tls:
|
||||||
|
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
|
||||||
|
enabled: false
|
||||||
|
secretName: ""
|
||||||
|
|
||||||
istio:
|
istio:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
|
...
|
||||||
|
|||||||
@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
---
|
---
|
||||||
ldapServer:
|
ldapServer:
|
||||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||||
|
|
||||||
waitForSamlMetadata: true
|
|
||||||
|
|
||||||
# TODO: Certificates handling
|
|
||||||
# caCert: ""
|
|
||||||
# certPem: ""
|
|
||||||
# privateKey: ""
|
|
||||||
# dhParam: ""
|
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
@@ -26,12 +18,11 @@ image:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
waitForDependency:
|
waitForDependency:
|
||||||
registry: "{{ .Values.global.imageRegistry }}"
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
repository: "{{ .Values.images.umsWaitForDependency.repository }}"
|
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
|
||||||
imagePullPolicy: "Always"
|
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||||
tag: "{{ .Values.images.umsWaitForDependency.tag }}"
|
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
|
||||||
|
|
||||||
# TODO: Pending upstream support, #199
|
|
||||||
persistence:
|
persistence:
|
||||||
data:
|
data:
|
||||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||||
|
|||||||
@@ -2,6 +2,9 @@
|
|||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
---
|
---
|
||||||
|
|
||||||
|
ldapServer:
|
||||||
|
waitForSamlMetadata: true
|
||||||
|
|
||||||
service:
|
service:
|
||||||
type: "ClusterIP"
|
type: "ClusterIP"
|
||||||
|
|
||||||
|
|||||||
@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
postgresql:
|
postgresql:
|
||||||
bundled: false
|
bundled: false
|
||||||
connection:
|
connection:
|
||||||
host: "postgresql"
|
host: {{ .Values.databases.notificationsApi.host | quote }}
|
||||||
port: 5432
|
port: {{ .Values.databases.notificationsApi.port | quote }}
|
||||||
auth:
|
auth:
|
||||||
username: "notificationsapi_user"
|
username: {{ .Values.databases.notificationsApi.username | quote }}
|
||||||
database: "notificationsapi"
|
database: {{ .Values.databases.notificationsApi.name | quote }}
|
||||||
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
|
password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry }}
|
registry: {{ .Values.global.imageRegistry }}
|
||||||
|
|||||||
@@ -1,53 +0,0 @@
|
|||||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
|
||||||
---
|
|
||||||
|
|
||||||
ingress:
|
|
||||||
enabled: true
|
|
||||||
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
|
||||||
ingressClassName: "nginx"
|
|
||||||
annotations:
|
|
||||||
nginx.org/mergeable-ingress-type: "minion"
|
|
||||||
tls: false
|
|
||||||
|
|
||||||
pathType: Exact
|
|
||||||
path: /favicon.ico
|
|
||||||
|
|
||||||
extraPaths:
|
|
||||||
- pathType: Exact
|
|
||||||
path: /univention/portal/css/custom.css
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: ums-portal-frontend-custom-nginx
|
|
||||||
port:
|
|
||||||
name: http
|
|
||||||
- pathType: Exact
|
|
||||||
path: /univention/portal/icons/logo.svg
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: ums-portal-frontend-custom-nginx
|
|
||||||
port:
|
|
||||||
name: http
|
|
||||||
- pathType: Exact
|
|
||||||
path: /univention/portal/icons/logo_small_border.svg
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: ums-portal-frontend-custom-nginx
|
|
||||||
port:
|
|
||||||
name: http
|
|
||||||
- pathType: Exact
|
|
||||||
path: /univention/portal/custom/portal_background_image.png
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: ums-portal-frontend-custom-nginx
|
|
||||||
port:
|
|
||||||
name: http
|
|
||||||
- pathType: Exact
|
|
||||||
path: /univention/portal/custom/portal_background_image.svg
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: ums-portal-frontend-custom-nginx
|
|
||||||
port:
|
|
||||||
name: http
|
|
||||||
|
|
||||||
...
|
|
||||||
@@ -1,33 +0,0 @@
|
|||||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
|
||||||
---
|
|
||||||
|
|
||||||
service:
|
|
||||||
type: "ClusterIP"
|
|
||||||
|
|
||||||
extraVolumes:
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
configMap:
|
|
||||||
name: "ums-stack-data-swp-branding"
|
|
||||||
|
|
||||||
extraVolumeMounts:
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
mountPath: "/app/favicon.ico"
|
|
||||||
subPath: "favicon.ico"
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
mountPath: "/app/univention/portal/css/custom.css"
|
|
||||||
subPath: "custom.css"
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
mountPath: "/app/univention/portal/icons/logo.svg"
|
|
||||||
subPath: "logo.svg"
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
mountPath: "/app/univention/portal/icons/logo_small_border.svg"
|
|
||||||
subPath: "logo_small_border.svg"
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
mountPath: "/app/univention/portal/custom/portal_background_image.png"
|
|
||||||
subPath: "portal_background_image.png"
|
|
||||||
- name: "opendesk-branding"
|
|
||||||
mountPath: "/app/univention/portal/custom/portal_background_image.svg"
|
|
||||||
subPath: "portal_background_image.svg"
|
|
||||||
|
|
||||||
...
|
|
||||||
@@ -14,13 +14,7 @@ image:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
extraIngresses:
|
extraIngresses:
|
||||||
redirects:
|
|
||||||
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
|
|
||||||
# The TLS configuration is on the "master" Ingress, see below.
|
|
||||||
tls:
|
|
||||||
enabled: false
|
|
||||||
master:
|
master:
|
||||||
enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
|
|
||||||
tls:
|
tls:
|
||||||
enabled: {{ .Values.ingress.tls.enabled }}
|
enabled: {{ .Values.ingress.tls.enabled }}
|
||||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||||
|
|||||||
@@ -0,0 +1,73 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
|
||||||
|
extraIngresses:
|
||||||
|
redirects:
|
||||||
|
# Using "stack-gateway" currently.
|
||||||
|
enabled: false
|
||||||
|
# The TLS configuration is on the "master" Ingress, see below.
|
||||||
|
tls:
|
||||||
|
enabled: false
|
||||||
|
master:
|
||||||
|
# Using "stack-gateway" currently.
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# See "extraVolumeMounts" below
|
||||||
|
custom-favicon:
|
||||||
|
# Using "stack-gateway" at the moment
|
||||||
|
enabled: false
|
||||||
|
annotations:
|
||||||
|
nginx.org/mergeable-ingress-type: "minion"
|
||||||
|
paths:
|
||||||
|
- pathType: "Exact"
|
||||||
|
path: "/favicon.ico"
|
||||||
|
tls: {}
|
||||||
|
|
||||||
|
# See "extraVolumeMounts" below
|
||||||
|
custom-branding:
|
||||||
|
# Using "stack-gateway" at the moment
|
||||||
|
enabled: false
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
nginx.org/location-snippets: |
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
nginx.org/mergeable-ingress-type: "minion"
|
||||||
|
paths:
|
||||||
|
# This relies on the correct implementation of the matching for paths of
|
||||||
|
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
|
||||||
|
# store-dav.
|
||||||
|
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
|
||||||
|
- pathType: "Prefix"
|
||||||
|
path: "/univention/portal/icons/"
|
||||||
|
- pathType: "Prefix"
|
||||||
|
path: "/univention/portal/custom/"
|
||||||
|
tls: {}
|
||||||
|
|
||||||
|
extraVolumes:
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
configMap:
|
||||||
|
name: "ums-stack-data-swp-branding"
|
||||||
|
|
||||||
|
extraVolumeMounts:
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
mountPath: "/var/www/html/favicon.ico"
|
||||||
|
subPath: "favicon.ico"
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
mountPath: "/var/www/html/css/custom.css"
|
||||||
|
subPath: "custom.css"
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
mountPath: "/var/www/html/icons/logo.svg"
|
||||||
|
subPath: "logo.svg"
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
mountPath: "/var/www/html/icons/logo_small_border.svg"
|
||||||
|
subPath: "logo_small_border.svg"
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
mountPath: "/var/www/html/custom/portal_background_image.png"
|
||||||
|
subPath: "portal_background_image.png"
|
||||||
|
- name: "opendesk-branding"
|
||||||
|
mountPath: "/var/www/html/custom/portal_background_image.svg"
|
||||||
|
subPath: "portal_background_image.svg"
|
||||||
|
|
||||||
|
...
|
||||||
@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
*/}}
|
*/}}
|
||||||
---
|
---
|
||||||
portalListener:
|
portalListener:
|
||||||
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
|
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
|
||||||
environment: "staging"
|
assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
|
||||||
debugLevel: "4"
|
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data/" | quote }}
|
||||||
assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
|
|
||||||
ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
|
|
||||||
umcGetUrl: "http://ums-umc-server/get"
|
|
||||||
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
|
||||||
|
|
||||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||||
ldapHost: "{{ .Values.ldap.host }}"
|
ldapHost: {{ .Values.ldap.host | quote }}
|
||||||
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
|
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
|
||||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||||
notifierServer: {{ .Values.ldap.notifierHost | quote }}
|
notifierServer: {{ .Values.ldap.notifierHost | quote }}
|
||||||
portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
|
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
|
||||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||||
udmApiUsername: "cn=admin"
|
udmApiUsername: "cn=admin"
|
||||||
|
|
||||||
tlsMode: "off"
|
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
@@ -37,10 +32,9 @@ image:
|
|||||||
waitForDependency:
|
waitForDependency:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
|
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
|
||||||
imagePullPolicy: "Always"
|
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||||
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
|
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
|
||||||
|
|
||||||
# TODO: Pending upstream support, #200
|
|
||||||
persistence:
|
persistence:
|
||||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||||
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
|
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
|
||||||
|
|||||||
@@ -2,6 +2,14 @@
|
|||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
---
|
---
|
||||||
|
|
||||||
|
portalListener:
|
||||||
|
debugLevel: "4"
|
||||||
|
tlsMode: "off"
|
||||||
|
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||||
|
udmApiUsername: "cn=admin"
|
||||||
|
umcGetUrl: "http://ums-umc-server/get"
|
||||||
|
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
||||||
|
|
||||||
store-dav:
|
store-dav:
|
||||||
bundled: false
|
bundled: false
|
||||||
|
|
||||||
|
|||||||
@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
*/}}
|
*/}}
|
||||||
---
|
---
|
||||||
portalServer:
|
portalServer:
|
||||||
adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
|
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
|
||||||
authMode: "saml"
|
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
|
||||||
environment: "staging"
|
|
||||||
editable: "false"
|
|
||||||
logLevel: "DEBUG"
|
|
||||||
ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
|
|
||||||
umcGetUrl: "http://ums-umc-server/get"
|
|
||||||
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
|
||||||
centralNavigation:
|
centralNavigation:
|
||||||
enabled: true
|
|
||||||
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||||
|
|
||||||
image:
|
image:
|
||||||
|
|||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
|
||||||
|
portalServer:
|
||||||
|
authMode: "saml"
|
||||||
|
editable: "false"
|
||||||
|
logLevel: "DEBUG"
|
||||||
|
umcGetUrl: "http://ums-umc-server/get"
|
||||||
|
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
||||||
|
centralNavigation:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
...
|
||||||
@@ -4,31 +4,29 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
*/}}
|
*/}}
|
||||||
---
|
---
|
||||||
stackDataSwp:
|
stackDataSwp:
|
||||||
udmApiUser: "cn=admin"
|
|
||||||
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
|
||||||
loadDevData: true
|
|
||||||
|
|
||||||
stackDataContext:
|
stackDataContext:
|
||||||
ldapBase: "dc=swp-ldap,dc=internal"
|
|
||||||
ldapSearchUsers:
|
ldapSearchUsers:
|
||||||
{{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
|
{{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }}
|
||||||
- username: {{ printf "ldapsearch_%s" $k | quote }}
|
- username: {{ printf "ldapsearch_%s" $username | quote }}
|
||||||
password: {{ $v | quote }}
|
password: {{ $password | quote }}
|
||||||
lastname: {{ "LDAP-Search-User" }}
|
lastname: "LDAP-Search-User"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
externalDomainName: "{{ .Values.global.domain }}"
|
externalDomainName: {{ .Values.global.domain | quote }}
|
||||||
externalMailDomain: "{{ .Values.global.domain }}"
|
externalMailDomain: {{ .Values.global.domain | quote }}
|
||||||
|
|
||||||
portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
|
||||||
portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
|
||||||
portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
|
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
|
||||||
portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
|
||||||
portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
|
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
|
||||||
portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
|
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
|
||||||
|
|
||||||
oxDefaultContext: "10"
|
smtpHost: {{ .Values.smtp.host | quote }}
|
||||||
|
smtpPort: {{ .Values.smtp.port | quote }}
|
||||||
|
smtpUser: {{ .Values.smtp.username | quote }}
|
||||||
|
|
||||||
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
|
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
|
||||||
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
||||||
|
|||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
stackDataSwp:
|
||||||
|
udmApiUser: "cn=admin"
|
||||||
|
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||||
|
loadDevData: true
|
||||||
|
|
||||||
|
stackDataContext:
|
||||||
|
ldapBase: "dc=swp-ldap,dc=internal"
|
||||||
|
oxDefaultContext: "10"
|
||||||
|
smtpStartTls: true
|
||||||
|
|
||||||
|
...
|
||||||
@@ -4,32 +4,22 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
*/}}
|
*/}}
|
||||||
---
|
---
|
||||||
stackDataUms:
|
stackDataUms:
|
||||||
udmApiUser: "cn=admin"
|
|
||||||
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
|
||||||
loadDevData: true
|
|
||||||
|
|
||||||
stackDataContext:
|
stackDataContext:
|
||||||
domainname: "{{ .Values.global.domain }}"
|
domainname: {{ .Values.global.domain | quote }}
|
||||||
externalMailDomain: "{{ .Values.global.domain }}"
|
externalMailDomain: {{ .Values.global.domain | quote }}
|
||||||
hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
|
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
|
||||||
ldapHost: "{{ .Values.ldap.host }}"
|
ldapHost: {{ .Values.ldap.host | quote }}
|
||||||
ldapBase: "dc=swp-ldap,dc=internal"
|
ldapBase: {{ .Values.ldap.baseDn | quote }}
|
||||||
# TODO: This should not be required, the machine account is not there
|
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
|
||||||
# ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
|
|
||||||
ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
|
|
||||||
|
|
||||||
idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
|
idpSamlMetadataUrl: {{ printf "https://%s.%s%s" .Values.global.hosts.keycloak .Values.global.domain "/realms/souvap/protocol/saml/descriptor" | quote }}
|
||||||
idpSamlMetadataUrlInternal: null
|
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||||
umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
|
||||||
umcSamlSchemes: "https"
|
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
|
||||||
idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
|
|
||||||
ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
|
|
||||||
|
|
||||||
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
|
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
|
||||||
|
|
||||||
# The SWP configuration brings its own UMC policies.
|
|
||||||
installUmcPolicies: false
|
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
|
|||||||
@@ -0,0 +1,15 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
stackDataUms:
|
||||||
|
loadDevData: true
|
||||||
|
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||||
|
udmApiUser: "cn=admin"
|
||||||
|
|
||||||
|
stackDataContext:
|
||||||
|
idpSamlMetadataUrlInternal: null
|
||||||
|
umcSamlSchemes: "https"
|
||||||
|
# The openDesk configuration brings its own UMC policies.
|
||||||
|
installUmcPolicies: false
|
||||||
|
|
||||||
|
...
|
||||||
@@ -21,7 +21,6 @@ image:
|
|||||||
configHtpasswd:
|
configHtpasswd:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
|
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
|
||||||
pullPolicy: "Always"
|
|
||||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||||
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
|
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
|
||||||
pullSecrets:
|
pullSecrets:
|
||||||
@@ -29,7 +28,6 @@ image:
|
|||||||
- name: {{ . | quote }}
|
- name: {{ . | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
# TODO: Pending upstream support, #201
|
|
||||||
persistence:
|
persistence:
|
||||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||||
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
|
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
|
||||||
|
|||||||
@@ -7,12 +7,7 @@ udmRestApi:
|
|||||||
# TODO: Secret should be entered without b64enc
|
# TODO: Secret should be entered without b64enc
|
||||||
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||||
# TODO: Secret should be entered without b64enc
|
# TODO: Secret should be entered without b64enc
|
||||||
machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
|
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||||
# TODO: Stub value currently
|
|
||||||
caCert: ""
|
|
||||||
# TODO: This should not be part of the udm-rest-api anymore
|
|
||||||
loadJoinData:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
|
|||||||
@@ -0,0 +1,21 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
udmRestApi:
|
||||||
|
# TODO: Stub value currently
|
||||||
|
caCert: ""
|
||||||
|
|
||||||
|
extraVolumes:
|
||||||
|
- name: "attribute-to-group-mapper-hook"
|
||||||
|
configMap:
|
||||||
|
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
|
||||||
|
|
||||||
|
extraVolumeMounts:
|
||||||
|
- name: "attribute-to-group-mapper-hook"
|
||||||
|
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
|
||||||
|
subPath: "AttributeToGroupMapper.py"
|
||||||
|
- name: "attribute-to-group-mapper-hook"
|
||||||
|
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
|
||||||
|
subPath: "flag_to_group_mapping.json"
|
||||||
|
|
||||||
|
...
|
||||||
@@ -3,19 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
|
|||||||
SPDX-License-Identifier: Apache-2.0
|
SPDX-License-Identifier: Apache-2.0
|
||||||
*/}}
|
*/}}
|
||||||
---
|
---
|
||||||
umcGateway:
|
|
||||||
|
|
||||||
extraVolumes:
|
|
||||||
- name: "entrypoint-swp-patches"
|
|
||||||
configMap:
|
|
||||||
name: "ums-stack-data-swp-umc-gateway-entrypoint"
|
|
||||||
defaultMode: 0555
|
|
||||||
|
|
||||||
extraVolumeMounts:
|
|
||||||
- name: "entrypoint-swp-patches"
|
|
||||||
mountPath: "/entrypoint.d/90-swp.sh"
|
|
||||||
subPath: "90-swp.sh"
|
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
|
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
|
||||||
|
|||||||
@@ -0,0 +1,23 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
extraVolumes:
|
||||||
|
- name: "entrypoint-swp-patches"
|
||||||
|
configMap:
|
||||||
|
name: "ums-stack-data-swp-umc-gateway-entrypoint"
|
||||||
|
defaultMode: 0555
|
||||||
|
- name: "announcements-customization"
|
||||||
|
configMap:
|
||||||
|
name: "ums-stack-data-swp-umc-server-announcements"
|
||||||
|
defaultMode: 0444
|
||||||
|
|
||||||
|
extraVolumeMounts:
|
||||||
|
- name: "entrypoint-swp-patches"
|
||||||
|
mountPath: "/entrypoint.d/90-swp.sh"
|
||||||
|
subPath: "90-swp.sh"
|
||||||
|
- name: "announcements-customization"
|
||||||
|
mountPath:
|
||||||
|
"/usr/share/univention-management-console-frontend/js/dijit/themes\
|
||||||
|
/umc/icons/16x16/udm-portals-announcement.png"
|
||||||
|
subPath: "udm-portals-announcement.png"
|
||||||
|
...
|
||||||
@@ -9,6 +9,8 @@ umcServer:
|
|||||||
# TODO: Secret should be entered without b64enc
|
# TODO: Secret should be entered without b64enc
|
||||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
|
||||||
|
|
||||||
|
smtpSecret: {{ .Values.smtp.password | quote }}
|
||||||
|
|
||||||
image:
|
image:
|
||||||
registry: {{ .Values.global.imageRegistry | quote }}
|
registry: {{ .Values.global.imageRegistry | quote }}
|
||||||
repository: {{ .Values.images.umsUmcServer.repository | quote }}
|
repository: {{ .Values.images.umsUmcServer.repository | quote }}
|
||||||
|
|||||||
@@ -17,6 +17,13 @@ extraVolumes:
|
|||||||
configMap:
|
configMap:
|
||||||
name: "ums-stack-data-swp-self-service-emails"
|
name: "ums-stack-data-swp-self-service-emails"
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
- name: "attribute-to-group-mapper-hook"
|
||||||
|
configMap:
|
||||||
|
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
|
||||||
|
- name: "announcements-customization"
|
||||||
|
configMap:
|
||||||
|
name: "ums-stack-data-swp-umc-server-announcements"
|
||||||
|
defaultMode: 0444
|
||||||
|
|
||||||
extraVolumeMounts:
|
extraVolumeMounts:
|
||||||
- name: "certificates"
|
- name: "certificates"
|
||||||
@@ -26,5 +33,21 @@ extraVolumeMounts:
|
|||||||
subPath: "90-customization.sh"
|
subPath: "90-customization.sh"
|
||||||
- name: "self-service-emails"
|
- name: "self-service-emails"
|
||||||
mountPath: "/usr/share/univention-self-service/email_bodies"
|
mountPath: "/usr/share/univention-self-service/email_bodies"
|
||||||
|
- name: "attribute-to-group-mapper-hook"
|
||||||
|
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
|
||||||
|
subPath: "AttributeToGroupMapper.py"
|
||||||
|
- name: "attribute-to-group-mapper-hook"
|
||||||
|
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
|
||||||
|
subPath: "flag_to_group_mapping.json"
|
||||||
|
- name: "announcements-customization"
|
||||||
|
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
|
||||||
|
subPath: "udm-portals-announcement.xml"
|
||||||
|
|
||||||
|
memcached:
|
||||||
|
bundled: false
|
||||||
|
server: "memcached"
|
||||||
|
auth:
|
||||||
|
username: null
|
||||||
|
password: null
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -3,171 +3,10 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
enabled: true
|
enabled: {{ .Values.ingress.enabled }}
|
||||||
hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||||
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
|
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||||
tls: false
|
|
||||||
extraTls:
|
extraTls:
|
||||||
- hosts:
|
- hosts:
|
||||||
- "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||||
|
|
||||||
service:
|
|
||||||
type: "ClusterIP"
|
|
||||||
|
|
||||||
# The content of the "serverBlock" does resemble the Ingress configuration of
|
|
||||||
# the UMS components. The "location" entries do intentionally reflect precisely
|
|
||||||
# the respective paths which are configured.
|
|
||||||
serverBlock: |
|
|
||||||
server {
|
|
||||||
listen 8080;
|
|
||||||
|
|
||||||
## portal-frontend
|
|
||||||
# The frontend does not own "/univention/portal", only these two bits
|
|
||||||
location = /univention/portal/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80/;
|
|
||||||
}
|
|
||||||
location = /univention/portal/index.html {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80/;
|
|
||||||
}
|
|
||||||
|
|
||||||
# The following prefixes are owned by the frontend
|
|
||||||
location /univention/portal/css/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80;
|
|
||||||
}
|
|
||||||
location /univention/portal/fonts/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80;
|
|
||||||
}
|
|
||||||
location /univention/portal/i18n/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80;
|
|
||||||
}
|
|
||||||
location /univention/portal/media/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80;
|
|
||||||
}
|
|
||||||
location /univention/portal/js/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80;
|
|
||||||
}
|
|
||||||
location /univention/portal/oidc/ {
|
|
||||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-portal-frontend:80;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## frontend redirects
|
|
||||||
|
|
||||||
location = / {
|
|
||||||
absolute_redirect off;
|
|
||||||
return 302 /univention/portal/;
|
|
||||||
}
|
|
||||||
location = /univention {
|
|
||||||
absolute_redirect off;
|
|
||||||
return 302 /univention/portal/;
|
|
||||||
}
|
|
||||||
location = /univention/ {
|
|
||||||
absolute_redirect off;
|
|
||||||
return 302 /univention/portal/;
|
|
||||||
}
|
|
||||||
location = /univention/portal {
|
|
||||||
absolute_redirect off;
|
|
||||||
return 302 /univention/portal/;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## portal-server
|
|
||||||
location = /univention/portal/portal.json {
|
|
||||||
proxy_pass http://ums-portal-server:80;
|
|
||||||
}
|
|
||||||
location = /univention/portal/navigation.json {
|
|
||||||
proxy_pass http://ums-portal-server:80;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## store-dav
|
|
||||||
location /univention/portal/icons/entries/ {
|
|
||||||
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
|
|
||||||
proxy_pass http://ums-store-dav:80;
|
|
||||||
}
|
|
||||||
location /univention/portal/icons/logos/ {
|
|
||||||
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
|
|
||||||
proxy_pass http://ums-store-dav:80;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## udm-rest-api
|
|
||||||
location /univention/udm/ {
|
|
||||||
rewrite ^/univention(/udm/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-udm-rest-api:80;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## umc-gateway
|
|
||||||
location = /univention/languages.json {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
location = /univention/meta.json {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
location = /univention/theme.css {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
location /univention/js/ {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
location /univention/login/ {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
location /univention/management/ {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
location /univention/themes/ {
|
|
||||||
proxy_pass http://ums-umc-gateway:80;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## umc-server
|
|
||||||
location = /univention/auth {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
location /univention/logout/ {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
location /univention/saml/ {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
location /univention/get/ {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
location /univention/set/ {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
location /univention/command/ {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
location /univention/upload/ {
|
|
||||||
rewrite ^/univention(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-umc-server:80;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## notifications-api
|
|
||||||
|
|
||||||
location /univention/portal/notifications-api/ {
|
|
||||||
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
|
|
||||||
proxy_pass http://ums-notifications-api:80;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|||||||
@@ -0,0 +1,177 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
ingress:
|
||||||
|
tls: false
|
||||||
|
|
||||||
|
service:
|
||||||
|
type: "ClusterIP"
|
||||||
|
|
||||||
|
# The content of the "serverBlock" does resemble the Ingress configuration of
|
||||||
|
# the UMS components. The "location" entries do intentionally reflect precisely
|
||||||
|
# the respective paths which are configured.
|
||||||
|
serverBlock: |
|
||||||
|
server {
|
||||||
|
listen 8080;
|
||||||
|
|
||||||
|
## portal-frontend
|
||||||
|
# The frontend does not own "/univention/portal", only these two bits
|
||||||
|
location = /univention/portal/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80/;
|
||||||
|
}
|
||||||
|
location = /univention/portal/index.html {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80/;
|
||||||
|
}
|
||||||
|
|
||||||
|
# The following prefixes are owned by the frontend
|
||||||
|
location /univention/portal/css/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80;
|
||||||
|
}
|
||||||
|
location /univention/portal/fonts/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80;
|
||||||
|
}
|
||||||
|
location /univention/portal/i18n/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80;
|
||||||
|
}
|
||||||
|
location /univention/portal/media/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80;
|
||||||
|
}
|
||||||
|
location /univention/portal/js/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80;
|
||||||
|
}
|
||||||
|
location /univention/portal/oidc/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## frontend redirects
|
||||||
|
location = / {
|
||||||
|
absolute_redirect off;
|
||||||
|
return 302 /univention/portal/;
|
||||||
|
}
|
||||||
|
location = /univention {
|
||||||
|
absolute_redirect off;
|
||||||
|
return 302 /univention/portal/;
|
||||||
|
}
|
||||||
|
location = /univention/ {
|
||||||
|
absolute_redirect off;
|
||||||
|
return 302 /univention/portal/;
|
||||||
|
}
|
||||||
|
location = /univention/portal {
|
||||||
|
absolute_redirect off;
|
||||||
|
return 302 /univention/portal/;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## portal-server
|
||||||
|
location = /univention/portal/portal.json {
|
||||||
|
proxy_pass http://ums-portal-server:80;
|
||||||
|
}
|
||||||
|
location = /univention/portal/navigation.json {
|
||||||
|
proxy_pass http://ums-portal-server:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## store-dav
|
||||||
|
location /univention/portal/icons/entries/ {
|
||||||
|
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
|
||||||
|
proxy_pass http://ums-store-dav:80;
|
||||||
|
}
|
||||||
|
location /univention/portal/icons/logos/ {
|
||||||
|
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
|
||||||
|
proxy_pass http://ums-store-dav:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## udm-rest-api
|
||||||
|
location /univention/udm/ {
|
||||||
|
rewrite ^/univention(/udm/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-udm-rest-api:80;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## umc-gateway
|
||||||
|
location = /univention/languages.json {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
location = /univention/meta.json {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
location = /univention/theme.css {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
location /univention/js/ {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
location /univention/login/ {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
location /univention/management/ {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
location /univention/themes/ {
|
||||||
|
proxy_pass http://ums-umc-gateway:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## umc-server
|
||||||
|
location = /univention/auth {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
location /univention/logout/ {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
location /univention/saml/ {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
location /univention/get/ {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
location /univention/set/ {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
location /univention/command/ {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
location /univention/upload/ {
|
||||||
|
rewrite ^/univention(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-umc-server:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## notifications-api
|
||||||
|
location /univention/portal/notifications-api/ {
|
||||||
|
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-notifications-api:80;
|
||||||
|
}
|
||||||
|
|
||||||
|
## openDesk branding
|
||||||
|
location = /favicon.ico {
|
||||||
|
proxy_pass http://ums-portal-frontend:80/;
|
||||||
|
}
|
||||||
|
location /univention/portal/custom/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80/;
|
||||||
|
}
|
||||||
|
location /univention/portal/icons/ {
|
||||||
|
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||||
|
proxy_pass http://ums-portal-frontend:80/;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
...
|
||||||
@@ -2,7 +2,14 @@
|
|||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
---
|
---
|
||||||
containerSecurityContext:
|
containerSecurityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
enabled: true
|
enabled: true
|
||||||
|
runAsUser: 100
|
||||||
|
runAsGroup: 101
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
|
||||||
customConfigs:
|
customConfigs:
|
||||||
xwiki.cfg:
|
xwiki.cfg:
|
||||||
@@ -87,6 +94,9 @@ properties:
|
|||||||
|
|
||||||
securityContext:
|
securityContext:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
fsGroup: 101
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
service:
|
service:
|
||||||
externalPort: 80
|
externalPort: 80
|
||||||
|
|||||||
@@ -7,4 +7,5 @@ SPDX-License-Identifier: Apache-2.0
|
|||||||
ldap:
|
ldap:
|
||||||
host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
|
host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
|
||||||
notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
|
notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
|
||||||
|
baseDn: "dc=swp-ldap,dc=internal"
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -19,6 +19,12 @@ databases:
|
|||||||
host: "mariadb"
|
host: "mariadb"
|
||||||
username: "nextcloud_user"
|
username: "nextcloud_user"
|
||||||
password: ""
|
password: ""
|
||||||
|
notificationsApi:
|
||||||
|
name: "notificationsapi"
|
||||||
|
host: "postgresql"
|
||||||
|
port: 5432
|
||||||
|
username: "notificationsapi_user"
|
||||||
|
password: ""
|
||||||
openproject:
|
openproject:
|
||||||
name: "openproject"
|
name: "openproject"
|
||||||
host: "postgresql"
|
host: "postgresql"
|
||||||
|
|||||||
@@ -219,7 +219,7 @@ images:
|
|||||||
# registryUrl=https://docker.io
|
# registryUrl=https://docker.io
|
||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
repository: "openproject/open_desk"
|
repository: "openproject/open_desk"
|
||||||
tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
|
tag: "dev@sha256:3c9d110c0221621530a431b5899ba16956db8253f491a55a220ec642473cb61f"
|
||||||
# @supplier: "OpenProject"
|
# @supplier: "OpenProject"
|
||||||
openprojectInitDb:
|
openprojectInitDb:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -396,7 +396,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/config-htpasswd"
|
repository: "souvap/tooling/images/univention/config-htpasswd"
|
||||||
tag: "0.5.2@sha256:b63887af87ed4c496688d422a8881e806de4a2364eb07c7e24bb1635b539e7f3"
|
tag: "0.5.2@sha256:c8627e0b73ee1d92f74d2ae8b06e4593ac93b6bbde55d56d0497f3510912924c"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsDataLoader:
|
umsDataLoader:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -404,7 +404,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/data-loader"
|
repository: "souvap/tooling/images/univention/data-loader"
|
||||||
tag: "0.33.0@sha256:2e9baf28cfe3eb6c740ce604d60ebc1ee6b3e0e2e8741730716a1c7375046039"
|
tag: "0.36.0@sha256:045e0e524cbdc93e174ce803a12e67dbb341211f3abbc0029200ee638a0a1eb7"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsLdapNotifier:
|
umsLdapNotifier:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -412,7 +412,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/ldap-notifier"
|
repository: "souvap/tooling/images/univention/ldap-notifier"
|
||||||
tag: "0.7.0@sha256:c5bd680dc85990aec2c3dde14f8e6b72f5a5d2d3c648bc434c57117836464faf"
|
tag: "0.7.0@sha256:ae9acf8f1a5e28645edea62a25040b6dd77bb1c8773964f0cb0e885397586bbe"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsLdapServer:
|
umsLdapServer:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -420,7 +420,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/ldap-server"
|
repository: "souvap/tooling/images/univention/ldap-server"
|
||||||
tag: "0.7.0@sha256:a87b615fc97c574316f41e1e6dc9bef41d80583ba450aece9d9830bab4d5a09a"
|
tag: "0.7.0@sha256:a637f8d11c3a17d18b8f4dfce252fd55150188ea16ed3b1605a779b7ff535f3e"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsNotificationsApi:
|
umsNotificationsApi:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -428,7 +428,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/notifications-api"
|
repository: "souvap/tooling/images/univention/notifications-api"
|
||||||
tag: "0.4.4@sha256:630905fd503ea5f4b17ccd4adccd68c20b85405a7372e7c71ac2c88aa6e1e47c"
|
tag: "0.5.2@sha256:192f0ebb77ec6191d1df1edb2427739c4a69a3733c7d423f55045db5b9209c64"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsPortalListener:
|
umsPortalListener:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -436,7 +436,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/portal-listener"
|
repository: "souvap/tooling/images/univention/portal-listener"
|
||||||
tag: "0.4.4@sha256:689065bad9ab735be1cfd12e519934616e8c049afee4f78c46b630ab7c1a7aef"
|
tag: "0.5.2@sha256:a1834a98cf4f4686a74077cb6c2b094429a49875d05801745de7ee13eee38a07"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsPortalFrontend:
|
umsPortalFrontend:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -444,7 +444,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/portal-frontend"
|
repository: "souvap/tooling/images/univention/portal-frontend"
|
||||||
tag: "0.4.4@sha256:b8955718ad4d2c973b4c1ee80867ac47c2d90e422234c7a2401b13ed606fd4d4"
|
tag: "0.5.2@sha256:aca1d481e23cbba7a33d5f261be6196690a6b7f1e593f7ff96fc6f22edab2c6b"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsPortalServer:
|
umsPortalServer:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -452,7 +452,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/portal-server"
|
repository: "souvap/tooling/images/univention/portal-server"
|
||||||
tag: "0.4.4@sha256:21d279ede3a7cbdaf3a5c4e83375bb389785db4f2569cfaf8362896a9b30e287"
|
tag: "0.5.2@sha256:ed982e41ac5b0b81946272acf00f76463901da4f4b3ad50282ec4c73fd4b5833"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsWaitForDependency:
|
umsWaitForDependency:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -460,7 +460,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/wait-for-dependency"
|
repository: "souvap/tooling/images/univention/wait-for-dependency"
|
||||||
tag: "0.4.3@sha256:ff4b7f762860baa1415cfe9a24131cb28c2660a14058ca8a1e7a697468f72d69"
|
tag: "0.5.0@sha256:78cfcc52b81f620374c4b827f0055be5339a7dd469d9b8df67e3bed547abd6bc"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsStoreDav:
|
umsStoreDav:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -468,7 +468,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/store-dav"
|
repository: "souvap/tooling/images/univention/store-dav"
|
||||||
tag: "0.5.2@sha256:a3cbb1df2024edf58aea029a280f660bcd2fb8e684eed638901f5d7cbf9db467"
|
tag: "0.5.2@sha256:1bc01b883a5ccd2612925e123da10f9d216389701d743f1cea4050633770639f"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsUdmRestApi:
|
umsUdmRestApi:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -484,7 +484,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/umc-gateway"
|
repository: "souvap/tooling/images/univention/umc-gateway"
|
||||||
tag: "0.5.1@sha256:9937efd54020e0782a26a1670d0cb8b29edbc802b1fd9eed5e308a594d4ce010"
|
tag: "0.6.1@sha256:e023c6b4a66eb80dc165310aff9b869cf35c102196514741676a9dba68cfae89"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
umsUmcServer:
|
umsUmcServer:
|
||||||
# renovate:
|
# renovate:
|
||||||
@@ -492,7 +492,7 @@ images:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
# This is a preview and not part of the standard deployment.
|
# This is a preview and not part of the standard deployment.
|
||||||
repository: "souvap/tooling/images/univention/umc-server"
|
repository: "souvap/tooling/images/univention/umc-server"
|
||||||
tag: "0.5.1@sha256:cfb626f8d0a949ce0ed36d7e01791006eae24d984573dfa3ed3f031808437da3"
|
tag: "0.6.1@sha256:9fc3ad7c45c436698223fe3219c314420b4687c9c694f5d255612beb51df9347"
|
||||||
# @supplier: "Univention"
|
# @supplier: "Univention"
|
||||||
wellKnown:
|
wellKnown:
|
||||||
# renovate:
|
# renovate:
|
||||||
|
|||||||
@@ -38,7 +38,7 @@ secrets:
|
|||||||
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
|
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
|
||||||
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
|
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
|
||||||
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
|
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
|
||||||
notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
|
notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
|
||||||
mariadb:
|
mariadb:
|
||||||
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
|
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
|
||||||
xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
|
xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
|
||||||
|
|||||||
Reference in New Issue
Block a user