mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 23:41:43 +01:00
Compare commits
17 Commits
| Author | SHA1 | Date |
|---|---|---|
| | 729a1ea849 | |
| | 3b5493d78d | |
| | 6711791009 | |
| | c41643ee3e | |
| | 2628a0e13e | |
| | c8bc8b3172 | |
| | 24812b667c | |
| | bec9a2d46b | |
| | 05cc82d7c5 | |
| | 82be996d97 | |
| | d367739248 | |
| | ef870ae385 | |
| | 466e741494 | |
| | 00fafb6a1b | |
| | 6d3e484855 | |
| | 845a0a3189 | |
| | 519db51be2 | |
47
CHANGELOG.md
@@ -1,3 +1,50 @@
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
### Bug Fixes
* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
### Bug Fixes
* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
### Bug Fixes
* **helmfile:** Using correct private registry for postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
### Bug Fixes
* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
### Bug Fixes
* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
### Bug Fixes
* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
|
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
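Review bot: the 0.5.56 entry "Raise treshold for login rate limit" (466e741) records a deliberate loosening of Synapse's login rate limiting, but it is filed under Bug Fixes with no pointer to docs/security.md, and the 0.5.58 NetworkPolicy/Otterize entries and the 0.5.54 security-context entry are features rather than fixes. Suggest a one-line note (here or in docs/security.md) stating the new rc_login values and why they were raised, so the posture change is visible at release-note level; the typo "treshold" comes from the commit subject itself.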
11
README.md
@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
|
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
It features:
|
It features:
|
||||||
- Fully integrated Identity Management (Univention, Keycloak)
|
- Fully integrated Identity Management (Univention)
|
||||||
- File storage (Nextcloud)
|
- File storage (Nextcloud)
|
||||||
- Weboffice (Collabora)
|
- Weboffice (Collabora)
|
||||||
- Videoconference (Jitsi)
|
- Videoconference (Nordeck w/ Jitsi)
|
||||||
- Encrypted Chat (Synapse, Element)
|
- Chat and Collaboration (Element w/ Nordeck)
|
||||||
- Groupware (OX Appsuite)
|
- Groupware (OX Appsuite)
|
||||||
- Wiki (XWiki)
|
- Wiki (XWiki)
|
||||||
- Notes and Diagrams (Cryptpad, Draw.io)
|
- Project Management (OpenProject)
- Notes and Diagrams (Cryptpad)
openDesk integrates these components and is working towards a seamless user experience.
|
openDesk integrates these components and is working towards a seamless user experience.
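Review bot: Keycloak is dropped from the "Fully integrated Identity Management" line although the rest of this change set still ships Keycloak (see the Keycloak rows in the docs/security.md table and the keycloak-bootstrap annotation further down), and "Encrypted Chat (Synapse, Element)" becomes "Chat and Collaboration (Element w/ Nordeck)", which silently removes the encryption claim. If both are intentional, say so in the commit message; otherwise keep Keycloak in the list and keep "Encrypted" as long as end-to-end encryption remains the default.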
@@ -40,7 +41,7 @@ Basic knowledge of Kubernetes and Devops is required though.
# Active development notice
|
# Active development notice
|
||||||
openDesk will face breaking changes in the near future without upgrade paths before
|
openDesk will face breaking changes in the near future without upgrade paths before
|
||||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases
|
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||||
v1.0.0 is reached.
|
v1.0.0 is reached.
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
|
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
@@ -9,6 +9,7 @@ This document will cover the additional configuration to use external services l
<!-- TOC -->
|
<!-- TOC -->
|
||||||
* [Database](#database)
|
* [Database](#database)
* [Objectstore](#objectstore)
|
||||||
* [Cache](#cache)
|
* [Cache](#cache)
|
||||||
<!-- TOC -->
|
<!-- TOC -->
@@ -65,6 +66,23 @@ service.
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||||
| | | | Password | `databases.xwiki.password` | |
|
| | | | Password | `databases.xwiki.password` | |
## Objectstore
When deploying this suite to production, you need to configure the applications to use your production grade objectstore
service.
| Component | Name | Parameter | Key | Default |
|-------------|-------------|-----------------|------------------------------------------|--------------------|
| OpenProject | OpenProject | | | |
| | | Backend | `objectstores.openproject.backend` | `minio` |
| | | Bucket | `objectstores.openproject.bucket` | `openproject` |
| | | Endpoint | `objectstores.openproject.endpoint` | |
| | | Provider | `objectstores.openproject.provider` | `AWS` |
| | | Region | `objectstores.openproject.region` | |
| | | Secret | `objectstores.openproject.secret` | |
| | | Username | `objectstores.openproject.username` | `openproject_user` |
| | | Use IAM profile | `objectstores.openproject.useIAMProfile` | |
## Cache
|
## Cache
When deploying this suite to production, you need to configure the applications to use your production grade cache
|
When deploying this suite to production, you need to configure the applications to use your production grade cache
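Review bot: the Default column does not match the OpenProject `environment:` template later in this change set: there `useIAMProfile` falls back to "false" and `secret` falls back to `secrets.minio.openprojectUser`, while both are shown here with an empty default; `provider` defaults to `AWS` in both places, but `backend` defaults to `minio` here and is compared case-sensitively against `aws` in the template, so the accepted values for `backend` should be listed. Also `objectstores.openproject.secret` is an access secret living outside the `secrets.*` tree; state that it has to be supplied the same way as the other secrets so it does not end up in a plain values file.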
109
docs/security.md
@@ -10,6 +10,7 @@ This document should cover the current status of security measurements.
<!-- TOC -->
|
<!-- TOC -->
|
||||||
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
|
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
|
||||||
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
|
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
|
||||||
<!-- TOC -->
|
<!-- TOC -->
## Helm Chart Trust Chain
|
## Helm Chart Trust Chain
|
||||||
@@ -50,43 +51,71 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
This list gives you an overview of default security settings and if they comply with security standards:
|
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||||
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
| UCC | univention-corporate-container | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
## NetworkPolicies
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
When applied, they restrict the traffic to your services.
This protects other deployments in your cluster or other services in your deployment to get compromised when one
component is compromised.
We ship a default set of Otterize ClientIntents via
[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
(IBAC) into kubernetes native NetworkPolicies.
This requires the Otterize intents operator to be installed.
```yaml
security:
otterizeIntents:
enabled: true
```
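Review bot: the new NetworkPolicies section says the Otterize intents operator is required but not what happens when `security.otterizeIntents.enabled` is true and the operator (with its ClientIntents CRD) is absent, nor what the resulting cluster posture is: policies generated by the intents operator only restrict servers that are the target of at least one ClientIntents, so the "protects other deployments in your cluster" claim needs a default-deny policy for the namespace as well. Please state the flag's default, the operator mode that is assumed, and whether a default-deny policy is shipped. In the table, the Redis row shows `runAsGroup` 0 next to runAsNonRoot :white_check_mark: (GID 0 is still the root group and deserves a remark), and the opendesk-nextcloud-bootstrap row marks capabilities :x: without listing which ones are kept, unlike the other :x: rows. Minor: "to get compromised" should read "from being compromised", and "nextlcoud-integration-ui" is misspelled (pre-existing).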
@@ -21,7 +21,7 @@ releases:
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "cryptpad"
|
- name: "cryptpad"
|
||||||
chart: "cryptpad-online-repo/cryptpad"
|
chart: "cryptpad-online-repo/cryptpad"
|
||||||
version: "0.0.13"
|
version: "0.0.14"
|
||||||
values:
|
values:
|
||||||
- "values.yaml"
|
- "values.yaml"
|
||||||
- "values.gotmpl"
|
- "values.gotmpl"
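Review bot: the bump 0.0.13 to 0.0.14 changes only the version, and nothing in this change enables provenance verification for `cryptpad-online-repo`, unlike the OpenProject repository further down which gets `verify: true` and a `keyring:`. If the CryptPad chart is signed, enable verification here too; if it is not, say so under Helm Chart Trust Chain in docs/security.md so the gap is explicit rather than implied.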
@@ -22,6 +22,10 @@ enableEmbedding: true
fullnameOverride: "cryptpad"
|
fullnameOverride: "cryptpad"
ingress:
annotations:
nginx.org/websocket-services: "cryptpad"
persistence:
|
persistence:
|
||||||
enabled: false
|
enabled: false
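Review bot: `nginx.org/websocket-services` is the annotation of NGINX Inc.'s kubernetes-ingress controller; the community kubernetes/ingress-nginx controller does not read it (WebSocket works there by default, with `nginx.ingress.kubernetes.io/proxy-read-timeout` and `proxy-send-timeout` as the usual tuning knobs). If openDesk targets ingress-nginx this annotation is a no-op and the CryptPad websocket fix from the changelog would not take effect; please state which controller is assumed, or set both controllers' annotations.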
@@ -11,6 +11,16 @@ configuration:
- "m.space.parent"
|
- "m.space.parent"
|
||||||
- "net.nordeck.meetings.metadata"
|
- "net.nordeck.meetings.metadata"
|
||||||
- "m.room.power_levels"
|
- "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
homeserver:
|
homeserver:
|
||||||
guestModule:
|
guestModule:
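Review bot: `rc_login.address` and `rc_login.account` at 2 requests per second with bursts of 12 and 8 are far above Synapse's documented default for both (0.003 per second, burst 5); the comment explains the parallel Intercom Service login, which justifies an increase, but not why these particular values were chosen, so please add that reasoning (or the observed request pattern) to the comment. `rc_login.failed_attempts` is untouched and therefore still throttles wrong-password attempts at its default, which is worth saying explicitly since that is the guard that matters for guessing. The linked documentation is for Synapse v1.59; point it at the deployed version or the `latest` docs.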
@@ -26,6 +26,7 @@ releases:
chart: "intercom-service-repo/intercom-service"
|
chart: "intercom-service-repo/intercom-service"
|
||||||
version: "2.0.1"
|
version: "2.0.1"
|
||||||
values:
|
values:
- "values.yaml"
|
||||||
- "values.gotmpl"
|
- "values.gotmpl"
|
||||||
installed: {{ .Values.intercom.enabled }}
|
installed: {{ .Values.intercom.enabled }}
21
helmfile/apps/intercom-service/values.yaml
Normal file
@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
...
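Review bot: this security context is complete (privilege escalation off, all capabilities dropped, RuntimeDefault seccomp, read-only root, non-root uid/gid/fsGroup 1000) and matches the IntercomService row added to docs/security.md. One suggestion: `fsGroupChangePolicy: "Always"` recursively re-chowns every mounted volume on each pod start; `"OnRootMismatch"` gives the same ownership guarantee and avoids slow starts on large volumes, unless the chart relies on the recursive change.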
@@ -27,4 +27,8 @@ image:
resources:
|
resources:
|
||||||
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
|
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
additionalAnnotations:
annotations:
intents.otterize.com/service-name: "keycloak-bootstrap"
|
||||||
...
|
...
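Review bot: the `intents.otterize.com/service-name` annotation only helps if the chart renders `additionalAnnotations` onto the Job's pod template (or the Job as the pod's owner), because the intents operator resolves a workload's identity from the pod and its owner chain; please confirm where this chart places it. The annotation by itself grants nothing: a matching ClientIntents for `keycloak-bootstrap` (towards Keycloak) has to exist, so reference where that intent is defined.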
@@ -15,4 +15,17 @@ config:
cryptpad:
|
cryptpad:
|
||||||
enabled: true
|
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 33
fsGroupChangePolicy: "Always"
|
||||||
...
|
...
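Review bot: `runAsNonRoot: false` with no `capabilities.drop` means this container starts as root with the runtime's full default capability set, which is exactly what the opendesk-nextcloud-bootstrap row in docs/security.md records (capabilities :x:, runAsNonRoot :x:). If root is needed only to prepare the data volume for uid/gid 33, add `capabilities: {drop: ["ALL"]}` plus an `add:` list of the few it really needs and state the reason in a comment; `readOnlyRootFilesystem: false` likewise deserves a one-line justification so the exceptions in the table are traceable.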
@@ -20,6 +20,11 @@ cronjob:
- >
|
- >
|
||||||
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
|
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
|
||||||
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
|
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
ingress:
|
ingress:
|
||||||
annotations:
|
annotations:
@@ -52,6 +57,20 @@ nextcloud:
{
|
{
|
||||||
"drawio": ["application/x-drawio"]
|
"drawio": ["application/x-drawio"]
|
||||||
}
|
}
podSecurityContext:
fsGroup: 33
seccompProfile:
type: "RuntimeDefault"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
- "SETGID"
- "SETUID"
# this is not documented but can be found in values.yaml
|
# this is not documented but can be found in values.yaml
|
||||||
service:
|
service:
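Review bot: `drop: ALL` followed by `add: NET_BIND_SERVICE, SETGID, SETUID` is the right shape for an Apache image that binds port 80 as root and then switches to www-data (fsGroup 33), but that reasoning should be written next to the block. NET_BIND_SERVICE can go as well if the container listens on an unprivileged port (the Service can still expose 80), which would also allow `runAsNonRoot`/`runAsUser` to be set; as submitted, the Nextcloud row in docs/security.md still shows runAsNonRoot :x:. The cron container in the previous hunk gets the same drop-ALL but no `add:`, so please confirm it does not need SETUID/SETGID to switch users when running the crontab.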
@@ -12,6 +12,8 @@ repositories:
url: >-
|
url: >-
|
||||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||||
default "https://charts.openproject.org" }}
|
default "https://charts.openproject.org" }}
verify: true
keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
releases:
|
releases:
|
||||||
# renovate:
|
# renovate:
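Review bot: `verify: true` with a checked-in keyring is the right move, but it only works when every chart version is published with its `.prov` file at the repository actually used; when `PRIVATE_CHART_REPOSITORY_URL` points at an internal mirror, the provenance files must be mirrored too or the sync fails. Please record the key fingerprint and how `files/gpg-pubkeys/openproject-com.gpg` was obtained under Helm Chart Trust Chain in docs/security.md so the key itself can be checked, and note there that this verifies the chart, not the container images it references.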
@@ -21,7 +23,7 @@ releases:
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "openproject"
|
- name: "openproject"
|
||||||
chart: "openproject-repo/openproject"
|
chart: "openproject-repo/openproject"
|
||||||
version: "2.4.0"
|
version: "2.6.2"
|
||||||
wait: true
|
wait: true
|
||||||
waitForJobs: true
|
waitForJobs: true
|
||||||
values:
|
values:
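Review bot: 2.4.0 to 2.6.2 skips two minor chart releases and the `seederJob.annotations` value added further down depends on the chart exposing it; please state the minimum chart version that has `seederJob` and link the upstream chart changelog in the commit message so renamed or removed values can be checked.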
@@ -77,9 +77,16 @@ environment:
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
|
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
|
||||||
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
||||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
|
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
|
||||||
OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
|
{{ if ne .Values.objectstores.openproject.backend "aws" }}
|
||||||
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
|
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
||||||
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
|
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
{{ end }}
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
|
||||||
|
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
|
||||||
|
OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
|
||||||
|
OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
|
||||||
|
OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE : {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
|
||||||
|
|
||||||
replicaCount: {{ .Values.replicas.openproject }}
|
replicaCount: {{ .Values.replicas.openproject }}
|
||||||
|
|
||||||
|
|||||||
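Review bot: the secret fallback on the `OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY` line applies regardless of backend: `{{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}` means that with `backend: "aws"` and an empty `secret`, the MinIO user secret is handed to an external S3 endpoint. Only `ENDPOINT` and `PATH__STYLE` sit inside the `{{ if ne .Values.objectstores.openproject.backend "aws" }}` guard; the access key id, secret and username defaults should be guarded the same way, or the template should fail when backend is "aws" and no secret is set. Minor: `OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE :` has a stray space before the colon, unlike every other key in the block.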
@@ -75,11 +75,12 @@ environment:
|
|||||||
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
|
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
|
||||||
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
|
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
|
||||||
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
|
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
|
||||||
OPENPROJECT_FOG_DIRECTORY: "openproject"
|
|
||||||
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
|
|
||||||
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
||||||
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
|
|
||||||
# Define an admin mapping from the claim
|
# Define an admin mapping from the claim
|
||||||
# The attribute mapping cannot currently be defined in the value
|
# The attribute mapping cannot currently be defined in the value
|
||||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
|
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
|
||||||
|
|
||||||
|
seederJob:
|
||||||
|
annotations:
|
||||||
|
intents.otterize.com/service-name: "openproject-seeder"
|
||||||
...
|
...
|
||||||
|
|||||||
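Review bot: `OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"` is kept as unchanged context in this static values file while the templated values file now sets the same key only inside its `backend != "aws"` conditional, so for the aws backend the static `"true"` still applies and the conditional has no effect. Drop the line here (it was moved alongside `FOG_DIRECTORY`, `PROVIDER` and `ACCESS__KEY__ID`, which this hunk removes) or state in a comment which file is meant to win. The `seederJob.annotations` addition with `intents.otterize.com/service-name: "openproject-seeder"` is fine.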
@@ -6,6 +6,17 @@ bases:
|
|||||||
|
|
||||||
---
|
---
|
||||||
repositories:
|
repositories:
|
||||||
|
# openDesk Otterize
|
||||||
|
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
|
||||||
|
- name: "opendesk-otterize-repo"
|
||||||
|
oci: true
|
||||||
|
# yamllint disable rule:line-length
|
||||||
|
url: >-
|
||||||
|
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||||
|
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-otterize" }}
|
||||||
|
# yamllint enable rule:line-length
|
||||||
|
verify: true
|
||||||
|
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||||
# openDesk Certificates
|
# openDesk Certificates
|
||||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
|
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
|
||||||
- name: "opendesk-certificates-repo"
|
- name: "opendesk-certificates-repo"
|
||||||
@@ -40,7 +51,7 @@ repositories:
|
|||||||
- name: "postfix-repo"
|
- name: "postfix-repo"
|
||||||
oci: true
|
oci: true
|
||||||
url: >-
|
url: >-
|
||||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
|
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
|
||||||
verify: true
|
verify: true
|
||||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||||
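Review bot: the `url:` for postfix-repo switches from `env "PRIVATE_CHART_REPOSITORY_URL"` to `env "PRIVATE_IMAGE_REGISTRY_URL"`, which changes the environment variable operators must set, and the hunk gives no reason for the rename. Confirm this is intended and that the documentation for private registries is updated in the same change; also note that the default value is a full chart path (`.../souvap/tooling/charts/postfix`), so whoever sets the variable must supply the complete per-chart path, not a bare registry host, which the variable name does not suggest.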
@@ -75,6 +86,17 @@ repositories:
|
|||||||
releases:
|
releases:
|
||||||
# renovate:
|
# renovate:
|
||||||
# registryUrl=https://registry.souvap-univention.de
|
# registryUrl=https://registry.souvap-univention.de
|
||||||
|
# packageName=souvap/tooling/charts/opendesk-otterize/opendesk-otterize
|
||||||
|
# dataSource=docker
|
||||||
|
# dependencyType=service
|
||||||
|
- name: "opendesk-otterize"
|
||||||
|
chart: "opendesk-otterize-repo/opendesk-otterize"
|
||||||
|
version: "1.1.2"
|
||||||
|
values:
|
||||||
|
- "values-otterize.gotmpl"
|
||||||
|
installed: {{ .Values.security.otterizeIntents.enabled }}
|
||||||
|
# renovate:
|
||||||
|
# registryUrl=https://registry.souvap-univention.de
|
||||||
# packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
|
# packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
|
||||||
# dataSource=docker
|
# dataSource=docker
|
||||||
# dependencyType=service
|
# dependencyType=service
|
||||||
|
|||||||
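Review bot: `installed: {{ .Values.security.otterizeIntents.enabled }}` on the opendesk-otterize release means that flipping the flag from true back to false makes helmfile uninstall the release, which removes the intents and any network restriction derived from them on the next apply. That is probably the wanted behaviour, but it deserves a comment above the release, since a reader may expect the flag to only skip installation rather than tear down an existing security control.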
56
helmfile/apps/services/values-otterize.gotmpl
Normal file
@@ -0,0 +1,56 @@
|
|||||||
|
{{/*
|
||||||
|
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
SPDX-License-Identifier: Apache-2.0
|
||||||
|
*/}}
|
||||||
|
---
|
||||||
|
apps:
|
||||||
|
clamavDistributed:
|
||||||
|
enabled: {{ .Values.clamavDistributed.enabled }}
|
||||||
|
clamavSimple:
|
||||||
|
enabled: {{ .Values.clamavSimple.enabled }}
|
||||||
|
collabora:
|
||||||
|
enabled: {{ .Values.collabora.enabled }}
|
||||||
|
cryptpad:
|
||||||
|
enabled: {{ .Values.cryptpad.enabled }}
|
||||||
|
dovecot:
|
||||||
|
enabled: {{ .Values.dovecot.enabled }}
|
||||||
|
element:
|
||||||
|
enabled: {{ .Values.element.enabled }}
|
||||||
|
intercom:
|
||||||
|
enabled: {{ .Values.intercom.enabled }}
|
||||||
|
jitsi:
|
||||||
|
enabled: {{ .Values.jitsi.enabled }}
|
||||||
|
keycloak:
|
||||||
|
enabled: {{ .Values.keycloak.enabled }}
|
||||||
|
mariadb:
|
||||||
|
enabled: {{ .Values.mariadb.enabled }}
|
||||||
|
memcached:
|
||||||
|
enabled: {{ .Values.memcached.enabled }}
|
||||||
|
minio:
|
||||||
|
enabled: {{ .Values.minio.enabled }}
|
||||||
|
nextcloud:
|
||||||
|
enabled: {{ .Values.nextcloud.enabled }}
|
||||||
|
openproject:
|
||||||
|
enabled: {{ .Values.openproject.enabled }}
|
||||||
|
oxAppsuite:
|
||||||
|
enabled: {{ .Values.oxAppsuite.enabled }}
|
||||||
|
oxConnector:
|
||||||
|
enabled: {{ .Values.oxConnector.enabled }}
|
||||||
|
postfix:
|
||||||
|
enabled: {{ .Values.postfix.enabled }}
|
||||||
|
postgresql:
|
||||||
|
enabled: {{ .Values.postgresql.enabled }}
|
||||||
|
redis:
|
||||||
|
enabled: {{ .Values.redis.enabled }}
|
||||||
|
univentionCorporateServer:
|
||||||
|
enabled: {{ .Values.univentionCorporateServer.enabled }}
|
||||||
|
univentionManagementStack:
|
||||||
|
enabled: {{ .Values.univentionManagementStack.enabled }}
|
||||||
|
xwiki:
|
||||||
|
enabled: {{ .Values.xwiki.enabled }}
|
||||||
|
|
||||||
|
extraApps:
|
||||||
|
clusterPostfix:
|
||||||
|
enabled: {{ .Values.security.clusterPostfix.enabled }}
|
||||||
|
namespace: {{ .Values.security.clusterPostfix.namespace }}
|
||||||
|
...
|
||||||
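Review bot: `namespace: {{ .Values.security.clusterPostfix.namespace }}` renders the value unquoted; with the shipped default `""` this produces an empty YAML scalar (null) rather than an empty string, and any value containing YAML-significant characters would break the file. Use `| quote` as the other templated values files in this compare do. The per-app `enabled:` list is also a hand-maintained mirror of the application flags, so adding a new application without an entry here silently leaves it out of the intents; a short comment saying the list must be kept in sync would help.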
@@ -101,7 +101,7 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-stack-data-ums"
|
- name: "ums-stack-data-ums"
|
||||||
chart: "ums-repo/stack-data-ums"
|
chart: "ums-repo/stack-data-ums"
|
||||||
version: "0.36.0"
|
version: "0.37.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
@@ -116,7 +116,7 @@ releases:
|
|||||||
# dependencyType=vendor
|
# dependencyType=vendor
|
||||||
- name: "ums-stack-data-swp"
|
- name: "ums-stack-data-swp"
|
||||||
chart: "ums-repo/stack-data-swp"
|
chart: "ums-repo/stack-data-swp"
|
||||||
version: "0.36.0"
|
version: "0.37.0"
|
||||||
values:
|
values:
|
||||||
- "values-common.gotmpl"
|
- "values-common.gotmpl"
|
||||||
- "values-common.yaml"
|
- "values-common.yaml"
|
||||||
|
|||||||
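Review bot: both ums-repo/stack-data-ums and ums-repo/stack-data-swp move from 0.36.0 to 0.37.0 with no stated reason. If 0.37.0 is the version that introduces the `additionalAnnotations` value used by the stack-data values hunks in this compare, say so in the commit message, so the dependency between the chart bump and the annotation change is explicit.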
@@ -11,4 +11,6 @@ stackDataContext:
|
|||||||
oxDefaultContext: "10"
|
oxDefaultContext: "10"
|
||||||
smtpStartTls: true
|
smtpStartTls: true
|
||||||
|
|
||||||
|
additionalAnnotations:
|
||||||
|
intents.otterize.com/service-name: "ums-stack-data-swp"
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -12,4 +12,6 @@ stackDataContext:
|
|||||||
# The openDesk configuration brings its own UMC policies.
|
# The openDesk configuration brings its own UMC policies.
|
||||||
installUmcPolicies: false
|
installUmcPolicies: false
|
||||||
|
|
||||||
|
additionalAnnotations:
|
||||||
|
intents.otterize.com/service-name: "ums-stack-data-ums"
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -2,7 +2,14 @@
|
|||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
---
|
---
|
||||||
containerSecurityContext:
|
containerSecurityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
enabled: true
|
enabled: true
|
||||||
|
runAsUser: 100
|
||||||
|
runAsGroup: 101
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
|
||||||
customConfigs:
|
customConfigs:
|
||||||
xwiki.cfg:
|
xwiki.cfg:
|
||||||
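Review bot: `runAsUser: 100` and `runAsGroup: 101` are hard-coded without a comment saying which user of the xwiki image they correspond to; combined with `runAsNonRoot: true`, a mismatch fails the container at start, so record the source of the IDs next to the values. The rest of the block (`allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`) is the expected hardening; consider whether `readOnlyRootFilesystem` is feasible for this image as well.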
@@ -87,6 +94,9 @@ properties:
|
|||||||
|
|
||||||
securityContext:
|
securityContext:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
fsGroup: 101
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
service:
|
service:
|
||||||
externalPort: 80
|
externalPort: 80
|
||||||
|
|||||||
16
helmfile/environments/default/objectstore.gotmpl
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
{{/*
|
||||||
|
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
SPDX-License-Identifier: Apache-2.0
|
||||||
|
*/}}
|
||||||
|
---
|
||||||
|
objectstores:
|
||||||
|
openproject:
|
||||||
|
backend: "minio"
|
||||||
|
bucket: "openproject"
|
||||||
|
endpoint: ""
|
||||||
|
provider: "AWS"
|
||||||
|
region: ""
|
||||||
|
secret: ""
|
||||||
|
username: "openproject_user"
|
||||||
|
useIAMProfile: ""
|
||||||
|
...
|
||||||
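Review bot: `secret: ""` in a default environment file invites operators to put the object store secret into a plaintext values file; document that the value should come from the secrets mechanism and only override here when unavoidable, and state that `secret` and `region` are required when `backend` is "aws". `useIAMProfile: ""` is a string rather than a boolean, which is fine for the template's `| default "false"` fallback, but a comment noting the accepted values ("true"/"false") would avoid confusion. Also, the file carries the `.gotmpl` extension but contains no template expressions beyond the SPDX comment.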
10
helmfile/environments/default/security.yaml
Normal file
@@ -0,0 +1,10 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
otterizeIntents:
|
||||||
|
enabled: false
|
||||||
|
clusterPostfix:
|
||||||
|
enabled: false
|
||||||
|
namespace: ""
|
||||||
|
...
|
||||||
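Review bot: both `otterizeIntents.enabled` and `clusterPostfix.enabled` default to `false`, so the intents-based network restrictions are opt-in. That is a reasonable default for an upgrade, but the file should carry a comment pointing to the documentation that explains what enabling them does and what `clusterPostfix.namespace` must be set to when `clusterPostfix.enabled` is true.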
53
helmfile/files/gpg-pubkeys/openproject-com.gpg
Normal file
@@ -0,0 +1,53 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBGVSG3cBEACftfIFs1EO29wSL9kNN057w6S8qSKNRI6DNrGkgYxB/C3JsdTH
|
||||||
|
iNtpv1g1pBbze6Efz/SxaeQ43eqEPkqa9nHBE8ypSWBEzu0EzrDt5bhjpvL4yK1A
|
||||||
|
14T6A7cYm6Qtu+AvMDaJ6UVp1JS+1h4o52zmSvup0bD1xoUnpuhPa7WE0XQOgl3v
|
||||||
|
2X/YBSrQpVV6hwoTWuag9z4qyfsyP/jzTrYtw8e39ff1Fm7jUeKEvmoOuxdH/fD7
|
||||||
|
hGPDcpvDq+5uTXAlWPEMtCoN3uFRqg9BybeKo4VMzFhim334i8x+8vp3kQyT7xi8
|
||||||
|
b72UluDPQur9zwv1T+knQw5T33nP3xqc8BAWo7fy7Co+x7snwprzTWyDq8kIJxyA
|
||||||
|
l3jg/4WNUEdoJkesPtcQUl2lWIP62UZAwIINfOtjzJP7pNNnZrW21Bs/xwPB6lo/
|
||||||
|
TyeLEYQcx6SZH1rPTCE3TlGfXSGI/UpAlMbmxPf4LxcE9J8d4ixUtTxGeMftWceb
|
||||||
|
enn9SX15DIyHC1uO4E0QfUCtwmBTnfOiG7U042zRFD8fZhegq2ZuAxPDvON8sFEC
|
||||||
|
v1y8YlR/j9IYFtgRCsaCuqMlE9VIQSADWHsKTr7l+W4ne5kDzIClzlh+kV0ViJLt
|
||||||
|
SpzGlddHo5GViHmgDeOikRbAji5+jACqh6d5boNWGvflSFQX8FFyOW5rkQARAQAB
|
||||||
|
tGxPcGVuUHJvamVjdCBPcGVyYXRpb25zIFRlYW0gKE9wZW5Qcm9qZWN0IE9wZXJh
|
||||||
|
dGlvbnMgRGVwbG95bWVudCBhbmQgU2lnbmluZyBrZXkpIDxvcGVyYXRpb25zQG9w
|
||||||
|
ZW5wcm9qZWN0LmNvbT6JAk4EEwEIADgWIQTLHKBIinW3Rx6hsIfPVt1qCuJg5QUC
|
||||||
|
ZVIbdwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDPVt1qCuJg5fwwD/wO
|
||||||
|
hTZtfSTmWs+/lgspHtfd+FADCn4yq8eCwEWgtG1YCGjyU0yffAsOaDYaeQtujLk4
|
||||||
|
GYIZypugM9BkclZNhtSRWDQhq0kH9bZLTbD5HqZjaVw8zje3SnmqlrKNXt4R4Emp
|
||||||
|
EHhiQMlJDbjHdTHQQ3xoUqPSwhvW5icFkKO0TdM/DbF7X9CRUBo8Lp2oL6Bfd3Ji
|
||||||
|
TvlLiVVQ3xPPLkH8zN83VsdgYl3oy1TfyOQTLfh3Ws+osf748WQDHbipmuo/dnXs
|
||||||
|
8McNixeHuUaOUK78eSXMcEAesbweHG6hQcpfyMcHdB1Q/2eoqUGpTvvLLQ+ChOmJ
|
||||||
|
rNNiZAUC8GpD2dxVtODr81vSS7FJNQfXIC4pOJGPXqoZBXajuD95zbRQUO/ndG4i
|
||||||
|
CETkkcSY1m7BAbPV1uWDOpnMhxG+lzoVraQjKkXJQByakRnTyQWeZW96iLp/2E3H
|
||||||
|
vYJ54wfw1DdpnaB8c/x4izwODjTQpMVDXzJ6I/snL5Yd/GJJplDqz4d031dbcwHR
|
||||||
|
eHPUKerI8WLjj6+MF1j34gsd9pvWGPoR69RaYDrA3Hnq+DJL4omMpr7GrSr2KJ8N
|
||||||
|
/RmYP4Y4dJ5N0sNuEt096AHx1aAduYGnQv67M4d6v9E7ZqugfifTvF4Aq68Vp4Pv
|
||||||
|
eOgG5oVLLZU/h7EO6t7uHJgWw+ozJq/nTVb698nK2rkCDQRlUht3ARAAuvNrUSAA
|
||||||
|
8Dqzi98RRhQ52KUGzub9OKZ/VfsaD1AINiG0CNYNXgUcCzWqXIs+wXRfyziS+x8G
|
||||||
|
WGkqN4MCPe6k3KYuKw94t//aZZ8T1iN8QyjMCfn5VGnwq36rXLcmfvlec5r6opZe
|
||||||
|
I0I+SzSbR2gXNWbU4on4fCVP8ZJc8luNC+mD0qUqP9KGJA6moCbc4eDwKi3sdyh7
|
||||||
|
4wNdDNq0WbTPFoxuJUAlcZjrJhwgjMe+tvRTVyJl3Yi8hth83R8PKic8S84lDZxR
|
||||||
|
KTydu7zl2yFTBi+3jQS+UUIze2Gdfj4Mh5ClLQj55bIPOzHxSAakITo5RNzmiQTV
|
||||||
|
pVGTrO2XYiygO6XgvLOhsumO37nsXOR0zPldbXUrLTY1J4srcn9MB1UikWLGqKqj
|
||||||
|
fgdhyv/I9t3ARBMmj8VASOBjgKN4juNir+AAm1lg/5NZf1YGVTsCVRhwF56kQLyl
|
||||||
|
D3TXkIJPnWvNminknvgpPMzWmR+alh2+Fh16FC53zfXHp5d2Ggk6gcWh2bvD87AQ
|
||||||
|
avNiQtEGv84qEEAqAyiy03OFWeYnxh2BC+J/XWsvP8ZlCSICtEqOnNCqErabB1na
|
||||||
|
0Lb6gOmxuY4Mk4N+TK+975iYDYmAH0o7Z58x/YAfUpSWqrx4C6Jz/F6GYtV2cl9B
|
||||||
|
v3FyU0230LrMssb9XDsP6YU7SoJDaonWNPMAEQEAAYkCNgQYAQgAIBYhBMscoEiK
|
||||||
|
dbdHHqGwh89W3WoK4mDlBQJlUht3AhsMAAoJEM9W3WoK4mDlrVcP/ind6InjSM61
|
||||||
|
E3CUCrS0ahZgYGZL2lPJopnPzvB662IUWMjG8f5rfDoOweI9WiWoJkkg5XvVvt2V
|
||||||
|
RkMoG3FIpGzh760olcNhhIKxgU2IRl2a+uo8QMXakgFFdN+X7uHgro1uu0ftzas4
|
||||||
|
YFyQyBDJYobCZlHlGiF1b/z7JDpY2zQWqBR8bNXlphtDIC6pk5haaJdy8WDG3Yns
|
||||||
|
JT0R74S1xTIKXjU5YK3QE1kulMJFDB+b+c9RkqVsAmuOZyPqfU7I+KlemuxKgZgI
|
||||||
|
5rzoFzkDVcWmaozogOLOM2VSSBiTXxIhHYK9uPYuCttIF4biRjWzaVvfTJjf+KPn
|
||||||
|
6oq0+u7vLfWRomMa+y4na5vrcVifivPNqQphPVU6F6v3f3GK4FpbrQmXli2L5rUL
|
||||||
|
lIDiKDTUtoHP/BnOvz2zXHEY7hfWh4xrEskMXhIiJNIr+UmG/PSjbY/rbPFA1o5b
|
||||||
|
Ln/i8y2UMmSRGvK5i2n9OhaLkMUiL0qLyRnzPXk+2cjvNdp2q1spiz107EigHqKq
|
||||||
|
UXUdRUNX7RtW3gAZRrMple6AHTrQhZhdO2uksMg4YaP/KjKx/GqFty1qwSPF4Zum
|
||||||
|
gfslJ6EB53uJJt9awcGFdFLHHci5ClEH9aGrboWlhx0erFKEcfjCnh8dAA/1UQ0R
|
||||||
|
Ecu2CcmkBOHGAnMirYCSEZqu9Uz+9g7P
|
||||||
|
=nG7D
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
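Review bot: the armored public key is added without its fingerprint or the URL it was obtained from being recorded anywhere in the change. Add both (in the companion .license file or in the commit message) so that reviewers can verify the key out-of-band instead of trusting the blob in the diff, and so future key rotations can be checked against a known fingerprint.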
2
helmfile/files/gpg-pubkeys/openproject-com.gpg.license
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||