mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 15:31:38 +01:00
Compare commits
32 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c69c62cd45 | ||
|
|
6a26299a75 | ||
|
|
4101e91ae6 | ||
|
|
83192b7834 | ||
|
|
3b1091bb3e | ||
|
|
e67ab8f430 | ||
|
|
da731e7d5e | ||
|
|
0ea585633b | ||
|
|
fe40b7cfa1 | ||
|
|
d04a60349d | ||
|
|
94ae3da78b | ||
|
|
3ca54159f7 | ||
|
|
bf5dcda3b5 | ||
|
|
08ca525d3e | ||
|
|
dc7ce0bc4b | ||
|
|
729a1ea849 | ||
|
|
3b5493d78d | ||
|
|
6711791009 | ||
|
|
c41643ee3e | ||
|
|
2628a0e13e | ||
|
|
c8bc8b3172 | ||
|
|
24812b667c | ||
|
|
bec9a2d46b | ||
|
|
05cc82d7c5 | ||
|
|
82be996d97 | ||
|
|
d367739248 | ||
|
|
ef870ae385 | ||
|
|
466e741494 | ||
|
|
00fafb6a1b | ||
|
|
6d3e484855 | ||
|
|
845a0a3189 | ||
|
|
519db51be2 |
@@ -620,4 +620,6 @@ release:
|
||||
}
|
||||
EOF
|
||||
- "semantic-release"
|
||||
needs:
|
||||
- "generate-release-assets"
|
||||
...
|
||||
|
||||
97
CHANGELOG.md
97
CHANGELOG.md
@@ -1,3 +1,100 @@
|
||||
## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Update Element and Widgets ([6a26299](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a26299a7507ae749ffcf25288d2cf5b24d220db))
|
||||
|
||||
## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **univention-management-stack:** Bump OX Connector ([83192b7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/83192b78345c62465e2979195d9a1c882ddbf0ea))
|
||||
|
||||
## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
|
||||
|
||||
## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
|
||||
|
||||
## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
|
||||
* **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
|
||||
|
||||
## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
|
||||
|
||||
## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
|
||||
|
||||
## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
|
||||
|
||||
## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
|
||||
* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
|
||||
* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
|
||||
* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
|
||||
* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
|
||||
* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
|
||||
|
||||
## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Using correct private registry for postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
|
||||
|
||||
## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
|
||||
|
||||
## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
|
||||
|
||||
## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
|
||||
|
||||
## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
|
||||
|
||||
|
||||
|
||||
11
README.md
11
README.md
@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
|
||||
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
|
||||
|
||||
It features:
|
||||
- Fully integrated Identity Management (Univention, Keycloak)
|
||||
- Fully integrated Identity Management (Univention)
|
||||
- File storage (Nextcloud)
|
||||
- Weboffice (Collabora)
|
||||
- Videoconference (Jitsi)
|
||||
- Encrypted Chat (Synapse, Element)
|
||||
- Videoconference (Nordeck w/ Jitsi)
|
||||
- Chat and Collaboration (Element w/ Nordeck)
|
||||
- Groupware (OX Appsuite)
|
||||
- Wiki (XWiki)
|
||||
- Notes and Diagrams (Cryptpad, Draw.io)
|
||||
- Project Management (OpenProject)
|
||||
- Notes and Diagrams (Cryptpad)
|
||||
|
||||
openDesk integrates these components and is working towards a seamless user experience.
|
||||
|
||||
@@ -40,7 +41,7 @@ Basic knowledge of Kubernetes and Devops is required though.
|
||||
|
||||
# Active development notice
|
||||
openDesk will face breaking changes in the near future without upgrade paths before
|
||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases
|
||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||
v1.0.0 is reached.
|
||||
|
||||
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
|
||||
|
||||
@@ -9,6 +9,7 @@ This document will cover the additional configuration to use external services l
|
||||
|
||||
<!-- TOC -->
|
||||
* [Database](#database)
|
||||
* [Objectstore](#objectstore)
|
||||
* [Cache](#cache)
|
||||
<!-- TOC -->
|
||||
|
||||
@@ -17,53 +18,76 @@ This document will cover the additional configuration to use external services l
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade database
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
|
||||
| Element | Synapse | PostgreSQL | | | |
|
||||
| | | | Name | `databases.synapse.name` | `matrix` |
|
||||
| | | | Host | `databases.synapse.host` | `postgresql` |
|
||||
| | | | Port | `databases.synapse.port` | `5432` |
|
||||
| | | | Username | `databases.synapse.username` | `matrix_user` |
|
||||
| | | | Password | `databases.synapse.password` | |
|
||||
| Keycloak | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloak.name` | `keycloak` |
|
||||
| | | | Host | `databases.keycloak.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloak.port` | `5432` |
|
||||
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
|
||||
| | | | Password | `databases.keycloak.password` | |
|
||||
| | Keycloak Extension | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
|
||||
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||
| | | | Password | `databases.keycloakExtension.password` | |
|
||||
| UMS | Notifications API | PostgreSQL | | | |
|
||||
| | | | Name | `databases.notificationsApi.name` | `notificationsapi` |
|
||||
| | | | Host | `databases.notificationsApi.host` | `postgresql` |
|
||||
| | | | Port | `databases.notificationsApi.port` | `5432` |
|
||||
| | | | Username | `databases.notificationsApi.username` | `notificationsapi_user` |
|
||||
| | | | Password | `databases.notificationsApi.password` | |
|
||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
|
||||
| | | | Password | `databases.nextcloud.password` | |
|
||||
| OpenProject | OpenProject | PostgreSQL | | | |
|
||||
| | | | Name | `databases.openproject.name` | `openproject` |
|
||||
| | | | Host | `databases.openproject.host` | `postgresql` |
|
||||
| | | | Port | `databases.openproject.port` | `5432` |
|
||||
| | | | Username | `databases.openproject.username` | `openproject_user` |
|
||||
| | | | Password | `databases.openproject.password` | |
|
||||
| OX Appsuite | OX Appsuite | MariaDB | | | |
|
||||
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
|
||||
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
|
||||
| | | | Username | `databases.oxAppsuite.username` | `root` |
|
||||
| | | | Password | `databases.oxAppsuite.password` | |
|
||||
| XWiki | XWiki | MariaDB | | | |
|
||||
| | | | Name | `databases.xwiki.name` | `xwiki` |
|
||||
| | | | Host | `databases.xwiki.host` | `mariadb` |
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
|
||||
| Element | Synapse | PostgreSQL | | | |
|
||||
| | | | Name | `databases.synapse.name` | `matrix` |
|
||||
| | | | Host | `databases.synapse.host` | `postgresql` |
|
||||
| | | | Port | `databases.synapse.port` | `5432` |
|
||||
| | | | Username | `databases.synapse.username` | `matrix_user` |
|
||||
| | | | Password | `databases.synapse.password` | |
|
||||
| Keycloak | Keycloak | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloak.name` | `keycloak` |
|
||||
| | | | Host | `databases.keycloak.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloak.port` | `5432` |
|
||||
| | | | Username | `databases.keycloak.username` | `keycloak_user` |
|
||||
| | | | Password | `databases.keycloak.password` | |
|
||||
| | Keycloak Extension | PostgreSQL | | | |
|
||||
| | | | Name | `databases.keycloakExtension.name` | `keycloak_extensions` |
|
||||
| | | | Host | `databases.keycloakExtension.host` | `postgresql` |
|
||||
| | | | Port | `databases.keycloakExtension.port` | `5432` |
|
||||
| | | | Username | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
|
||||
| | | | Password | `databases.keycloakExtension.password` | |
|
||||
| UMS | Notifications API | PostgreSQL | | | |
|
||||
| | | | Name | `databases.umsNotificationsApi.name` | `notificationsapi` |
|
||||
| | | | Host | `databases.umsNotificationsApi.host` | `postgresql` |
|
||||
| | | | Port | `databases.umsNotificationsApi.port` | `5432` |
|
||||
| | | | Username | `databases.umsNotificationsApi.username` | `notificationsapi_user` |
|
||||
| | | | Password | `databases.umsNotificationsApi.password` | |
|
||||
| | Self Service | PostgreSQL | | | |
|
||||
| | | | Name | `databases.umsSelfservice.name` | `selfservice` |
|
||||
| | | | Host | `databases.umsSelfservice.host` | `postgresql` |
|
||||
| | | | Port | `databases.umsSelfservice.port` | `5432` |
|
||||
| | | | Username | `databases.umsSelfservice.username` | `selfservice_user` |
|
||||
| | | | Password | `databases.umsSelfservice.password` | |
|
||||
| Nextcloud | Nextcloud | MariaDB | | | |
|
||||
| | | | Name | `databases.nextcloud.name` | `nextcloud` |
|
||||
| | | | Host | `databases.nextcloud.host` | `mariadb` |
|
||||
| | | | Username | `databases.nextcloud.username` | `nextcloud_user` |
|
||||
| | | | Password | `databases.nextcloud.password` | |
|
||||
| OpenProject | OpenProject | PostgreSQL | | | |
|
||||
| | | | Name | `databases.openproject.name` | `openproject` |
|
||||
| | | | Host | `databases.openproject.host` | `postgresql` |
|
||||
| | | | Port | `databases.openproject.port` | `5432` |
|
||||
| | | | Username | `databases.openproject.username` | `openproject_user` |
|
||||
| | | | Password | `databases.openproject.password` | |
|
||||
| OX Appsuite | OX Appsuite | MariaDB | | | |
|
||||
| | | | Name | `databases.oxAppsuite.name` | `CONFIGDB` |
|
||||
| | | | Host | `databases.oxAppsuite.host` | `mariadb` |
|
||||
| | | | Username | `databases.oxAppsuite.username` | `root` |
|
||||
| | | | Password | `databases.oxAppsuite.password` | |
|
||||
| XWiki | XWiki | MariaDB | | | |
|
||||
| | | | Name | `databases.xwiki.name` | `xwiki` |
|
||||
| | | | Host | `databases.xwiki.host` | `mariadb` |
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
|
||||
## Objectstore
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade objectstore
|
||||
service.
|
||||
|
||||
| Component | Name | Parameter | Key | Default |
|
||||
|-------------|-------------|-----------------|------------------------------------------|--------------------|
|
||||
| OpenProject | OpenProject | | | |
|
||||
| | | Backend | `objectstores.openproject.backend` | `minio` |
|
||||
| | | Bucket | `objectstores.openproject.bucket` | `openproject` |
|
||||
| | | Endpoint | `objectstores.openproject.endpoint` | |
|
||||
| | | Provider | `objectstores.openproject.provider` | `AWS` |
|
||||
| | | Region | `objectstores.openproject.region` | |
|
||||
| | | Secret | `objectstores.openproject.secret` | |
|
||||
| | | Username | `objectstores.openproject.username` | `openproject_user` |
|
||||
| | | Use IAM profile | `objectstores.openproject.useIAMProfile` | |
|
||||
|
||||
## Cache
|
||||
|
||||
@@ -81,3 +105,6 @@ service.
|
||||
| OpenProject | OpenProject | Memcached | | | |
|
||||
| | | | Host | `cache.openproject.host` | `memcached` |
|
||||
| | | | Port | `cache.openproject.port` | `11211` |
|
||||
| UMS | Self Service | Memcached | | | |
|
||||
| | | | Host | `cache.umsSelfservice.host` | `memcached` |
|
||||
| | | | Port | `cache.umsSelfservice.port` | `11211` |
|
||||
|
||||
109
docs/security.md
109
docs/security.md
@@ -10,6 +10,7 @@ This document should cover the current status of security measurements.
|
||||
<!-- TOC -->
|
||||
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
|
||||
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
|
||||
* [NetworkPolicies](#networkpolicies)
|
||||
<!-- TOC -->
|
||||
|
||||
## Helm Chart Trust Chain
|
||||
@@ -50,43 +51,71 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
|
||||
| UCC | univention-corporate-container | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
|
||||
## NetworkPolicies
|
||||
|
||||
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
|
||||
When applied, they restrict the traffic to your services.
|
||||
This protects other deployments in your cluster or other services in your deployment to get compromised when one
|
||||
component is compromised.
|
||||
|
||||
We ship a default set of Otterize ClientIntents via
|
||||
[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
|
||||
(IBAC) into kubernetes native NetworkPolicies.
|
||||
|
||||
This requires the Otterize intents operator to be installed.
|
||||
|
||||
```yaml
|
||||
security:
|
||||
otterizeIntents:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
@@ -21,7 +21,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "cryptpad"
|
||||
chart: "cryptpad-online-repo/cryptpad"
|
||||
version: "0.0.13"
|
||||
version: "0.0.14"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
|
||||
@@ -22,6 +22,10 @@ enableEmbedding: true
|
||||
|
||||
fullnameOverride: "cryptpad"
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
nginx.org/websocket-services: "cryptpad"
|
||||
|
||||
persistence:
|
||||
enabled: false
|
||||
|
||||
|
||||
@@ -37,7 +37,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-element"
|
||||
chart: "opendesk-element-repo/opendesk-element"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-element.yaml"
|
||||
- "values-element.gotmpl"
|
||||
@@ -51,7 +51,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-well-known"
|
||||
chart: "opendesk-element-repo/opendesk-well-known"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-well-known.yaml"
|
||||
- "values-well-known.gotmpl"
|
||||
@@ -65,7 +65,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-synapse-web"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-web"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-synapse-web.yaml"
|
||||
- "values-synapse-web.gotmpl"
|
||||
@@ -79,7 +79,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-synapse"
|
||||
chart: "opendesk-element-repo/opendesk-synapse"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-synapse.yaml"
|
||||
- "values-synapse.gotmpl"
|
||||
@@ -93,7 +93,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-matrix-user-verification-service-bootstrap"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-create-account"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-matrix-user-verification-service-bootstrap.yaml"
|
||||
- "values-matrix-user-verification-service-bootstrap.gotmpl"
|
||||
@@ -107,7 +107,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-matrix-user-verification-service"
|
||||
chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-matrix-user-verification-service.yaml"
|
||||
- "values-matrix-user-verification-service.gotmpl"
|
||||
@@ -121,7 +121,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "matrix-neoboard-widget"
|
||||
chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
|
||||
version: "3.2.0"
|
||||
version: "3.3.0"
|
||||
values:
|
||||
- "values-matrix-neoboard-widget.yaml"
|
||||
- "values-matrix-neoboard-widget.gotmpl"
|
||||
@@ -135,7 +135,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "matrix-neochoice-widget"
|
||||
chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
|
||||
version: "3.2.0"
|
||||
version: "3.3.0"
|
||||
values:
|
||||
- "values-matrix-neochoice-widget.yaml"
|
||||
- "values-matrix-neochoice-widget.gotmpl"
|
||||
@@ -149,7 +149,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "matrix-neodatefix-widget"
|
||||
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
|
||||
version: "3.2.0"
|
||||
version: "3.3.0"
|
||||
values:
|
||||
- "values-matrix-neodatefix-widget.yaml"
|
||||
- "values-matrix-neodatefix-widget.gotmpl"
|
||||
@@ -163,7 +163,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "matrix-neodatefix-bot-bootstrap"
|
||||
chart: "opendesk-element-repo/opendesk-synapse-create-account"
|
||||
version: "2.5.1"
|
||||
version: "2.6.0"
|
||||
values:
|
||||
- "values-matrix-neodatefix-bot-bootstrap.yaml"
|
||||
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
|
||||
@@ -177,7 +177,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "matrix-neodatefix-bot"
|
||||
chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
|
||||
version: "3.2.0"
|
||||
version: "3.3.0"
|
||||
values:
|
||||
- "values-matrix-neodatefix-bot.yaml"
|
||||
- "values-matrix-neodatefix-bot.gotmpl"
|
||||
|
||||
@@ -11,6 +11,16 @@ configuration:
|
||||
- "m.space.parent"
|
||||
- "net.nordeck.meetings.metadata"
|
||||
- "m.room.power_levels"
|
||||
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
|
||||
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
|
||||
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
|
||||
rc_login:
|
||||
account:
|
||||
per_second: 2
|
||||
burst_count: 8
|
||||
address:
|
||||
per_second: 2
|
||||
burst_count: 12
|
||||
|
||||
homeserver:
|
||||
guestModule:
|
||||
|
||||
@@ -26,6 +26,7 @@ releases:
|
||||
chart: "intercom-service-repo/intercom-service"
|
||||
version: "2.0.1"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
installed: {{ .Values.intercom.enabled }}
|
||||
|
||||
|
||||
21
helmfile/apps/intercom-service/values.yaml
Normal file
21
helmfile/apps/intercom-service/values.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
...
|
||||
@@ -27,4 +27,8 @@ image:
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
|
||||
|
||||
additionalAnnotations:
|
||||
annotations:
|
||||
intents.otterize.com/service-name: "keycloak-bootstrap"
|
||||
...
|
||||
|
||||
@@ -33,7 +33,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "opendesk-nextcloud-bootstrap"
|
||||
chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
|
||||
version: "3.2.4"
|
||||
version: "3.2.6"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
|
||||
@@ -15,4 +15,17 @@ config:
|
||||
|
||||
cryptpad:
|
||||
enabled: true
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: false
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 33
|
||||
fsGroupChangePolicy: "Always"
|
||||
...
|
||||
|
||||
@@ -20,6 +20,11 @@ cronjob:
|
||||
- >
|
||||
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
|
||||
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
@@ -52,6 +57,20 @@ nextcloud:
|
||||
{
|
||||
"drawio": ["application/x-drawio"]
|
||||
}
|
||||
podSecurityContext:
|
||||
fsGroup: 33
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
|
||||
# this is not documented but can be found in values.yaml
|
||||
service:
|
||||
|
||||
@@ -12,6 +12,8 @@ repositories:
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
default "https://charts.openproject.org" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
|
||||
|
||||
releases:
|
||||
# renovate:
|
||||
@@ -21,7 +23,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "openproject"
|
||||
chart: "openproject-repo/openproject"
|
||||
version: "2.4.0"
|
||||
version: "2.6.2"
|
||||
wait: true
|
||||
waitForJobs: true
|
||||
values:
|
||||
|
||||
@@ -77,9 +77,17 @@ environment:
|
||||
OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
|
||||
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
|
||||
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
|
||||
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
|
||||
{{ if ne .Values.objectstores.openproject.backend "aws" }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
||||
{{ end }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
|
||||
OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
|
||||
OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
|
||||
OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.openproject }}
|
||||
|
||||
|
||||
@@ -75,11 +75,12 @@ environment:
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
|
||||
# Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
|
||||
OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
|
||||
OPENPROJECT_FOG_DIRECTORY: "openproject"
|
||||
OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
|
||||
OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
|
||||
OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
|
||||
# Define an admin mapping from the claim
|
||||
# The attribute mapping cannot currently be defined in the value
|
||||
OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
|
||||
|
||||
seederJob:
|
||||
annotations:
|
||||
intents.otterize.com/service-name: "openproject-seeder"
|
||||
...
|
||||
|
||||
@@ -6,6 +6,17 @@ bases:
|
||||
|
||||
---
|
||||
repositories:
|
||||
# openDesk Otterize
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
|
||||
- name: "opendesk-otterize-repo"
|
||||
oci: true
|
||||
# yamllint disable rule:line-length
|
||||
url: >-
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-otterize" }}
|
||||
# yamllint enable rule:line-length
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
# openDesk Certificates
|
||||
# Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
|
||||
- name: "opendesk-certificates-repo"
|
||||
@@ -40,7 +51,7 @@ repositories:
|
||||
- name: "postfix-repo"
|
||||
oci: true
|
||||
url: >-
|
||||
{{ env "PRIVATE_CHART_REPOSITORY_URL" |
|
||||
{{ env "PRIVATE_IMAGE_REGISTRY_URL" |
|
||||
default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
|
||||
verify: true
|
||||
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
|
||||
@@ -75,6 +86,17 @@ repositories:
|
||||
releases:
|
||||
# renovate:
|
||||
# registryUrl=https://registry.souvap-univention.de
|
||||
# packageName=souvap/tooling/charts/opendesk-otterize/opendesk-otterize
|
||||
# dataSource=docker
|
||||
# dependencyType=service
|
||||
- name: "opendesk-otterize"
|
||||
chart: "opendesk-otterize-repo/opendesk-otterize"
|
||||
version: "1.1.3"
|
||||
values:
|
||||
- "values-otterize.gotmpl"
|
||||
installed: {{ .Values.security.otterizeIntents.enabled }}
|
||||
# renovate:
|
||||
# registryUrl=https://registry.souvap-univention.de
|
||||
# packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
|
||||
# dataSource=docker
|
||||
# dependencyType=service
|
||||
|
||||
56
helmfile/apps/services/values-otterize.gotmpl
Normal file
56
helmfile/apps/services/values-otterize.gotmpl
Normal file
@@ -0,0 +1,56 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
apps:
|
||||
clamavDistributed:
|
||||
enabled: {{ .Values.clamavDistributed.enabled }}
|
||||
clamavSimple:
|
||||
enabled: {{ .Values.clamavSimple.enabled }}
|
||||
collabora:
|
||||
enabled: {{ .Values.collabora.enabled }}
|
||||
cryptpad:
|
||||
enabled: {{ .Values.cryptpad.enabled }}
|
||||
dovecot:
|
||||
enabled: {{ .Values.dovecot.enabled }}
|
||||
element:
|
||||
enabled: {{ .Values.element.enabled }}
|
||||
intercom:
|
||||
enabled: {{ .Values.intercom.enabled }}
|
||||
jitsi:
|
||||
enabled: {{ .Values.jitsi.enabled }}
|
||||
keycloak:
|
||||
enabled: {{ .Values.keycloak.enabled }}
|
||||
mariadb:
|
||||
enabled: {{ .Values.mariadb.enabled }}
|
||||
memcached:
|
||||
enabled: {{ .Values.memcached.enabled }}
|
||||
minio:
|
||||
enabled: {{ .Values.minio.enabled }}
|
||||
nextcloud:
|
||||
enabled: {{ .Values.nextcloud.enabled }}
|
||||
openproject:
|
||||
enabled: {{ .Values.openproject.enabled }}
|
||||
oxAppsuite:
|
||||
enabled: {{ .Values.oxAppsuite.enabled }}
|
||||
oxConnector:
|
||||
enabled: {{ .Values.oxConnector.enabled }}
|
||||
postfix:
|
||||
enabled: {{ .Values.postfix.enabled }}
|
||||
postgresql:
|
||||
enabled: {{ .Values.postgresql.enabled }}
|
||||
redis:
|
||||
enabled: {{ .Values.redis.enabled }}
|
||||
univentionCorporateServer:
|
||||
enabled: {{ .Values.univentionCorporateServer.enabled }}
|
||||
univentionManagementStack:
|
||||
enabled: {{ .Values.univentionManagementStack.enabled }}
|
||||
xwiki:
|
||||
enabled: {{ .Values.xwiki.enabled }}
|
||||
|
||||
extraApps:
|
||||
clusterPostfix:
|
||||
enabled: {{ .Values.security.clusterPostfix.enabled }}
|
||||
namespace: {{ .Values.security.clusterPostfix.namespace }}
|
||||
...
|
||||
@@ -24,7 +24,7 @@ postfix:
|
||||
- fileName: "sasl_passwd.map"
|
||||
content:
|
||||
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
|
||||
relayHost: {{ printf "[%s]:[%d]" .Values.smtp.host .Values.smtp.port | quote }}
|
||||
relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
|
||||
relayNets: {{ .Values.cluster.networking.cidr | quote}}
|
||||
virtualTransport: "lmtps:dovecot:24"
|
||||
smtpdSASLPath: "inet:dovecot:3659"
|
||||
|
||||
@@ -24,7 +24,9 @@ job:
|
||||
- username: "matrix_user"
|
||||
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
|
||||
- username: "notificationsapi_user"
|
||||
password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
|
||||
password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
|
||||
- username: "selfservice_user"
|
||||
password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
|
||||
databases:
|
||||
- name: "keycloak"
|
||||
user: "keycloak_user"
|
||||
@@ -37,6 +39,8 @@ job:
|
||||
additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
|
||||
- name: "notificationsapi"
|
||||
user: "notificationsapi_user"
|
||||
- name: "selfservice"
|
||||
user: "selfservice_user"
|
||||
|
||||
persistence:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
@@ -42,7 +42,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-store-dav"
|
||||
chart: "ums-repo/store-dav"
|
||||
version: "0.5.2"
|
||||
version: "0.7.0"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -101,7 +101,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-stack-data-ums"
|
||||
chart: "ums-repo/stack-data-ums"
|
||||
version: "0.36.0"
|
||||
version: "0.38.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -116,7 +116,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-stack-data-swp"
|
||||
chart: "ums-repo/stack-data-swp"
|
||||
version: "0.36.0"
|
||||
version: "0.38.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -131,7 +131,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-portal-server"
|
||||
chart: "ums-repo/portal-server"
|
||||
version: "0.5.0"
|
||||
version: "0.6.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -146,7 +146,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-notifications-api"
|
||||
chart: "ums-repo/notifications-api"
|
||||
version: "0.5.0"
|
||||
version: "0.6.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -161,7 +161,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-portal-listener"
|
||||
chart: "ums-repo/portal-listener"
|
||||
version: "0.5.0"
|
||||
version: "0.6.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
@@ -176,7 +176,7 @@ releases:
|
||||
# dependencyType=vendor
|
||||
- name: "ums-portal-frontend"
|
||||
chart: "ums-repo/portal-frontend"
|
||||
version: "0.5.0"
|
||||
version: "0.6.1"
|
||||
values:
|
||||
- "values-common.gotmpl"
|
||||
- "values-common.yaml"
|
||||
|
||||
@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
|
||||
postgresql:
|
||||
bundled: false
|
||||
connection:
|
||||
host: {{ .Values.databases.notificationsApi.host | quote }}
|
||||
port: {{ .Values.databases.notificationsApi.port | quote }}
|
||||
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
|
||||
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
|
||||
auth:
|
||||
username: {{ .Values.databases.notificationsApi.username | quote }}
|
||||
database: {{ .Values.databases.notificationsApi.name | quote }}
|
||||
password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
|
||||
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
|
||||
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
|
||||
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
|
||||
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
portalListener:
|
||||
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
|
||||
assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
|
||||
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data/" | quote }}
|
||||
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
|
||||
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
ldapHost: {{ .Values.ldap.host | quote }}
|
||||
|
||||
@@ -31,6 +31,9 @@ stackDataContext:
|
||||
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
|
||||
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
||||
|
||||
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
|
||||
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsDataLoader.repository | quote }}
|
||||
|
||||
@@ -11,4 +11,6 @@ stackDataContext:
|
||||
oxDefaultContext: "10"
|
||||
smtpStartTls: true
|
||||
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-stack-data-swp"
|
||||
...
|
||||
|
||||
@@ -12,4 +12,6 @@ stackDataContext:
|
||||
# The openDesk configuration brings its own UMC policies.
|
||||
installUmcPolicies: false
|
||||
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-stack-data-ums"
|
||||
...
|
||||
|
||||
@@ -11,6 +11,19 @@ umcServer:
|
||||
|
||||
smtpSecret: {{ .Values.smtp.password | quote }}
|
||||
|
||||
postgresql:
|
||||
connection:
|
||||
host: {{ .Values.databases.umsSelfservice.host | quote }}
|
||||
port: {{ .Values.databases.umsSelfservice.port | quote }}
|
||||
auth:
|
||||
username: {{ .Values.databases.umsSelfservice.username | quote }}
|
||||
database: {{ .Values.databases.umsSelfservice.name | quote }}
|
||||
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
|
||||
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
|
||||
|
||||
memcached:
|
||||
server: {{ .Values.cache.umsSelfservice.host | quote }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | quote }}
|
||||
repository: {{ .Values.images.umsUmcServer.repository | quote }}
|
||||
|
||||
@@ -43,11 +43,12 @@ extraVolumeMounts:
|
||||
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
|
||||
subPath: "udm-portals-announcement.xml"
|
||||
|
||||
postgresql:
|
||||
bundled: false
|
||||
|
||||
memcached:
|
||||
bundled: false
|
||||
server: "memcached"
|
||||
auth:
|
||||
username: null
|
||||
password: null
|
||||
|
||||
...
|
||||
|
||||
@@ -10,3 +10,4 @@ ingress:
|
||||
- hosts:
|
||||
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
||||
...
|
||||
|
||||
@@ -7,6 +7,8 @@ ingress:
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
fullnameOverride: "ums-stack-gateway"
|
||||
|
||||
# The content of the "serverBlock" does resemble the Ingress configuration of
|
||||
# the UMS components. The "location" entries do intentionally reflect precisely
|
||||
# the respective paths which are configured.
|
||||
@@ -15,7 +17,8 @@ serverBlock: |
|
||||
listen 8080;
|
||||
|
||||
## portal-frontend
|
||||
# The frontend does not own "/univention/portal", only these two bits
|
||||
# The frontend does not own "/univention/portal" nor
|
||||
# "/univention/selfservice", only these two bits
|
||||
location = /univention/portal/ {
|
||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80/;
|
||||
@@ -24,6 +27,10 @@ serverBlock: |
|
||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80/;
|
||||
}
|
||||
location = /univention/selfservice/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80/;
|
||||
}
|
||||
|
||||
# The following prefixes are owned by the frontend
|
||||
location /univention/portal/css/ {
|
||||
@@ -50,6 +57,30 @@ serverBlock: |
|
||||
rewrite ^/univention/portal(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
location /univention/selfservice/css/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
location /univention/selfservice/fonts/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
location /univention/selfservice/i18n/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
location /univention/selfservice/media/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
location /univention/selfservice/js/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
location /univention/selfservice/oidc/ {
|
||||
rewrite ^/univention/selfservice(/.*)$ $1 break;
|
||||
proxy_pass http://ums-portal-frontend:80;
|
||||
}
|
||||
|
||||
|
||||
## frontend redirects
|
||||
@@ -69,12 +100,19 @@ serverBlock: |
|
||||
absolute_redirect off;
|
||||
return 302 /univention/portal/;
|
||||
}
|
||||
location = /univention/selfservice {
|
||||
absolute_redirect off;
|
||||
return 302 /univention/selfservice/;
|
||||
}
|
||||
|
||||
|
||||
## portal-server
|
||||
location = /univention/portal/portal.json {
|
||||
proxy_pass http://ums-portal-server:80;
|
||||
}
|
||||
location = /univention/selfservice/portal.json {
|
||||
proxy_pass http://ums-portal-server:80;
|
||||
}
|
||||
location = /univention/portal/navigation.json {
|
||||
proxy_pass http://ums-portal-server:80;
|
||||
}
|
||||
@@ -89,6 +127,14 @@ serverBlock: |
|
||||
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
}
|
||||
location /univention/selfservice/icons/entries/ {
|
||||
rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
}
|
||||
location /univention/selfservice/icons/logos/ {
|
||||
rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
}
|
||||
|
||||
|
||||
## udm-rest-api
|
||||
@@ -128,27 +174,27 @@ serverBlock: |
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
location /univention/logout/ {
|
||||
location /univention/logout {
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
location /univention/saml/ {
|
||||
location /univention/saml {
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
location /univention/get/ {
|
||||
location /univention/get {
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
location /univention/set/ {
|
||||
location /univention/set {
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
location /univention/command/ {
|
||||
location /univention/command {
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
location /univention/upload/ {
|
||||
location /univention/upload {
|
||||
rewrite ^/univention(/.*)$ $1 break;
|
||||
proxy_pass http://ums-umc-server:80;
|
||||
}
|
||||
|
||||
@@ -2,7 +2,14 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
|
||||
customConfigs:
|
||||
xwiki.cfg:
|
||||
@@ -87,6 +94,9 @@ properties:
|
||||
|
||||
securityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
service:
|
||||
externalPort: 80
|
||||
|
||||
@@ -13,4 +13,7 @@ cache:
|
||||
openproject:
|
||||
host: "memcached"
|
||||
port: 11211
|
||||
umsSelfservice:
|
||||
host: "memcached"
|
||||
port: 11211
|
||||
...
|
||||
|
||||
@@ -19,12 +19,6 @@ databases:
|
||||
host: "mariadb"
|
||||
username: "nextcloud_user"
|
||||
password: ""
|
||||
notificationsApi:
|
||||
name: "notificationsapi"
|
||||
host: "postgresql"
|
||||
port: 5432
|
||||
username: "notificationsapi_user"
|
||||
password: ""
|
||||
openproject:
|
||||
name: "openproject"
|
||||
host: "postgresql"
|
||||
@@ -42,6 +36,18 @@ databases:
|
||||
username: "matrix_user"
|
||||
password: ""
|
||||
port: 5432
|
||||
umsNotificationsApi:
|
||||
name: "notificationsapi"
|
||||
host: "postgresql"
|
||||
port: 5432
|
||||
username: "notificationsapi_user"
|
||||
password: ""
|
||||
umsSelfservice:
|
||||
name: "selfservice"
|
||||
host: "postgresql"
|
||||
port: 5432
|
||||
username: "selfservice_user"
|
||||
password: ""
|
||||
xwiki:
|
||||
name: "xwiki"
|
||||
host: "mariadb"
|
||||
|
||||
@@ -35,7 +35,7 @@ images:
|
||||
# registryUrl=https://registry.souvap-univention.de
|
||||
# dependencyType=vendor
|
||||
repository: "souvap/tooling/images/element-web"
|
||||
tag: "1.6.0@sha256:a71cbd75ee88471e3df59f26a2a37b9b8ff83d2f71f726053acd381ecd87e234"
|
||||
tag: "1.7.0@sha256:b8b59aff8ed3eb07dc22cec123a2d04acaf435f5637148698183773a695444c2"
|
||||
# @supplier: "Element"
|
||||
freshclam:
|
||||
# renovate:
|
||||
@@ -149,21 +149,21 @@ images:
|
||||
# registryUrl=https://ghcr.io
|
||||
# dependencyType=vendor
|
||||
repository: "nordeck/matrix-neoboard-widget"
|
||||
tag: "1.0.0@sha256:584b9c18ea3dfd4b7f1e73f3e114bc1dcd5731b400a8d037576bf2a797c8b086"
|
||||
tag: "1.4.0@sha256:da04d6c3c3e07ec1fcb6ecec245adc48897f107a2ab84c39d8924de951744d9f"
|
||||
# @supplier: "Nordeck"
|
||||
matrixNeoChoiceWidget:
|
||||
# renovate:
|
||||
# registryUrl=https://ghcr.io
|
||||
# dependencyType=vendor
|
||||
repository: "nordeck/matrix-poll-widget"
|
||||
tag: "1.3.0@sha256:19d2c8c7a15fe7d12c4a83a89310831da12323fd45ff0280cce808f1be0c7e0b"
|
||||
tag: "1.3.1@sha256:ba7a0bcbcf278df523cef8d230dc44f31ef86f8aefe6dbea7d832b7234ff5c7a"
|
||||
# @supplier: "Nordeck"
|
||||
matrixNeoDateFixBot:
|
||||
# renovate:
|
||||
# registryUrl=https://ghcr.io
|
||||
# dependencyType=vendor
|
||||
repository: "nordeck/matrix-meetings-bot"
|
||||
tag: "2.4.2@sha256:f5b3362560255470076f3e6c95a0dd93a8f781398afb992c1e1212764fa87297"
|
||||
tag: "2.5.0@sha256:6ea92f7e48cd71ce2c552cb5222a1d4b3696136e61045bce8456bc52ce02b9c8"
|
||||
# @supplier: "Nordeck"
|
||||
matrixNeoDateFixWidget:
|
||||
# renovate:
|
||||
@@ -205,7 +205,7 @@ images:
|
||||
# registryUrl=https://docker.io
|
||||
# dependencyType=vendor
|
||||
repository: "nextcloud"
|
||||
tag: "27.1.3-apache@sha256:ec46e99164ee7fa5d49e84784833e022be47f9f54f401bcb5a2d789f8c0bc149"
|
||||
tag: "27.1.4-apache@sha256:bd277bec9a8cf7cc009865e15410c05e0f66ccb6269ed96841cc95dd37c214fe"
|
||||
# @supplier: "Nextcloud Community"
|
||||
nextcloudExporter:
|
||||
# renovate:
|
||||
@@ -219,7 +219,7 @@ images:
|
||||
# registryUrl=https://docker.io
|
||||
# dependencyType=vendor
|
||||
repository: "openproject/open_desk"
|
||||
tag: "dev@sha256:3c9d110c0221621530a431b5899ba16956db8253f491a55a220ec642473cb61f"
|
||||
tag: "release-13.1@sha256:1dc528de7e38d9c461188e53b2153b1a5ede374f83dde7b32d9c7c057c802178"
|
||||
# @supplier: "OpenProject"
|
||||
openprojectInitDb:
|
||||
# renovate:
|
||||
@@ -324,8 +324,7 @@ images:
|
||||
# registryUrl=https://registry.souvap-univention.de
|
||||
# dependencyType=vendor
|
||||
repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
|
||||
tag: "branch-jconde-listener-entrypoint-chaining\
|
||||
@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
|
||||
tag: "0.3.4@sha256:db95466170613db46222e63aa0f69de9e60d08c6a409e27905ce5389e4b19074"
|
||||
# @supplier: "Univention"
|
||||
postfix:
|
||||
# renovate:
|
||||
@@ -396,7 +395,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/config-htpasswd"
|
||||
tag: "0.5.2@sha256:c8627e0b73ee1d92f74d2ae8b06e4593ac93b6bbde55d56d0497f3510912924c"
|
||||
tag: "0.7.0@sha256:8ffa8ce61fc55f67cdf740b3cd30e21d979506a1796028f5c6329da344b2e5db"
|
||||
# @supplier: "Univention"
|
||||
umsDataLoader:
|
||||
# renovate:
|
||||
@@ -404,7 +403,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/data-loader"
|
||||
tag: "0.36.0@sha256:045e0e524cbdc93e174ce803a12e67dbb341211f3abbc0029200ee638a0a1eb7"
|
||||
tag: "0.38.1@sha256:cef20b0224571eeda29f19e78340ab7d943e46b02275f9b9497605357be70e61"
|
||||
# @supplier: "Univention"
|
||||
umsLdapNotifier:
|
||||
# renovate:
|
||||
@@ -428,7 +427,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/notifications-api"
|
||||
tag: "0.5.2@sha256:192f0ebb77ec6191d1df1edb2427739c4a69a3733c7d423f55045db5b9209c64"
|
||||
tag: "0.6.1@sha256:bdf0c5ba8b15c2e7f4daaf470254b13837bdc5fbaa98d9f441f33abd565acfc3"
|
||||
# @supplier: "Univention"
|
||||
umsPortalListener:
|
||||
# renovate:
|
||||
@@ -436,7 +435,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-listener"
|
||||
tag: "0.5.2@sha256:a1834a98cf4f4686a74077cb6c2b094429a49875d05801745de7ee13eee38a07"
|
||||
tag: "0.6.1@sha256:c418be054dfb2c6fe0e2e8870553c3b27269ae77b88a59cd6d790201cf7c3d17"
|
||||
# @supplier: "Univention"
|
||||
umsPortalFrontend:
|
||||
# renovate:
|
||||
@@ -444,7 +443,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-frontend"
|
||||
tag: "0.5.2@sha256:aca1d481e23cbba7a33d5f261be6196690a6b7f1e593f7ff96fc6f22edab2c6b"
|
||||
tag: "0.6.1@sha256:0a4dc8ed47fd86eedd7bfd826b4538564194fe951000cff016eaa271382ed822"
|
||||
# @supplier: "Univention"
|
||||
umsPortalServer:
|
||||
# renovate:
|
||||
@@ -452,7 +451,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/portal-server"
|
||||
tag: "0.5.2@sha256:ed982e41ac5b0b81946272acf00f76463901da4f4b3ad50282ec4c73fd4b5833"
|
||||
tag: "0.6.1@sha256:dd9431c8a82e6fca89ef871de90947db2f594a349d634f0b1aa9669d0b3d5715"
|
||||
# @supplier: "Univention"
|
||||
umsWaitForDependency:
|
||||
# renovate:
|
||||
@@ -460,7 +459,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/wait-for-dependency"
|
||||
tag: "0.5.0@sha256:78cfcc52b81f620374c4b827f0055be5339a7dd469d9b8df67e3bed547abd6bc"
|
||||
tag: "0.6.1@sha256:e83fe2d7535167d1d1effe443fca0be431aa551ab31f172a84073b7d9ffec54b"
|
||||
# @supplier: "Univention"
|
||||
umsStoreDav:
|
||||
# renovate:
|
||||
@@ -468,7 +467,7 @@ images:
|
||||
# dependencyType=vendor
|
||||
# This is a preview and not part of the standard deployment.
|
||||
repository: "souvap/tooling/images/univention/store-dav"
|
||||
tag: "0.5.2@sha256:1bc01b883a5ccd2612925e123da10f9d216389701d743f1cea4050633770639f"
|
||||
tag: "0.7.0@sha256:732b0d2fdf320209de04403753d3bc80f9c73a46b237202a95305a332805f305"
|
||||
# @supplier: "Univention"
|
||||
umsUdmRestApi:
|
||||
# renovate:
|
||||
|
||||
16
helmfile/environments/default/objectstore.gotmpl
Normal file
16
helmfile/environments/default/objectstore.gotmpl
Normal file
@@ -0,0 +1,16 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
objectstores:
|
||||
openproject:
|
||||
backend: "minio"
|
||||
bucket: "openproject"
|
||||
endpoint: ""
|
||||
provider: "AWS"
|
||||
region: ""
|
||||
secret: ""
|
||||
username: "openproject_user"
|
||||
useIAMProfile: ""
|
||||
...
|
||||
@@ -38,7 +38,8 @@ secrets:
|
||||
keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
|
||||
matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
|
||||
openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
|
||||
notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
|
||||
umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
|
||||
umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
|
||||
mariadb:
|
||||
rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
|
||||
xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
|
||||
|
||||
10
helmfile/environments/default/security.yaml
Normal file
10
helmfile/environments/default/security.yaml
Normal file
@@ -0,0 +1,10 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
security:
|
||||
otterizeIntents:
|
||||
enabled: false
|
||||
clusterPostfix:
|
||||
enabled: false
|
||||
namespace: ""
|
||||
...
|
||||
53
helmfile/files/gpg-pubkeys/openproject-com.gpg
Normal file
53
helmfile/files/gpg-pubkeys/openproject-com.gpg
Normal file
@@ -0,0 +1,53 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBGVSG3cBEACftfIFs1EO29wSL9kNN057w6S8qSKNRI6DNrGkgYxB/C3JsdTH
|
||||
iNtpv1g1pBbze6Efz/SxaeQ43eqEPkqa9nHBE8ypSWBEzu0EzrDt5bhjpvL4yK1A
|
||||
14T6A7cYm6Qtu+AvMDaJ6UVp1JS+1h4o52zmSvup0bD1xoUnpuhPa7WE0XQOgl3v
|
||||
2X/YBSrQpVV6hwoTWuag9z4qyfsyP/jzTrYtw8e39ff1Fm7jUeKEvmoOuxdH/fD7
|
||||
hGPDcpvDq+5uTXAlWPEMtCoN3uFRqg9BybeKo4VMzFhim334i8x+8vp3kQyT7xi8
|
||||
b72UluDPQur9zwv1T+knQw5T33nP3xqc8BAWo7fy7Co+x7snwprzTWyDq8kIJxyA
|
||||
l3jg/4WNUEdoJkesPtcQUl2lWIP62UZAwIINfOtjzJP7pNNnZrW21Bs/xwPB6lo/
|
||||
TyeLEYQcx6SZH1rPTCE3TlGfXSGI/UpAlMbmxPf4LxcE9J8d4ixUtTxGeMftWceb
|
||||
enn9SX15DIyHC1uO4E0QfUCtwmBTnfOiG7U042zRFD8fZhegq2ZuAxPDvON8sFEC
|
||||
v1y8YlR/j9IYFtgRCsaCuqMlE9VIQSADWHsKTr7l+W4ne5kDzIClzlh+kV0ViJLt
|
||||
SpzGlddHo5GViHmgDeOikRbAji5+jACqh6d5boNWGvflSFQX8FFyOW5rkQARAQAB
|
||||
tGxPcGVuUHJvamVjdCBPcGVyYXRpb25zIFRlYW0gKE9wZW5Qcm9qZWN0IE9wZXJh
|
||||
dGlvbnMgRGVwbG95bWVudCBhbmQgU2lnbmluZyBrZXkpIDxvcGVyYXRpb25zQG9w
|
||||
ZW5wcm9qZWN0LmNvbT6JAk4EEwEIADgWIQTLHKBIinW3Rx6hsIfPVt1qCuJg5QUC
|
||||
ZVIbdwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDPVt1qCuJg5fwwD/wO
|
||||
hTZtfSTmWs+/lgspHtfd+FADCn4yq8eCwEWgtG1YCGjyU0yffAsOaDYaeQtujLk4
|
||||
GYIZypugM9BkclZNhtSRWDQhq0kH9bZLTbD5HqZjaVw8zje3SnmqlrKNXt4R4Emp
|
||||
EHhiQMlJDbjHdTHQQ3xoUqPSwhvW5icFkKO0TdM/DbF7X9CRUBo8Lp2oL6Bfd3Ji
|
||||
TvlLiVVQ3xPPLkH8zN83VsdgYl3oy1TfyOQTLfh3Ws+osf748WQDHbipmuo/dnXs
|
||||
8McNixeHuUaOUK78eSXMcEAesbweHG6hQcpfyMcHdB1Q/2eoqUGpTvvLLQ+ChOmJ
|
||||
rNNiZAUC8GpD2dxVtODr81vSS7FJNQfXIC4pOJGPXqoZBXajuD95zbRQUO/ndG4i
|
||||
CETkkcSY1m7BAbPV1uWDOpnMhxG+lzoVraQjKkXJQByakRnTyQWeZW96iLp/2E3H
|
||||
vYJ54wfw1DdpnaB8c/x4izwODjTQpMVDXzJ6I/snL5Yd/GJJplDqz4d031dbcwHR
|
||||
eHPUKerI8WLjj6+MF1j34gsd9pvWGPoR69RaYDrA3Hnq+DJL4omMpr7GrSr2KJ8N
|
||||
/RmYP4Y4dJ5N0sNuEt096AHx1aAduYGnQv67M4d6v9E7ZqugfifTvF4Aq68Vp4Pv
|
||||
eOgG5oVLLZU/h7EO6t7uHJgWw+ozJq/nTVb698nK2rkCDQRlUht3ARAAuvNrUSAA
|
||||
8Dqzi98RRhQ52KUGzub9OKZ/VfsaD1AINiG0CNYNXgUcCzWqXIs+wXRfyziS+x8G
|
||||
WGkqN4MCPe6k3KYuKw94t//aZZ8T1iN8QyjMCfn5VGnwq36rXLcmfvlec5r6opZe
|
||||
I0I+SzSbR2gXNWbU4on4fCVP8ZJc8luNC+mD0qUqP9KGJA6moCbc4eDwKi3sdyh7
|
||||
4wNdDNq0WbTPFoxuJUAlcZjrJhwgjMe+tvRTVyJl3Yi8hth83R8PKic8S84lDZxR
|
||||
KTydu7zl2yFTBi+3jQS+UUIze2Gdfj4Mh5ClLQj55bIPOzHxSAakITo5RNzmiQTV
|
||||
pVGTrO2XYiygO6XgvLOhsumO37nsXOR0zPldbXUrLTY1J4srcn9MB1UikWLGqKqj
|
||||
fgdhyv/I9t3ARBMmj8VASOBjgKN4juNir+AAm1lg/5NZf1YGVTsCVRhwF56kQLyl
|
||||
D3TXkIJPnWvNminknvgpPMzWmR+alh2+Fh16FC53zfXHp5d2Ggk6gcWh2bvD87AQ
|
||||
avNiQtEGv84qEEAqAyiy03OFWeYnxh2BC+J/XWsvP8ZlCSICtEqOnNCqErabB1na
|
||||
0Lb6gOmxuY4Mk4N+TK+975iYDYmAH0o7Z58x/YAfUpSWqrx4C6Jz/F6GYtV2cl9B
|
||||
v3FyU0230LrMssb9XDsP6YU7SoJDaonWNPMAEQEAAYkCNgQYAQgAIBYhBMscoEiK
|
||||
dbdHHqGwh89W3WoK4mDlBQJlUht3AhsMAAoJEM9W3WoK4mDlrVcP/ind6InjSM61
|
||||
E3CUCrS0ahZgYGZL2lPJopnPzvB662IUWMjG8f5rfDoOweI9WiWoJkkg5XvVvt2V
|
||||
RkMoG3FIpGzh760olcNhhIKxgU2IRl2a+uo8QMXakgFFdN+X7uHgro1uu0ftzas4
|
||||
YFyQyBDJYobCZlHlGiF1b/z7JDpY2zQWqBR8bNXlphtDIC6pk5haaJdy8WDG3Yns
|
||||
JT0R74S1xTIKXjU5YK3QE1kulMJFDB+b+c9RkqVsAmuOZyPqfU7I+KlemuxKgZgI
|
||||
5rzoFzkDVcWmaozogOLOM2VSSBiTXxIhHYK9uPYuCttIF4biRjWzaVvfTJjf+KPn
|
||||
6oq0+u7vLfWRomMa+y4na5vrcVifivPNqQphPVU6F6v3f3GK4FpbrQmXli2L5rUL
|
||||
lIDiKDTUtoHP/BnOvz2zXHEY7hfWh4xrEskMXhIiJNIr+UmG/PSjbY/rbPFA1o5b
|
||||
Ln/i8y2UMmSRGvK5i2n9OhaLkMUiL0qLyRnzPXk+2cjvNdp2q1spiz107EigHqKq
|
||||
UXUdRUNX7RtW3gAZRrMple6AHTrQhZhdO2uksMg4YaP/KjKx/GqFty1qwSPF4Zum
|
||||
gfslJ6EB53uJJt9awcGFdFLHHci5ClEH9aGrboWlhx0erFKEcfjCnh8dAA/1UQ0R
|
||||
Ecu2CcmkBOHGAnMirYCSEZqu9Uz+9g7P
|
||||
=nG7D
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
2
helmfile/files/gpg-pubkeys/openproject-com.gpg.license
Normal file
2
helmfile/files/gpg-pubkeys/openproject-com.gpg.license
Normal file
@@ -0,0 +1,2 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
Reference in New Issue
Block a user