sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 23:41:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.5.74
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
..
compare: sheppy:v0.5.76
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

12 Commits
v0.5.74 ... v0.5.76

Author SHA1 Message Date
push_from_gitlab_souvap-univention_de
f05acb57c9 chore(release): 0.5.76 [skip ci] 
## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)

### Bug Fixes

* **nextcloud:** Correct indent in monitoring resources ([bea1413](bea1413b86))
* **services:** Monitoring for minio with correct labels and there are no prometheusRule ([af63e5c](af63e5c18d))
* **univention-management-stack:** Fix external registry for nats charts ([cbb33b9](cbb33b922d))
 2024-01-24 17:15:48 +00:00
Martin Müller
bea1413b86 fix(nextcloud): Correct indent in monitoring resources 2024-01-24 16:11:51 +00:00
Martin Müller
af63e5c18d fix(services): Monitoring for minio with correct labels and there are no prometheusRule 2024-01-24 16:11:51 +00:00
Dominik Kaminski
cbb33b922d fix(univention-management-stack): Fix external registry for nats charts 2024-01-24 16:48:48 +01:00
push_from_gitlab_souvap-univention_de
02f41a2f1a chore(release): 0.5.75 [skip ci] 
## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)

### Bug Fixes

* **ci:** Add Kyverno CI Lint ([e778a59](e778a59cdd))
* **helmfile:** Cleanup and small conformity fixes ([db0a544](db0a544155))
* **helmfile:** Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([a49daa6](a49daa6fa2))
* **helmfile:** Split image and helm registry ([89c149a](89c149af95))
* **univention-management-stack:** UMC secure session cookie ([67f7c05](67f7c05038))
* **univention-management-stack:** Update guardian to version 2 ([a99f338](a99f3389dc))
 2024-01-24 11:50:24 +00:00
Dominik Kaminski
e778a59cdd fix(ci): Add Kyverno CI Lint 2024-01-23 21:07:56 +01:00
jconde
67f7c05038 fix(univention-management-stack): UMC secure session cookie 2024-01-23 06:28:43 +00:00
Martin Müller
89c149af95 fix(helmfile): Split image and helm registry 2024-01-23 07:25:38 +01:00
Oliver Günther
3630f583b5 chore(openproject): Bump version to 13.2.0 2024-01-18 13:39:53 +01:00
jconde
a99f3389dc fix(univention-management-stack): Update guardian to version 2 
fix(univention-management-stack): Otterize version for umc-server
 2024-01-17 11:39:34 +01:00
Thorsten Roßner
a49daa6fa2 fix(helmfile): Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element 2024-01-16 11:50:26 +01:00
Thorsten Roßner
db0a544155 fix(helmfile): Cleanup and small conformity fixes 2024-01-16 11:49:04 +01:00
136 changed files with 2523 additions and 1899 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -6,5 +6,8 @@
# Ignore changes to sample environments # Ignore changes to sample environments
helmfile/environments/dev/values.yaml.gotmpl helmfile/environments/dev/values.yaml.gotmpl
helmfile/environments/test/values.yaml.gotmpl
helmfile/environments/prod/values.yaml.gotmpl helmfile/environments/prod/values.yaml.gotmpl
# Ignore in CI generated files
.kyverno/opendesk.yaml
.kyverno/kyverno-test.yaml

77
.gitlab-ci.yml
View File

@@ -12,6 +12,16 @@ include:
file: "gitlab/environments.yaml" file: "gitlab/environments.yaml"
rules: rules:
- if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'" - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
- local: "/.gitlab/lint/lint-opendesk.yml"
rules:
- if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
- local: "/.gitlab/lint/lint-kyverno.yml"
rules:
- if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
stages: stages:
- ".pre" - ".pre"
@@ -132,22 +142,13 @@ variables:
TESTS_BRANCH: TESTS_BRANCH:
description: "Branch of E2E-tests on which the test pipeline is triggered" description: "Branch of E2E-tests on which the test pipeline is triggered"
value: "main" value: "main"
RUN_UMS_TESTS:
description: "Run E2E test suite of SouvAP Dev team"
value: "no"
options:
- "yes"
- "no"
UMS_TESTS_BRANCH:
description: "Branch of E2E test suite of SouvAP Dev team"
value: "main"
.deploy-common: .deploy-common:
cache: {} cache: {}
dependencies: [] dependencies: []
extends: ".environments" extends: ".environments"
image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\ image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
@sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5" @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
script: script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}" - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -443,34 +444,6 @@ run-tests:
}" \ }" \
"https://${TESTS_PROJECT_URL}/trigger/pipeline" "https://${TESTS_PROJECT_URL}/trigger/pipeline"
run-souvap-dev-tests:
extends: ".deploy-common"
environment:
name: "${NAMESPACE}"
stage: "tests"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
when: "on_success"
script:
- *ums-default-password
- |
curl --request POST \
--header "Content-Type: application/json" \
--data "{ \
\"ref\": \"${UMS_TESTS_BRANCH}\", \
\"token\": \"${CI_JOB_TOKEN}\", \
\"variables\": { \
\"portal_base_url\": \"https://portal.${DOMAIN}\", \
\"username\": \"${DEFAULT_USER_NAME}\", \
\"password\": \"${DEFAULT_USER_PASSWORD}\", \
\"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
\"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
\"keycloak_base_url\": \"https://id.${DOMAIN}\" \
} \
}" \
"https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
avscan-prepare: avscan-prepare:
stage: ".pre" stage: ".pre"
rules: rules:
@@ -554,22 +527,6 @@ generate-release-assets:
variables: variables:
ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator" ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
opendesk-linter:
cache: {}
image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
needs: []
rules:
- if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never"
- when: "always"
script:
- "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
- "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
- "git diff --exit-code"
stage: "lint"
tags:
- "docker"
# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false. # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
# 'cache' is used because job must contain at least one key, so cache is just a dummy key. # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
.environments: .environments:
@@ -580,14 +537,12 @@ opendesk-linter:
image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest" image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
tags: [] tags: []
conventional-commits-linter: conventional-commits-linter:
rules: rules:
- if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'" - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
when: "never" when: "never"
- when: "always" - when: "always"
common-yaml-linter: common-yaml-linter:
rules: rules:
- if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'" - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -652,7 +607,13 @@ release:
"@semantic-release/release-notes-generator", "@semantic-release/release-notes-generator",
"@semantic-release/changelog", "@semantic-release/changelog",
["@semantic-release/git", { ["@semantic-release/git", {
"assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"], "assets": [
"charts/**/Chart.yaml",
"CHANGELOG.md",
"charts/**/README.md",
"helmfile/environments/default/global.generated.yaml",
".kyverno/kyverno-test.yaml"
],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}] }]
] ]

17
.gitlab/lint/lint-common.yml Normal file
View File

@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
@sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
@sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
.lint-common:
cache: {}
needs: []
stage: "lint"
tags:
- "docker"
...

35
.gitlab/lint/lint-kyverno.yml Normal file
View File

@@ -0,0 +1,35 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/lint/lint-common.yml"
lint-kyverno:
allow_failure: true
extends: ".lint-common"
image: "${OPENDESK_LINT_IMAGE}"
parallel:
matrix:
- APP:
- "collabora"
- "cryptpad"
- "element"
- "intercom-service"
- "jitsi"
- "nextcloud"
- "open-xchange"
- "openproject"
- "openproject-bootstrap"
- "provisioning"
- "services"
- "univention-management-stack"
- "xwiki"
script:
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
- "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
- "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
- "cd ${CI_PROJECT_DIR}/.kyverno"
- "kyverno test ."
...

13
.gitlab/lint/lint-opendesk.yml Normal file
View File

@@ -0,0 +1,13 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/lint/lint-common.yml"
lint-opendesk:
extends: ".lint-common"
image: "${OPENDESK_CI_CLI_IMAGE}"
script:
- "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
- "git diff --exit-code"
...

279
.kyverno/_apps.yaml Normal file
View File

@@ -0,0 +1,279 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- resource: "mariadb"
kind: "StatefulSet"
app: "services"
- resource: "postgresql"
kind: "StatefulSet"
app: "services"
- resource: "clamav-simple"
kind: "StatefulSet"
app: "services"
- resource: "redis-master"
kind: "StatefulSet"
app: "services"
- resource: "ums-store-dav"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-server"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-ldap-notifier"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-portal-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-selfservice-listener"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-provisioning-nats"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-management-ui"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-guardian-authorization-api"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "ums-open-policy-agent"
kind: "StatefulSet"
app: "univention-management-stack"
- resource: "open-xchange-core-mw-default"
kind: "StatefulSet"
app: "open-xchange"
- resource: "jitsi-prosody"
kind: "StatefulSet"
app: "jitsi"
- resource: "opendesk-synapse"
kind: "StatefulSet"
app: "element"
- resource: "xwiki"
kind: "StatefulSet"
app: "xwiki"
- resource: "ox-connector"
kind: "StatefulSet"
app: "provisioning"
- resource: "minio"
kind: "Deployment"
app: "services"
- resource: "cryptpad"
kind: "Deployment"
app: "cryptpad"
- resource: "memcached"
kind: "Deployment"
app: "services"
- resource: "postfix"
kind: "Deployment"
app: "services"
- resource: "ums-keycloak"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-stack-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-udm-rest-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-notifications-api"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-portal-frontend"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-gateway"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-umc-server"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-provisioning-nats-box"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-handler"
kind: "Deployment"
app: "univention-management-stack"
- resource: "ums-keycloak-extensions-proxy"
kind: "Deployment"
app: "univention-management-stack"
- resource: "intercom-service"
kind: "Deployment"
app: "intercom-service"
- resource: "dovecot"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-documentconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-guidedtours"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-imageconverter"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-gotenberg"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui-middleware-updater"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-core-user-guide"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-guard-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-nextcloud-integration-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "open-xchange-public-sector-ui"
kind: "Deployment"
app: "open-xchange"
- resource: "opendesk-nextcloud-apache2"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-exporter"
kind: "Deployment"
app: "nextcloud"
- resource: "opendesk-nextcloud-php"
kind: "Deployment"
app: "nextcloud"
- resource: "collabora"
kind: "Deployment"
app: "collabora"
- resource: "jitsi-jibri"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jicofo"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-jvb"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-web"
kind: "Deployment"
app: "jitsi"
- resource: "jitsi-opendesk-jitsi-keycloak-adapter"
kind: "Deployment"
app: "jitsi"
- resource: "opendesk-element"
kind: "Deployment"
app: "element"
- resource: "opendesk-well-known"
kind: "Deployment"
app: "element"
- resource: "opendesk-synapse-web"
kind: "Deployment"
app: "element"
- resource: "opendesk-matrix-user-verification-service"
kind: "Deployment"
app: "element"
- resource: "matrix-neoboard-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neochoice-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-widget"
kind: "Deployment"
app: "element"
- resource: "matrix-neodatefix-bot"
kind: "Deployment"
app: "element"
- resource: "openproject-web"
kind: "Deployment"
app: "openproject"
- resource: "openproject-worker"
kind: "Deployment"
app: "openproject"
- resource: "mariadb-bootstrap"
kind: "Job"
app: "services"
- resource: "postgresql-bootstrap"
kind: "Job"
app: "services"
- resource: "minio-provisioning"
kind: "Job"
app: "services"
- resource: "ums-stack-data-ums-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-stack-data-swp-1"
kind: "Job"
app: "univention-management-stack"
- resource: "ums-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-keycloak-bootstrap-bootstrap-1"
kind: "Job"
app: "univention-management-stack"
- resource: "opendesk-open-xchange-bootstrap"
kind: "Job"
app: "open-xchange"
- resource: "opendesk-nextcloud-management-1"
kind: "Job"
app: "nextcloud"
- resource: "jitsi-opendesk-jitsi"
kind: "Job"
app: "jitsi"
- resource: "opendesk-matrix-user-verification-service-bootstrap"
kind: "Job"
app: "element"
- resource: "matrix-neodatefix-bot-bootstrap"
kind: "Job"
app: "element"
- resource: "opendesk-openproject-bootstrap-bootstrap-1"
kind: "Job"
app: "openproject-bootstrap"
# # Has timestamp in resource name - not supported yet.
# - resource: "openproject-seeder-*"
# kind: "Job"
# - resource: "ums-store-dav-test-connection"
# kind: "Pod"
# - resource: "ums-udm-rest-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-server-test-connection"
# kind: "Pod"
# - resource: "ums-notifications-api-test-connection"
# kind: "Pod"
# - resource: "ums-portal-frontend-test-connection"
# kind: "Pod"
# - resource: "ums-provisioning-nats-test-request-reply"
# kind: "Pod"
# - resource: "ums-provisioning-provisioning-api-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-guidedtours-test-connection"
# kind: "Pod"
# - resource: "open-xchange-gotenberg-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-core-user-guide-test-connection"
# kind: "Pod"
# - resource: "open-xchange-guard-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-nextcloud-integration-ui-test-connection"
# kind: "Pod"
# - resource: "open-xchange-public-sector-ui-test-connection"
# kind: "Pod"
# - resource: "jitsi-prosody-test-connection"
# kind: "Pod"
# - resource: "jitsi-web-test-connection"
# kind: "Pod"
# - resource: "openproject-test-connection"
# kind: "Pod"
...

55
.kyverno/policies/_policies.yaml Normal file
View File

@@ -0,0 +1,55 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- name: "require-tag-and-digest"
rule: "require-tag-and-digest"
type: "required"
- name: "disallow-default-serviceaccount"
rule: "require-sa"
type: "required"
- name: "require-imagepullsecrets"
rule: "require-imagepullsecrets"
type: "required"
- name: "disallow-latest-tag"
rule: "validate-image-tag"
type: "required"
- name: "require-imagepullpolicy-always"
rule: "require-imagepullpolicy-always"
type: "required"
- name: "require-health-and-liveness-check"
rule: "require-health-and-liveness-check"
type: "required"
excludeKinds:
- "Job"
- name: "require-requests-limits"
rule: "validate-resources"
type: "required"
- name: "restrict-image-registries"
rule: "validate-registries"
type: "required"
- name: "require-containersecuritycontext"
rule: "require-ro-rootfs"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-no-privilege-escalation"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-all-capabilities-dropped"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-no-privileged"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-run-as-user"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-run-as-group"
type: "optional"
- name: "require-containersecuritycontext"
rule: "require-seccomp-profile"
type: "required"
- name: "require-containersecuritycontext"
rule: "require-run-as-non-root"
type: "optional"
...

22
.kyverno/policies/disallow-default-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,22 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "disallow-default-serviceaccount"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-sa"
validate:
message: "serviceAccountName must be set to anything other than 'default'."
pattern:
spec:
serviceAccountName: "!default"
validationFailureAction: "audit"
...

27
.kyverno/policies/disallow-latest-tag.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "disallow-latest-tag"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "validate-image-tag"
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
pattern:
spec:
=(ephemeralContainers):
- image: "!*:latest"
=(initContainers):
- image: "!*:latest"
containers:
- image: "!*:latest"
validationFailureAction: "audit"
...

173
.kyverno/policies/require-containersecuritycontext.yaml Normal file
View File

@@ -0,0 +1,173 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-containersecuritycontext"
spec:
background: true
rules:
- name: "require-ro-rootfs"
match:
resources:
kinds:
- "Pod"
validate:
message: "Root filesystem must be read-only."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
readOnlyRootFilesystem: true
=(initContainers):
- securityContext:
readOnlyRootFilesystem: true
containers:
- securityContext:
readOnlyRootFilesystem: true
- name: "require-no-privilege-escalation"
match:
resources:
kinds:
- "Pod"
validate:
message: "Disallow privilege escalation."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
allowPrivilegeEscalation: false
=(initContainers):
- securityContext:
allowPrivilegeEscalation: false
containers:
- securityContext:
allowPrivilegeEscalation: false
- name: "require-all-capabilities-dropped"
match:
resources:
kinds:
- "Pod"
validate:
message: "Required to drop ALL linux capabilities."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
capabilities:
drop:
- "ALL"
=(initContainers):
- securityContext:
capabilities:
drop:
- "ALL"
containers:
- securityContext:
capabilities:
drop:
- "ALL"
- name: "require-no-privileged"
match:
resources:
kinds:
- "Pod"
validate:
message: "Disallow privileged container."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
privileged: false
=(initContainers):
- securityContext:
privileged: false
containers:
- securityContext:
privileged: false
- name: "require-run-as-user"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must run as non-root user."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
runAsUser: ">0"
=(initContainers):
- securityContext:
runAsUser: ">0"
containers:
- securityContext:
runAsUser: ">0"
- name: "require-run-as-group"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must run as non-root group."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
runAsGroup: ">0"
=(initContainers):
- securityContext:
runAsGroup: ">0"
containers:
- securityContext:
runAsGroup: ">0"
- name: "require-seccomp-profile"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must have seccompProfile"
pattern:
spec:
=(ephemeralContainers):
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
=(initContainers):
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
containers:
- securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
- name: "require-run-as-non-root"
match:
resources:
kinds:
- "Pod"
validate:
message: "Container must run in non-root mode."
pattern:
spec:
=(ephemeralContainers):
- securityContext:
runAsNonRoot: true
=(initContainers):
- securityContext:
runAsNonRoot: true
containers:
- securityContext:
runAsNonRoot: true
validationFailureAction: "audit"
...

27
.kyverno/policies/require-health-and-liveness-check.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-health-and-liveness-check"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-health-and-liveness-check"
validate:
message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
must be set to a value greater than 0."
pattern:
spec:
containers:
- livenessProbe:
periodSeconds: ">0"
readinessProbe:
periodSeconds: ">0"
validationFailureAction: "audit"
...

40
.kyverno/policies/require-imagepullpolicy-always.yaml Normal file
View File

@@ -0,0 +1,40 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-imagepullpolicy-always"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-imagepullpolicy-always"
validate:
message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
anyPattern:
- spec:
=(ephemeralContainers):
- (image): "*:latest"
imagePullPolicy: "Always"
=(initContainers):
- (image): "*:latest"
imagePullPolicy: "Always"
containers:
- (image): "*:latest"
imagePullPolicy: "Always"
- spec:
=(ephemeralContainers):
- (image): "!*:latest"
imagePullPolicy: "IfNotPresent"
=(initContainers):
- (image): "!*:latest"
imagePullPolicy: "IfNotPresent"
containers:
- (image): "!*:latest"
imagePullPolicy: "IfNotPresent"
validationFailureAction: "audit"
...

23
.kyverno/policies/require-imagepullsecets.yaml Normal file
View File

@@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-imagepullsecrets"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-imagepullsecrets"
validate:
message: "ImagePullSecrets are required."
pattern:
spec:
imagePullSecrets:
- name: "*"
validationFailureAction: "audit"
...

28
.kyverno/policies/require-requests-limits.yaml Normal file
View File

@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-requests-limits"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "validate-resources"
validate:
message: "CPU and memory resource requests and limits are required."
pattern:
spec:
containers:
- resources:
limits:
memory: "?*"
requests:
cpu: "?*"
memory: "?*"
validationFailureAction: "audit"
...

27
.kyverno/policies/require-tag-and-digest.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "require-tag-and-digest"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "require-tag-and-digest"
validate:
message: "An image tag and digest required."
pattern:
spec:
=(ephemeralContainers):
- image: "*:*@sha256:*"
=(initContainers):
- image: "*:*@sha256:*"
containers:
- image: "*:*@sha256:*"
validationFailureAction: "audit"
...

27
.kyverno/policies/restrict-image-registries.yaml Normal file
View File

@@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
name: "restrict-image-registries"
spec:
background: true
rules:
- match:
resources:
kinds:
- "Pod"
name: "validate-registries"
validate:
message: "Unknown image registry."
pattern:
spec:
=(ephemeralContainers):
- image: "external-registry.souvap-univention.de/*"
=(initContainers):
- image: "external-registry.souvap-univention.de/*"
containers:
- image: "external-registry.souvap-univention.de/*"
validationFailureAction: "audit"
...

21
CHANGELOG.md
View File

@@ -1,3 +1,24 @@
## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)
### Bug Fixes
* **nextcloud:** Correct indent in monitoring resources ([bea1413](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bea1413b860aa69cab3bb4a9dfb6d8593594cc25))
* **services:** Monitoring for minio with correct labels and there are no prometheusRule ([af63e5c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/af63e5c18dbd6d7d1e1ebd79ad91c4f994fe7003))
* **univention-management-stack:** Fix external registry for nats charts ([cbb33b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cbb33b922d397467d01a9227f3eb18d789cdc39c))
## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)
### Bug Fixes
* **ci:** Add Kyverno CI Lint ([e778a59](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e778a59cddecc7c73b827e03af5e47ddd5c3dcee))
* **helmfile:** Cleanup and small conformity fixes ([db0a544](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db0a5441550ae08450afc04ef274ff8d19e85138))
* **helmfile:** Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([a49daa6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a49daa6fa27dc7c51c3163b1155eec33b78949f5))
* **helmfile:** Split image and helm registry ([89c149a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/89c149af954a6f0884ae905e55b52e8db9036b05))
* **univention-management-stack:** UMC secure session cookie ([67f7c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/67f7c050387157808f010857395715335b42d767))
* **univention-management-stack:** Update guardian to version 2 ([a99f338](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a99f3389dc90aa89ce2ba4bcfc266a2dfdf15ab9))
## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12) ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12)

2
README.md
View File

@@ -3,7 +3,7 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
SPDX-License-Identifier: Apache-2.0 SPDX-License-Identifier: Apache-2.0
--> -->
![logo](./helmfile/environments/default/theme/logo_portal_background.svg) <h1>openDesk Deployment Automation</h1>
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior. Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.

9
docs/getting-started.md
View File

@@ -12,7 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
* [Customize environment](#customize-environment) * [Customize environment](#customize-environment)
* [Domain](#domain) * [Domain](#domain)
* [Apps](#apps) * [Apps](#apps)
* [Private Helm chart and container image registry](#private-helm-chart-and-container-image-registry) * [Private registries](#private-registries)
* [Cluster capabilities](#cluster-capabilities) * [Cluster capabilities](#cluster-capabilities)
* [Service](#service) * [Service](#service)
* [Networking](#networking) * [Networking](#networking)
@@ -126,7 +126,7 @@ jitsi:
enabled: false enabled: false
``` ```
## Private Helm chart and container image registry ## Private registries
By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases
in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components). in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components).
@@ -137,8 +137,9 @@ like Docker Hub.
Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day
and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you
prefer the use of a private image registry anyway you can configure such for prefer the use of a private image registry anyway you can configure such for
[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting `global.imageRegistry` [your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
like this: - `global.imageRegistry` for a private image registry and
- `global.helmRegistry` for a private Helm chart registry.
```yaml ```yaml
global: global:

4
docs/requirements.md
View File

@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
This section covers the internal system requirements as well as external service requirements for productive use. This section covers the internal system requirements as well as external service requirements for productive use.
<!-- TOC --> <!-- TOC -->
* [TL;DR;](#tldr) * [tl;dr](#tldr)
* [Hardware](#hardware) * [Hardware](#hardware)
* [Kubernetes](#kubernetes) * [Kubernetes](#kubernetes)
* [Ingress controller](#ingress-controller) * [Ingress controller](#ingress-controller)
@@ -17,7 +17,7 @@ This section covers the internal system requirements as well as external service
* [Deployment](#deployment) * [Deployment](#deployment)
<!-- TOC --> <!-- TOC -->
# TL;DR; # tl;dr
openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster. openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/) - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)

2
helmfile/apps/collabora/helmfile.yaml
View File

@@ -11,7 +11,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.collabora.registry }}/\ url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
{{ .Values.charts.collabora.repository }}" {{ .Values.charts.collabora.repository }}"
releases: releases:

5
helmfile/apps/cryptpad/helmfile.yaml
View File

@@ -13,15 +13,14 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
releases: releases:
- name: "cryptpad" - name: "cryptpad"
chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}" chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
version: "{{ .Values.charts.cryptpad.version }}" version: "{{ .Values.charts.cryptpad.version }}"
values: values:
- "values.yaml" - "values.yaml.gotmpl"
- "values.gotmpl"
installed: {{ .Values.cryptpad.enabled }} installed: {{ .Values.cryptpad.enabled }}
commonLabels: commonLabels:

33
helmfile/apps/cryptpad/values.gotmpl
View File

@@ -1,33 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
...

27
helmfile/apps/cryptpad/values.yaml → helmfile/apps/cryptpad/values.yaml.gotmpl
View File

@@ -22,9 +22,30 @@ enableEmbedding: true
fullnameOverride: "cryptpad" fullnameOverride: "cryptpad"
image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
tag: {{ .Values.images.cryptpad.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress: ingress:
enabled: {{ .Values.ingress.enabled }}
annotations: annotations:
nginx.org/websocket-services: "cryptpad" nginx.org/websocket-services: "cryptpad"
className: {{ .Values.ingress.ingressClassName | quote }}
hosts:
- host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
paths:
- path: "/"
pathType: "ImplementationSpecific"
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
persistence: persistence:
enabled: false enabled: false
@@ -32,6 +53,11 @@ persistence:
podSecurityContext: podSecurityContext:
fsGroup: 4001 fsGroup: 4001
replicaCount: {{ .Values.replicas.cryptpad }}
resources:
{{ .Values.resources.cryptpad | toYaml | nindent 2 }}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -48,4 +74,5 @@ serviceAccount:
create: true create: true
workloadStateful: false workloadStateful: false
... ...

53
helmfile/apps/element/helmfile.yaml
View File

@@ -13,35 +13,35 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
- name: "element-well-known-repo" - name: "element-well-known-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.elementWellKnown.verify }} verify: {{ .Values.charts.elementWellKnown.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
- name: "synapse-web-repo" - name: "synapse-web-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.synapseWeb.verify }} verify: {{ .Values.charts.synapseWeb.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
- name: "synapse-repo" - name: "synapse-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.synapse.verify }} verify: {{ .Values.charts.synapse.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
- name: "synapse-create-account-repo" - name: "synapse-create-account-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.synapseCreateAccount.verify }} verify: {{ .Values.charts.synapseCreateAccount.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
# openDesk Matrix Widgets # openDesk Matrix Widgets
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -51,7 +51,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\ url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
{{ .Values.charts.matrixUserVerificationService.repository }}" {{ .Values.charts.matrixUserVerificationService.repository }}"
- name: "matrix-neoboard-widget-repo" - name: "matrix-neoboard-widget-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -59,28 +59,28 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neochoice-widget-repo" - name: "matrix-neochoice-widget-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.matrixNeoboardWidget.verify }} verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
- name: "matrix-neodatefix-widget-repo" - name: "matrix-neodatefix-widget-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.matrixNeodatefixWidget.verify }} verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
- name: "matrix-neodatefix-bot-repo" - name: "matrix-neodatefix-bot-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.matrixNeodatefixBot.verify }} verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
releases: releases:
@@ -88,8 +88,7 @@ releases:
chart: "element-repo/{{ .Values.charts.element.name }}" chart: "element-repo/{{ .Values.charts.element.name }}"
version: "{{ .Values.charts.element.version }}" version: "{{ .Values.charts.element.version }}"
values: values:
- "values-element.yaml" - "values-element.yaml.gotmpl"
- "values-element.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -97,8 +96,7 @@ releases:
chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}" chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
version: "{{ .Values.charts.elementWellKnown.version }}" version: "{{ .Values.charts.elementWellKnown.version }}"
values: values:
- "values-well-known.yaml" - "values-well-known.yaml.gotmpl"
- "values-well-known.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -106,8 +104,7 @@ releases:
chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}" chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
version: "{{ .Values.charts.synapseWeb.version }}" version: "{{ .Values.charts.synapseWeb.version }}"
values: values:
- "values-synapse-web.yaml" - "values-synapse-web.yaml.gotmpl"
- "values-synapse-web.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -115,8 +112,7 @@ releases:
chart: "synapse-repo/{{ .Values.charts.synapse.name }}" chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
version: "{{ .Values.charts.synapse.version }}" version: "{{ .Values.charts.synapse.version }}"
values: values:
- "values-synapse.yaml" - "values-synapse.yaml.gotmpl"
- "values-synapse.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -124,8 +120,7 @@ releases:
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}" chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}" version: "{{ .Values.charts.synapseCreateAccount.version }}"
values: values:
- "values-matrix-user-verification-service-bootstrap.yaml" - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
- "values-matrix-user-verification-service-bootstrap.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -133,8 +128,7 @@ releases:
chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}" chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
version: "{{ .Values.charts.matrixUserVerificationService.version }}" version: "{{ .Values.charts.matrixUserVerificationService.version }}"
values: values:
- "values-matrix-user-verification-service.yaml" - "values-matrix-user-verification-service.yaml.gotmpl"
- "values-matrix-user-verification-service.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -142,8 +136,7 @@ releases:
chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}" chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
version: "{{ .Values.charts.matrixNeoboardWidget.version }}" version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
values: values:
- "values-matrix-neoboard-widget.yaml" - "values-matrix-neoboard-widget.yaml.gotmpl"
- "values-matrix-neoboard-widget.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -151,8 +144,7 @@ releases:
chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}" chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
version: "{{ .Values.charts.matrixNeochoiseWidget.version }}" version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
values: values:
- "values-matrix-neochoice-widget.yaml" - "values-matrix-neochoice-widget.yaml.gotmpl"
- "values-matrix-neochoice-widget.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -160,8 +152,7 @@ releases:
chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}" chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
version: "{{ .Values.charts.matrixNeodatefixWidget.version }}" version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
values: values:
- "values-matrix-neodatefix-widget.yaml" - "values-matrix-neodatefix-widget.yaml.gotmpl"
- "values-matrix-neodatefix-widget.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -169,8 +160,7 @@ releases:
chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}" chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
version: "{{ .Values.charts.synapseCreateAccount.version }}" version: "{{ .Values.charts.synapseCreateAccount.version }}"
values: values:
- "values-matrix-neodatefix-bot-bootstrap.yaml" - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
- "values-matrix-neodatefix-bot-bootstrap.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900
@@ -178,8 +168,7 @@ releases:
chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}" chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
version: "{{ .Values.charts.matrixNeodatefixBot.version }}" version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
values: values:
- "values-matrix-neodatefix-bot.yaml" - "values-matrix-neodatefix-bot.yaml.gotmpl"
- "values-matrix-neodatefix-bot.gotmpl"
installed: {{ .Values.element.enabled }} installed: {{ .Values.element.enabled }}
timeout: 900 timeout: 900

21
helmfile/apps/element/values-element.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

43
helmfile/apps/element/values-element.gotmpl → helmfile/apps/element/values-element.yaml.gotmpl
View File

@@ -1,15 +1,6 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration: configuration:
additionalConfiguration: additionalConfiguration:
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}" logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -105,6 +96,27 @@ configuration:
welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}" welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image: image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -119,11 +131,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
theme: podSecurityContext:
{{ .Values.theme | toYaml | nindent 2 }} enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.element }} replicaCount: {{ .Values.replicas.element }}
resources: resources:
{{ .Values.resources.element | toYaml | nindent 2 }} {{ .Values.resources.element | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
... ...

21
helmfile/apps/element/values-matrix-neoboard-widget.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

29
helmfile/apps/element/values-matrix-neoboard-widget.gotmpl → helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
hosts: hosts:
@@ -23,11 +35,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
theme: podSecurityContext:
{{ .Values.theme | toYaml | nindent 2 }} enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }} replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
resources: resources:
{{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }} {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
... ...

21
helmfile/apps/element/values-matrix-neochoice-widget.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

29
helmfile/apps/element/values-matrix-neochoice-widget.gotmpl → helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
hosts: hosts:
@@ -23,11 +35,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
theme: podSecurityContext:
{{ .Values.theme | toYaml | nindent 2 }} enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }} replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
resources: resources:
{{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }} {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
... ...

8
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
View File

@@ -1,8 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "meetings-bot"
pod: "opendesk-synapse-0"
secretName: "matrix-neodatefix-bot-account"
...

18
helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl → helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
View File

@@ -1,22 +1,24 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup: cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }} deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration: configuration:
username: "meetings-bot"
pod: "opendesk-synapse-0"
secretName: "matrix-neodatefix-bot-account"
password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }} password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }} url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }} tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
... ...

50
helmfile/apps/element/values-matrix-neodatefix-bot.yaml
View File

@@ -1,50 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"
calendarWidgetName: "Terminplaner"
cockpitWidgetName: "Meeting Steuerung"
jitsiWidgetName: "Videokonferenz"
matrixNeoBoardWidgetName: "Whiteboard"
matrixNeoChoiceWidgetName: "Abstimmungen"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
extraEnvVars:
- name: "ACCESS_TOKEN"
valueFrom:
secretKeyRef:
name: "matrix-neodatefix-bot-account"
key: "access_token"
# TODO: The health endpoint does not work with the haproxy configuration, yet
livenessProbe:
enabled: false
podSecurityContext:
enabled: true
fsGroup: 101
# TODO: The health endpoint does not work with the haproxy configuration, yet
readinessProbe:
enabled: false
...

49
helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl → helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
View File

@@ -1,7 +1,5 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
@@ -11,7 +9,39 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
configuration: configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"
calendarWidgetName: "Terminplaner"
cockpitWidgetName: "Meeting Steuerung"
jitsiWidgetName: "Videokonferenz"
matrixNeoBoardWidgetName: "Whiteboard"
matrixNeoChoiceWidgetName: "Abstimmungen"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
extraEnvVars:
- name: "ACCESS_TOKEN"
valueFrom:
secretKeyRef:
name: "matrix-neodatefix-bot-account"
key: "access_token"
image: image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -26,12 +56,23 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
livenessProbe:
enabled: true
persistence: persistence:
size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }} size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
readinessProbe:
enabled: true
replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }} replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
resources: resources:
{{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }} {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
... ...

25
helmfile/apps/element/values-matrix-neodatefix-widget.yaml
View File

@@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
bot:
username: "meetings-bot"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

33
helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl → helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
View File

@@ -1,8 +1,24 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
configuration:
bot:
username: "meetings-bot"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
hosts: hosts:
@@ -23,11 +39,16 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
theme: podSecurityContext:
{{ .Values.theme | toYaml | nindent 2 }} enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }} replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
resources: resources:
{{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }} {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
... ...

8
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
View File

@@ -1,8 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
username: "uvs"
pod: "opendesk-synapse-0"
secretName: "opendesk-matrix-user-verification-service-account"
...

32
helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl → helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
View File

@@ -1,22 +1,38 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup: cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }} deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }} deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
configuration: configuration:
username: "uvs"
pod: "opendesk-synapse-0"
secretName: "opendesk-matrix-user-verification-service-account"
password: {{ .Values.secrets.matrixUserVerificationService.password | quote }} password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
url: {{ .Values.images.synapseCreateUser.repository | quote }} url: {{ .Values.images.synapseCreateUser.repository | quote }}
tag: {{ .Values.images.synapseCreateUser.tag | quote }} tag: {{ .Values.images.synapseCreateUser.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
... ...

23
helmfile/apps/element/values-matrix-user-verification-service.gotmpl
View File

@@ -1,23 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
resources:
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
...

19
helmfile/apps/element/values-matrix-user-verification-service.yaml → helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
View File

@@ -25,7 +25,26 @@ extraEnvVars:
- name: "UVS_DISABLE_IP_BLACKLIST" - name: "UVS_DISABLE_IP_BLACKLIST"
value: "true" value: "true"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
podSecurityContext: podSecurityContext:
enabled: true enabled: true
fsGroup: 101 fsGroup: 101
replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
resources:
{{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
... ...

21
helmfile/apps/element/values-synapse-web.yaml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

25
helmfile/apps/element/values-synapse-web.gotmpl → helmfile/apps/element/values-synapse-web.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
hosts: hosts:
@@ -24,8 +36,13 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.synapseWeb }} replicaCount: {{ .Values.replicas.synapseWeb }}
resources: resources:
{{ .Values.resources.synapseWeb | toYaml | nindent 2 }} {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
... ...

52
helmfile/apps/element/values-synapse.yaml
View File

@@ -1,52 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
homeserver:
guestModule:
enabled: true
oidc:
clientId: "opendesk-matrix"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 10991
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 5
...

76
helmfile/apps/element/values-synapse.gotmpl → helmfile/apps/element/values-synapse.yaml.gotmpl
View File

@@ -1,22 +1,27 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
repository: {{ .Values.images.synapse.repository | quote }}
tag: {{ .Values.images.synapse.tag | quote }}
configuration: configuration:
additionalConfiguration:
user_directory:
enabled: true
search_all_users: true
room_prejoin_state:
additional_event_types:
- "m.space.parent"
- "net.nordeck.meetings.metadata"
- "m.room.power_levels"
# When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
# interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
# https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
rc_login:
account:
per_second: 2
burst_count: 8
address:
per_second: 2
burst_count: 12
database: database:
host: {{ .Values.databases.synapse.host | quote }} host: {{ .Values.databases.synapse.host | quote }}
name: {{ .Values.databases.synapse.name | quote }} name: {{ .Values.databases.synapse.name | quote }}
@@ -36,6 +41,7 @@ configuration:
sender_localpart: intercom-service sender_localpart: intercom-service
oidc: oidc:
clientId: "opendesk-matrix"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }} clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}" issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
@@ -53,18 +59,54 @@ configuration:
{{- end }} {{- end }}
guestModule: guestModule:
enabled: true
image: image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
repository: {{ .Values.images.synapseGuestModule.repository | quote }} repository: {{ .Values.images.synapseGuestModule.repository | quote }}
tag: {{ .Values.images.synapseGuestModule.tag | quote }} tag: {{ .Values.images.synapseGuestModule.tag | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
seccompProfile:
type: "RuntimeDefault"
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
repository: {{ .Values.images.synapse.repository | quote }}
tag: {{ .Values.images.synapse.tag | quote }}
persistence: persistence:
size: {{ .Values.persistence.size.synapse | quote }} size: {{ .Values.persistence.size.synapse | quote }}
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
podSecurityContext:
enabled: true
fsGroup: 10991
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 5
replicaCount: {{ .Values.replicas.synapse }} replicaCount: {{ .Values.replicas.synapse }}
resources: resources:
{{ .Values.resources.synapse | toYaml | nindent 2 }} {{ .Values.resources.synapse | toYaml | nindent 2 }}
... ...

25
helmfile/apps/element/values-well-known.yaml
View File

@@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
configuration:
e2ee:
forceDisable: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
...

29
helmfile/apps/element/values-well-known.gotmpl → helmfile/apps/element/values-well-known.yaml.gotmpl
View File

@@ -1,8 +1,24 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
configuration:
e2ee:
forceDisable: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: "RuntimeDefault"
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
hosts: hosts:
@@ -24,8 +40,13 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
replicaCount: {{ .Values.replicas.wellKnown }} replicaCount: {{ .Values.replicas.wellKnown }}
resources: resources:
{{ .Values.resources.wellKnown | toYaml | nindent 2 }} {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
... ...

5
helmfile/apps/intercom-service/helmfile.yaml
View File

@@ -13,15 +13,14 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
releases: releases:
- name: "intercom-service" - name: "intercom-service"
chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}" chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
version: "{{ .Values.charts.intercomService.version }}" version: "{{ .Values.charts.intercomService.version }}"
values: values:
- "values.yaml" - "values.yaml.gotmpl"
- "values.gotmpl"
installed: {{ .Values.intercom.enabled }} installed: {{ .Values.intercom.enabled }}
commonLabels: commonLabels:

26
helmfile/apps/intercom-service/values.yaml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ics:
oidc:
id: "opendesk-intercom"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
...

26
helmfile/apps/intercom-service/values.gotmpl → helmfile/apps/intercom-service/values.yaml.gotmpl
View File

@@ -1,8 +1,19 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global: global:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
hosts: hosts:
@@ -19,6 +30,7 @@ ics:
default: default:
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
oidc: oidc:
id: "opendesk-intercom"
secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }} secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
matrix: matrix:
asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }} asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -52,8 +64,14 @@ ingress:
enabled: {{ .Values.ingress.tls.enabled }} enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }} secretName: {{ .Values.ingress.tls.secretName | quote }}
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.intercomService }} replicaCount: {{ .Values.replicas.intercomService }}
resources: resources:
{{ .Values.resources.intercomService | toYaml | nindent 2 }} {{ .Values.resources.intercomService | toYaml | nindent 2 }}
... ...

2
helmfile/apps/jitsi/helmfile.yaml
View File

@@ -13,7 +13,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
releases: releases:
- name: "jitsi" - name: "jitsi"

17
helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
View File

@@ -62,6 +62,9 @@ jitsi:
TURN_ENABLE: "1" TURN_ENABLE: "1"
resources: resources:
{{ .Values.resources.jitsi | toYaml | nindent 6 }} {{ .Values.resources.jitsi | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
prosody: prosody:
image: image:
repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}" repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -98,6 +101,9 @@ jitsi:
persistence: persistence:
size: {{ .Values.persistence.size.prosody | quote }} size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
jicofo: jicofo:
replicaCount: {{ .Values.replicas.jicofo }} replicaCount: {{ .Values.replicas.jicofo }}
image: image:
@@ -108,6 +114,9 @@ jitsi:
componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }} componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
resources: resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }} {{ .Values.resources.jicofo | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
jvb: jvb:
replicaCount: {{ .Values.replicas.jvb }} replicaCount: {{ .Values.replicas.jvb }}
image: image:
@@ -119,6 +128,9 @@ jitsi:
{{ .Values.resources.jvb | toYaml | nindent 6 }} {{ .Values.resources.jvb | toYaml | nindent 6 }}
service: service:
type: {{ .Values.cluster.service.type | quote }} type: {{ .Values.cluster.service.type | quote }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
jibri: jibri:
replicaCount: {{ .Values.replicas.jibri }} replicaCount: {{ .Values.replicas.jibri }}
image: image:
@@ -130,6 +142,9 @@ jitsi:
password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }} password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
resources: resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }} {{ .Values.resources.jibri | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
imagePullSecrets: imagePullSecrets:
{{- range .Values.global.imagePullSecrets }} {{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }} - name: {{ . | quote }}
@@ -143,6 +158,8 @@ patchJVB:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
enabled: true enabled: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
image: image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

4
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -13,14 +13,14 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
- name: "nextcloud-repo" - name: "nextcloud-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.nextcloud.verify }} verify: {{ .Values.charts.nextcloud.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
releases: releases:
- name: "opendesk-nextcloud-management" - name: "opendesk-nextcloud-management"

8
helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
View File

@@ -33,11 +33,11 @@ exporter:
serviceMonitor: serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }} enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels: labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }} {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
prometheusRule: prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }} enabled: {{ .Values.prometheus.prometheusRules.enabled }}
additionalLabels: additionalLabels:
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }} {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
replicas: {{ .Values.replicas.nextcloudExporter }} replicas: {{ .Values.replicas.nextcloudExporter }}
resources: resources:
{{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }} {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -84,11 +84,11 @@ php:
serviceMonitor: serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }} enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels: labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }} {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
prometheusRule: prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }} enabled: {{ .Values.prometheus.prometheusRules.enabled }}
additionalLabels: additionalLabels:
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }} {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
replicas: {{ .Values.replicas.nextcloudPHP }} replicas: {{ .Values.replicas.nextcloudPHP }}
resources: resources:
{{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }} {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}

6
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -13,14 +13,14 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
# Open-Xchange # Open-Xchange
- name: "open-xchange-repo" - name: "open-xchange-repo"
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
# openDesk Open-Xchange Bootstrap # openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
@@ -30,7 +30,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\ url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}" {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
releases: releases:

6
helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
View File

@@ -92,6 +92,8 @@ appsuite:
masterAdmin: "admin" masterAdmin: "admin"
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }} masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}" hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
serviceAccount:
create: true
features: features:
status: status:
# enable admin pack # enable admin pack
@@ -413,6 +415,8 @@ appsuite:
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
seccompProfile:
type: "RuntimeDefault"
core-documents-collaboration: core-documents-collaboration:
enabled: false enabled: false
@@ -481,6 +485,8 @@ appsuite:
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
seccompProfile:
type: "RuntimeDefault"
guard-ui: guard-ui:
enabled: true enabled: true

2
helmfile/apps/openproject-bootstrap/helmfile.yaml
View File

@@ -13,7 +13,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
releases: releases:
- name: "opendesk-openproject-bootstrap" - name: "opendesk-openproject-bootstrap"

2
helmfile/apps/openproject/helmfile.yaml
View File

@@ -13,7 +13,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
releases: releases:
- name: "openproject" - name: "openproject"

4
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -71,7 +71,7 @@ environment:
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
repository: {{ .Values.images.openproject.repository | quote }} repository: {{ .Values.images.openproject.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.openproject.tag | quote }} tag: {{ .Values.images.openproject.tag | quote }}
initdb: initdb:
@@ -79,7 +79,7 @@ initdb:
registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
repository: {{ .Values.images.openprojectInitDb.repository | quote }} repository: {{ .Values.images.openprojectInitDb.repository | quote }}
tag: {{ .Values.images.openprojectInitDb.tag | quote }} tag: {{ .Values.images.openprojectInitDb.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
memcached: memcached:
bundled: false bundled: false

5
helmfile/apps/provisioning/helmfile.yaml
View File

@@ -10,15 +10,14 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
releases: releases:
- name: "ox-connector" - name: "ox-connector"
chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}" chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
version: "{{ .Values.charts.oxConnector.version }}" version: "{{ .Values.charts.oxConnector.version }}"
values: values:
- "values-oxconnector.yaml" - "values-oxconnector.yaml.gotmpl"
- "values-oxconnector.gotmpl"
installed: {{ .Values.oxConnector.enabled }} installed: {{ .Values.oxConnector.enabled }}
commonLabels: commonLabels:

34
helmfile/apps/provisioning/values-oxconnector.gotmpl
View File

@@ -1,34 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
repository: {{ .Values.images.oxConnector.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.oxConnector.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
oxConnector:
domainName: {{ .Values.global.domain | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
logLevel: {{ .Values.debug.logLevel | quote }}
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxDefaultContext: "1"
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
...

41
helmfile/apps/provisioning/values-oxconnector.yaml
View File

@@ -1,41 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
ingress:
enabled: false
oxConnector:
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
tlsMode: "off"
caCert: "ucctempldapstring"
debugLevel: "5"
oxDefaultContext: "1"
oxLocalTimezone: "Europe/Berlin"
oxLanguage: "de_DE"
oxSmtpServer: "smtp://127.0.0.1:587"
oxImapServer: "imap://127.0.0.1:143"
## Container deployment probes
probes:
liveness:
enabled: true
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readiness:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
serviceAccount:
create: true
...

86
helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl Normal file
View File

@@ -0,0 +1,86 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
repository: {{ .Values.images.oxConnector.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.oxConnector.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
ingress:
enabled: false
oxConnector:
caCert: "ucctempldapstring"
debugLevel: "5"
domainName: {{ .Values.global.domain | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
logLevel: {{ .Values.debug.logLevel | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: "dc=swp-ldap,dc=internal"
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
tlsMode: "off"
notifierServer: {{ .Values.ldap.notifierHost | quote }}
oxDefaultContext: "1"
oxImapServer: "imap://127.0.0.1:143"
oxLocalTimezone: "Europe/Berlin"
oxLanguage: "de_DE"
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSmtpServer: "smtp://127.0.0.1:587"
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
## Container deployment probes
probes:
liveness:
enabled: true
initialDelaySeconds: 120
timeoutSeconds: 3
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
readiness:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 15
failureThreshold: 30
successThreshold: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
serviceAccount:
create: true
...

53
helmfile/apps/services/helmfile.yaml
View File

@@ -13,7 +13,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
# openDesk Certificates # openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -23,7 +23,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
# openDesk PostgreSQL # openDesk PostgreSQL
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -33,7 +33,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
# openDesk MariaDB # openDesk MariaDB
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -43,7 +43,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
# openDesk Postfix # openDesk Postfix
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -53,7 +53,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
# openDesk Istio Resources # openDesk Istio Resources
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
@@ -63,7 +63,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
# openDesk ClamAV # openDesk ClamAV
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -73,14 +73,14 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
- name: "clamav-simple-repo" - name: "clamav-simple-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.clamavSimple.verify }} verify: {{ .Values.charts.clamavSimple.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
@@ -90,28 +90,28 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
- name: "redis-repo" - name: "redis-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.redis.verify }} verify: {{ .Values.charts.redis.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
- name: "minio-repo" - name: "minio-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.minio.verify }} verify: {{ .Values.charts.minio.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
releases: releases:
- name: "opendesk-otterize" - name: "opendesk-otterize"
chart: "otterize-repo/{{ .Values.charts.otterize.name }}" chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
version: "{{ .Values.charts.otterize.version }}" version: "{{ .Values.charts.otterize.version }}"
values: values:
- "values-otterize.gotmpl" - "values-otterize.yaml.gotmpl"
installed: {{ .Values.security.otterizeIntents.enabled }} installed: {{ .Values.security.otterizeIntents.enabled }}
timeout: 900 timeout: 900
@@ -119,7 +119,7 @@ releases:
chart: "certificates-repo/{{ .Values.charts.certificates.name }}" chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
version: "{{ .Values.charts.certificates.version }}" version: "{{ .Values.charts.certificates.version }}"
values: values:
- "values-certificates.gotmpl" - "values-certificates.yaml.gotmpl"
installed: {{ .Values.certificates.enabled }} installed: {{ .Values.certificates.enabled }}
timeout: 900 timeout: 900
@@ -127,8 +127,7 @@ releases:
chart: "redis-repo/{{ .Values.charts.redis.name }}" chart: "redis-repo/{{ .Values.charts.redis.name }}"
version: "{{ .Values.charts.redis.version }}" version: "{{ .Values.charts.redis.version }}"
values: values:
- "values-redis.gotmpl" - "values-redis.yaml.gotmpl"
- "values-redis.yaml"
installed: {{ .Values.redis.enabled }} installed: {{ .Values.redis.enabled }}
timeout: 900 timeout: 900
@@ -136,8 +135,7 @@ releases:
chart: "memcached-repo/{{ .Values.charts.memcached.name }}" chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
version: "{{ .Values.charts.memcached.version }}" version: "{{ .Values.charts.memcached.version }}"
values: values:
- "values-memcached.yaml" - "values-memcached.yaml.gotmpl"
- "values-memcached.gotmpl"
installed: {{ .Values.memcached.enabled }} installed: {{ .Values.memcached.enabled }}
timeout: 900 timeout: 900
@@ -145,8 +143,7 @@ releases:
chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}" chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
version: "{{ .Values.charts.postgresql.version }}" version: "{{ .Values.charts.postgresql.version }}"
values: values:
- "values-postgresql.yaml" - "values-postgresql.yaml.gotmpl"
- "values-postgresql.gotmpl"
installed: {{ .Values.postgresql.enabled }} installed: {{ .Values.postgresql.enabled }}
timeout: 900 timeout: 900
@@ -154,8 +151,7 @@ releases:
chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}" chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
version: "{{ .Values.charts.mariadb.version }}" version: "{{ .Values.charts.mariadb.version }}"
values: values:
- "values-mariadb.yaml" - "values-mariadb.yaml.gotmpl"
- "values-mariadb.gotmpl"
installed: {{ .Values.mariadb.enabled }} installed: {{ .Values.mariadb.enabled }}
timeout: 900 timeout: 900
@@ -163,8 +159,7 @@ releases:
chart: "postfix-repo/{{ .Values.charts.postfix.name }}" chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
version: "{{ .Values.charts.postfix.version }}" version: "{{ .Values.charts.postfix.version }}"
values: values:
- "values-postfix.yaml" - "values-postfix.yaml.gotmpl"
- "values-postfix.gotmpl"
installed: {{ .Values.postfix.enabled }} installed: {{ .Values.postfix.enabled }}
timeout: 900 timeout: 900
@@ -172,8 +167,7 @@ releases:
chart: "clamav-repo/{{ .Values.charts.clamav.name }}" chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
version: "{{ .Values.charts.clamav.version }}" version: "{{ .Values.charts.clamav.version }}"
values: values:
- "values-clamav-distributed.yaml" - "values-clamav-distributed.yaml.gotmpl"
- "values-clamav-distributed.gotmpl"
installed: {{ .Values.clamavDistributed.enabled }} installed: {{ .Values.clamavDistributed.enabled }}
timeout: 900 timeout: 900
@@ -181,8 +175,7 @@ releases:
chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}" chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
version: "{{ .Values.charts.clamavSimple.version }}" version: "{{ .Values.charts.clamavSimple.version }}"
values: values:
- "values-clamav-simple.yaml" - "values-clamav-simple.yaml.gotmpl"
- "values-clamav-simple.gotmpl"
installed: {{ .Values.clamavSimple.enabled }} installed: {{ .Values.clamavSimple.enabled }}
timeout: 900 timeout: 900
@@ -190,8 +183,7 @@ releases:
chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}" chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
version: "{{ .Values.charts.istioResources.version }}" version: "{{ .Values.charts.istioResources.version }}"
values: values:
- "values-istio-gateway.yaml" - "values-istio-gateway.yaml.gotmpl"
- "values-istio-gateway.gotmpl"
installed: {{ .Values.istio.enabled }} installed: {{ .Values.istio.enabled }}
timeout: 900 timeout: 900
@@ -199,8 +191,7 @@ releases:
chart: "minio-repo/{{ .Values.charts.minio.name }}" chart: "minio-repo/{{ .Values.charts.minio.name }}"
version: "{{ .Values.charts.minio.version }}" version: "{{ .Values.charts.minio.version }}"
values: values:
- "values-minio.yaml" - "values-minio.yaml.gotmpl"
- "values-minio.gotmpl"
installed: {{ .Values.minio.enabled }} installed: {{ .Values.minio.enabled }}
timeout: 900 timeout: 900

0
helmfile/apps/services/values-certificates.gotmpl → helmfile/apps/services/values-certificates.yaml.gotmpl
View File

80
helmfile/apps/services/values-clamav-distributed.yaml
View File

@@ -1,80 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
clamd:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
freshclam:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
icap:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
milter:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

86
helmfile/apps/services/values-clamav-distributed.gotmpl → helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
View File

@@ -1,27 +1,60 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
clamd: clamd:
podSecurityContext: containerSecurityContext:
replicaCount: {{ .Values.replicas.clamd }} allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
repository: {{ .Values.images.clamd.repository | quote }} repository: {{ .Values.images.clamd.repository | quote }}
tag: {{ .Values.images.clamd.tag | quote }} tag: {{ .Values.images.clamd.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.clamd }}
resources: resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }} {{ .Values.resources.clamd | toYaml | nindent 4 }}
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
freshclam: freshclam:
podSecurityContext: containerSecurityContext:
replicaCount: {{ .Values.replicas.freshclam }} allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
repository: {{ .Values.images.freshclam.repository | quote }} repository: {{ .Values.images.freshclam.repository | quote }}
tag: {{ .Values.images.freshclam.tag | quote }} tag: {{ .Values.images.freshclam.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.freshclam }}
resources: resources:
{{ .Values.resources.freshclam | toYaml | nindent 4 }} {{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -30,23 +63,54 @@ global:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
icap: icap:
replicaCount: {{ .Values.replicas.icap }} containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
repository: {{ .Values.images.icap.repository | quote }} repository: {{ .Values.images.icap.repository | quote }}
tag: {{ .Values.images.icap.tag | quote }} tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.icap }}
resources: resources:
{{ .Values.resources.icap | toYaml | nindent 4 }} {{ .Values.resources.icap | toYaml | nindent 4 }}
milter: milter:
podSecurityContext: containerSecurityContext:
replicaCount: {{ .Values.replicas.milter }} allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
repository: {{ .Values.images.milter.repository | quote }} repository: {{ .Values.images.milter.repository | quote }}
tag: {{ .Values.images.milter.tag | quote }} tag: {{ .Values.images.milter.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.milter }}
resources: resources:
{{ .Values.resources.milter | toYaml | nindent 4 }} {{ .Values.resources.milter | toYaml | nindent 4 }}

19
helmfile/apps/services/values-clamav-simple.yaml
View File

@@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
...

39
helmfile/apps/services/values-clamav-simple.gotmpl → helmfile/apps/services/values-clamav-simple.yaml.gotmpl
View File

@@ -1,9 +1,20 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
replicaCount: {{ .Values.replicas.clamav }} containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image: image:
clamav: clamav:
@@ -17,14 +28,18 @@ image:
tag: {{ .Values.images.icap.tag | quote }} tag: {{ .Values.images.icap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
persistence: persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.clamav | quote }} size: {{ .Values.persistence.size.clamav | quote }}
podSecurityContext:
enabled: true
fsGroup: 101
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.clamav }}
resources:
{{ .Values.resources.clamd | toYaml | nindent 4 }}
... ...

6
helmfile/apps/services/values-istio-gateway.yaml → helmfile/apps/services/values-istio-gateway.yaml.gotmpl
View File

@@ -1,6 +1,12 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
global:
domain: {{ .Values.istio.domain | quote }}
hosts:
openxchange: {{ .Values.global.hosts.openxchange | quote }}
tls: tls:
httpsRedirect: false httpsRedirect: false
secretName: "{{ .Values.istio.domain }}-tls"
... ...

27
helmfile/apps/services/values-mariadb.yaml
View File

@@ -1,27 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
enabled: true
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
replicaCount: 1
...

37
helmfile/apps/services/values-mariadb.gotmpl → helmfile/apps/services/values-mariadb.yaml.gotmpl
View File

@@ -1,24 +1,35 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global: global:
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
repository: {{ .Values.images.mariadb.repository | quote }} repository: {{ .Values.images.mariadb.repository | quote }}
tag: {{ .Values.images.mariadb.tag | quote }} tag: {{ .Values.images.mariadb.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
# Please refer to `databases.yaml` for details.
job: job:
enabled: true
retries: 10 retries: 10
wait: 30 wait: 30
users: users:
@@ -43,6 +54,14 @@ persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.mariadb | quote }} size: {{ .Values.persistence.size.mariadb | quote }}
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
replicaCount: 1
resources: resources:
{{ .Values.resources.mariadb | toYaml | nindent 2 }} {{ .Values.resources.mariadb | toYaml | nindent 2 }}
... ...

18
helmfile/apps/services/values-memcached.yaml
View File

@@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
serviceAccount:
create: true
...

21
helmfile/apps/services/values-memcached.gotmpl → helmfile/apps/services/values-memcached.yaml.gotmpl
View File

@@ -1,8 +1,18 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
global: global:
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -17,4 +27,7 @@ replicaCount: {{ .Values.replicas.memcached }}
resources: resources:
{{ .Values.resources.memcached | toYaml | nindent 2 }} {{ .Values.resources.memcached | toYaml | nindent 2 }}
serviceAccount:
create: true
... ...

79
helmfile/apps/services/values-minio.gotmpl
View File

@@ -1,79 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
repository: "{{ .Values.images.minio.repository }}"
tag: "{{ .Values.images.minio.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
auth:
rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
statefulset:
replicaCount: {{ .Values.replicas.minioDistributed }}
resources:
{{ .Values.resources.minio | toYaml | nindent 2 }}
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
apiIngress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
metrics:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.minio }}"
provisioning:
users:
- username: "openproject_user"
password: {{ .Values.secrets.minio.openprojectUser | quote }}
disabled: false
policies:
- "openproject-bucket-policy"
setPolicies: true
- username: "openxchange_user"
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
disabled: false
policies:
- "openxchange-bucket-policy"
setPolicies: true
- username: "ums_user"
password: {{ .Values.secrets.minio.umsUser | quote }}
disabled: false
policies:
- "ums-bucket-policy"
setPolicies: true
- username: "nextcloud_user"
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
disabled: false
policies:
- "nextcloud-bucket-policy"
setPolicies: true
...

101
helmfile/apps/services/values-minio.yaml → helmfile/apps/services/values-minio.yaml.gotmpl
View File

@@ -1,11 +1,20 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
mode: "standalone" apiIngress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
podSecurityContext: auth:
enabled: true rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
fsGroup: 1000
containerSecurityContext: containerSecurityContext:
enabled: true enabled: true
@@ -19,19 +28,53 @@ containerSecurityContext:
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
defaultBuckets: "openproject,openxchange,ums,nextcloud"
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
repository: "{{ .Values.images.minio.repository }}"
tag: "{{ .Values.images.minio.tag }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
ingress: ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
extraTls:
- hosts:
- "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
secretName: "{{ .Values.ingress.tls.secretName }}"
annotations: annotations:
nginx.org/websocket-services: "minio" nginx.org/websocket-services: "minio"
apiIngress: livenessProbe:
annotations: enabled: true
nginx.ingress.kubernetes.io/proxy-body-size: "4G" initialDelaySeconds: 5
nginx.org/client-max-body-size: "4G" periodSeconds: 10
timeoutSeconds: 10
mode: "standalone"
metrics:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
additionalLabels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
networkPolicy: networkPolicy:
enabled: false enabled: false
defaultBuckets: "openproject,openxchange,ums,nextcloud" podSecurityContext:
enabled: true
fsGroup: 1000
persistence:
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
size: "{{ .Values.persistence.size.minio }}"
provisioning: provisioning:
enabled: true enabled: true
@@ -99,12 +142,33 @@ provisioning:
effect: "Allow" effect: "Allow"
actions: actions:
- "s3:*" - "s3:*"
users:
livenessProbe: - username: "openproject_user"
enabled: true password: {{ .Values.secrets.minio.openprojectUser | quote }}
initialDelaySeconds: 5 disabled: false
periodSeconds: 10 policies:
timeoutSeconds: 10 - "openproject-bucket-policy"
setPolicies: true
- username: "openxchange_user"
password: {{ .Values.secrets.minio.openxchangeUser | quote }}
disabled: false
policies:
- "openxchange-bucket-policy"
setPolicies: true
- username: "ums_user"
password: {{ .Values.secrets.minio.umsUser | quote }}
disabled: false
policies:
- "ums-bucket-policy"
setPolicies: true
- username: "nextcloud_user"
password: {{ .Values.secrets.minio.nextcloudUser | quote }}
disabled: false
policies:
- "nextcloud-bucket-policy"
setPolicies: true
resources:
{{ .Values.resources.minio | toYaml | nindent 4 }}
readinessProbe: readinessProbe:
enabled: true enabled: true
@@ -112,8 +176,15 @@ readinessProbe:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 10 timeoutSeconds: 10
resources:
{{ .Values.resources.minio | toYaml | nindent 2 }}
startupProbe: startupProbe:
enabled: true enabled: true
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 10 timeoutSeconds: 10
statefulset:
replicaCount: {{ .Values.replicas.minioDistributed }}
... ...

0
helmfile/apps/services/values-otterize.gotmpl → helmfile/apps/services/values-otterize.yaml.gotmpl
View File

37
helmfile/apps/services/values-postfix.yaml
View File

@@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
certificate:
request:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: true
capabilities: {}
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 101
postfix:
hostname: "postfix"
inetProtocols: "ipv4"
smtpSASLAuthEnable: "yes"
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
smtpUseTLS: "yes"
smtpdSASLAuthEnable: "no"
smtpdSASLSecurityOptions: "noanonymous"
smtpdSASLType: "dovecot"
smtpdUseTLS: "yes"
smtpdTLSCertFile: "/etc/tls/tls.crt"
smtpdKeyFile: "/etc/tls/tls.key"
milterDefaultAction: "accept"
rspamdHost: ""
amavisHost: ""
amavisPortIn: ""
...

52
helmfile/apps/services/values-postfix.gotmpl → helmfile/apps/services/values-postfix.yaml.gotmpl
View File

@@ -1,8 +1,20 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
certificate:
secretName: {{ .Values.ingress.tls.secretName | quote }}
request:
enabled: false
containerSecurityContext:
allowPrivilegeEscalation: true
capabilities: {}
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
global: global:
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -13,29 +25,45 @@ image:
tag: {{ .Values.images.postfix.tag | quote }} tag: {{ .Values.images.postfix.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
certificate: persistence:
secretName: {{ .Values.ingress.tls.secretName | quote }} size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
podSecurityContext:
enabled: true
fsGroup: 101
postfix: postfix:
amavisHost: ""
amavisPortIn: ""
domain: {{ .Values.global.domain | quote }} domain: {{ .Values.global.domain | quote }}
virtualMailboxDomains: {{ .Values.global.domain | quote }} hostname: "postfix"
inetProtocols: "ipv4"
milterDefaultAction: "accept"
overrides: overrides:
- fileName: "sasl_passwd.map" - fileName: "sasl_passwd.map"
content: content:
- {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }} - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
rspamdHost: ""
relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }} relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
relayNets: {{ .Values.cluster.networking.cidr | quote}} relayNets: {{ .Values.cluster.networking.cidr | quote}}
virtualTransport: "lmtps:dovecot:24" smtpSASLAuthEnable: "yes"
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
smtpUseTLS: "yes"
smtpdSASLAuthEnable: "no"
smtpdSASLSecurityOptions: "noanonymous"
smtpdSASLType: "dovecot"
smtpdUseTLS: "yes"
smtpdTLSCertFile: "/etc/tls/tls.crt"
smtpdKeyFile: "/etc/tls/tls.key"
smtpdSASLPath: "inet:dovecot:3659" smtpdSASLPath: "inet:dovecot:3659"
{{- if .Values.clamavDistributed.enabled }} {{- if .Values.clamavDistributed.enabled }}
smtpdMilters: "inet:clamav-milter:7357" smtpdMilters: "inet:clamav-milter:7357"
{{- else if .Values.clamavSimple.enabled }} {{- else if .Values.clamavSimple.enabled }}
smtpdMilters: "inet:clamav-simple:7357" smtpdMilters: "inet:clamav-simple:7357"
{{- end }} {{- end }}
virtualMailboxDomains: {{ .Values.global.domain | quote }}
persistence: virtualTransport: "lmtps:dovecot:24"
size: {{ .Values.persistence.size.postfix | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
replicaCount: {{ .Values.replicas.postfix }} replicaCount: {{ .Values.replicas.postfix }}

30
helmfile/apps/services/values-postgresql.yaml
View File

@@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
postgres:
user: "postgres"
replicaCount: 1
...

34
helmfile/apps/services/values-postgresql.gotmpl → helmfile/apps/services/values-postgresql.yaml.gotmpl
View File

@@ -1,8 +1,32 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
job:
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
postgres:
user: "postgres"
replicaCount: 1
global: global:
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -12,6 +36,8 @@ image:
repository: {{ .Values.images.postgresql.repository | quote }} repository: {{ .Values.images.postgresql.repository | quote }}
tag: {{ .Values.images.postgresql.tag | quote }} tag: {{ .Values.images.postgresql.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
image:
digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
job: job:
users: users:

15
helmfile/apps/services/values-redis.yaml
View File

@@ -1,15 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
architecture: "standalone"
sentinel:
enabled: false
metrics:
enabled: false
master:
containerSecurityContext:
readOnlyRootFilesystem: true
...

27
helmfile/apps/services/values-redis.gotmpl → helmfile/apps/services/values-redis.yaml.gotmpl
View File

@@ -1,8 +1,8 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
architecture: "standalone"
auth: auth:
password: {{ .Values.secrets.redis.password | quote }} password: {{ .Values.secrets.redis.password | quote }}
@@ -18,10 +18,27 @@ image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
master: master:
containerSecurityContext:
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: "RuntimeDefault"
capabilities:
drop:
- "ALL"
count: {{ .Values.replicas.redis }} count: {{ .Values.replicas.redis }}
persistence: persistence:
size: {{ .Values.persistence.size.redis | quote }} size: {{ .Values.persistence.size.redis | quote }}
resources: resources:
{{ .Values.resources.redis | toYaml | nindent 4 }} {{ .Values.resources.redis | toYaml | nindent 4 }}
metrics:
enabled: false
sentinel:
enabled: false
... ...

157
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -12,133 +12,133 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
- name: "ums-guardian-management-ui-repo" - name: "ums-guardian-management-ui-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianManagementUi.verify }} verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
- name: "ums-guardian-authorization-api-repo" - name: "ums-guardian-authorization-api-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }} verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
- name: "ums-open-policy-agent-repo" - name: "ums-open-policy-agent-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsOpenPolicyAgent.verify }} verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
- name: "ums-store-dav-repo" - name: "ums-store-dav-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsStoreDav.verify }} verify: {{ .Values.charts.umsStoreDav.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
- name: "ums-ldap-server-repo" - name: "ums-ldap-server-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsLdapServer.verify }} verify: {{ .Values.charts.umsLdapServer.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
- name: "ums-ldap-notifier-repo" - name: "ums-ldap-notifier-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsLdapNotifier.verify }} verify: {{ .Values.charts.umsLdapNotifier.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
- name: "ums-udm-rest-api-repo" - name: "ums-udm-rest-api-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsUdmRestApi.verify }} verify: {{ .Values.charts.umsUdmRestApi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
- name: "ums-stack-data-ums-repo" - name: "ums-stack-data-ums-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsStackDataUms.verify }} verify: {{ .Values.charts.umsStackDataUms.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
- name: "ums-stack-data-swp-repo" - name: "ums-stack-data-swp-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsStackDataSwp.verify }} verify: {{ .Values.charts.umsStackDataSwp.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
- name: "ums-portal-server-repo" - name: "ums-portal-server-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsPortalServer.verify }} verify: {{ .Values.charts.umsPortalServer.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
- name: "ums-notifications-api-repo" - name: "ums-notifications-api-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsNotificationsApi.verify }} verify: {{ .Values.charts.umsNotificationsApi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
- name: "ums-portal-listener-repo" - name: "ums-portal-listener-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsPortalListener.verify }} verify: {{ .Values.charts.umsPortalListener.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
- name: "ums-portal-frontend-repo" - name: "ums-portal-frontend-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsPortalFrontend.verify }} verify: {{ .Values.charts.umsPortalFrontend.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
- name: "ums-umc-gateway-repo" - name: "ums-umc-gateway-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsUmcGateway.verify }} verify: {{ .Values.charts.umsUmcGateway.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
- name: "ums-umc-server-repo" - name: "ums-umc-server-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsUmcServer.verify }} verify: {{ .Values.charts.umsUmcServer.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
- name: "ums-selfservice-listener-repo" - name: "ums-selfservice-listener-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsSelfserviceListener.verify }} verify: {{ .Values.charts.umsSelfserviceListener.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
- name: "ums-provisioning-repo" - name: "ums-provisioning-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg" keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsProvisioning.verify }} verify: {{ .Values.charts.umsProvisioning.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"
# Univention Keycloak Extensions # Univention Keycloak Extensions
- name: "ums-keycloak-extensions-repo" - name: "ums-keycloak-extensions-repo"
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
# Univention Keycloak # Univention Keycloak
- name: "ums-keycloak-repo" - name: "ums-keycloak-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
@@ -146,21 +146,21 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
- name: "ums-keycloak-bootstrap-repo" - name: "ums-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg" keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloakBootstrap.verify }} verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
- name: "opendesk-keycloak-bootstrap-repo" - name: "opendesk-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg" keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }} verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\ url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
{{ .Values.charts.opendeskKeycloakBootstrap.repository }}" {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
# VMWare Bitnami # VMWare Bitnami
# Source: https://github.com/bitnami/charts/ # Source: https://github.com/bitnami/charts/
@@ -170,7 +170,7 @@ repositories:
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true oci: true
url: "{{ .Values.global.imageRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}" url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
releases: releases:
- name: "ums-keycloak" - name: "ums-keycloak"
@@ -215,8 +215,7 @@ releases:
chart: "nginx-repo/{{ .Values.charts.nginx.name }}" chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "{{ .Values.charts.nginx.version }}" version: "{{ .Values.charts.nginx.version }}"
values: values:
- "values-ums-stack-gateway.gotmpl" - "values-ums-stack-gateway.yaml.gotmpl"
- "values-ums-stack-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -224,10 +223,8 @@ releases:
chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}" chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
version: "{{ .Values.charts.umsStoreDav.version }}" version: "{{ .Values.charts.umsStoreDav.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-store-dav.yaml.gotmpl"
- "values-store-dav.gotmpl"
- "values-store-dav.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -235,10 +232,8 @@ releases:
chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}" chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "{{ .Values.charts.umsLdapServer.version }}" version: "{{ .Values.charts.umsLdapServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-ldap-server.yaml.gotmpl"
- "values-ldap-server.gotmpl"
- "values-ldap-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -246,10 +241,8 @@ releases:
chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}" chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "{{ .Values.charts.umsLdapNotifier.version }}" version: "{{ .Values.charts.umsLdapNotifier.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-ldap-notifier.yaml.gotmpl"
- "values-ldap-notifier.gotmpl"
- "values-ldap-notifier.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -257,10 +250,8 @@ releases:
chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}" chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "{{ .Values.charts.umsUdmRestApi.version }}" version: "{{ .Values.charts.umsUdmRestApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-udm-rest-api.yaml.gotmpl"
- "values-udm-rest-api.gotmpl"
- "values-udm-rest-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -268,10 +259,8 @@ releases:
chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}" chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "{{ .Values.charts.umsStackDataUms.version }}" version: "{{ .Values.charts.umsStackDataUms.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-stack-data-ums.yaml.gotmpl"
- "values-stack-data-ums.gotmpl"
- "values-stack-data-ums.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -279,10 +268,8 @@ releases:
chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}" chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "{{ .Values.charts.umsStackDataSwp.version }}" version: "{{ .Values.charts.umsStackDataSwp.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-stack-data-swp.yaml.gotmpl"
- "values-stack-data-swp.gotmpl"
- "values-stack-data-swp.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -290,10 +277,8 @@ releases:
chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}" chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "{{ .Values.charts.umsPortalServer.version }}" version: "{{ .Values.charts.umsPortalServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-portal-server.yaml.gotmpl"
- "values-portal-server.gotmpl"
- "values-portal-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -301,10 +286,8 @@ releases:
chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}" chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "{{ .Values.charts.umsNotificationsApi.version }}" version: "{{ .Values.charts.umsNotificationsApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-notifications-api.yaml.gotmpl"
- "values-notifications-api.gotmpl"
- "values-notifications-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -312,10 +295,8 @@ releases:
chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}" chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "{{ .Values.charts.umsPortalListener.version }}" version: "{{ .Values.charts.umsPortalListener.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-portal-listener.yaml.gotmpl"
- "values-portal-listener.gotmpl"
- "values-portal-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -323,10 +304,8 @@ releases:
chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}" chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "{{ .Values.charts.umsPortalFrontend.version }}" version: "{{ .Values.charts.umsPortalFrontend.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-portal-frontend.yaml.gotmpl"
- "values-portal-frontend.gotmpl"
- "values-portal-frontend.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -334,10 +313,8 @@ releases:
chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}" chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "{{ .Values.charts.umsUmcGateway.version }}" version: "{{ .Values.charts.umsUmcGateway.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-umc-gateway.yaml.gotmpl"
- "values-umc-gateway.gotmpl"
- "values-umc-gateway.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -345,10 +322,8 @@ releases:
chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}" chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "{{ .Values.charts.umsUmcServer.version }}" version: "{{ .Values.charts.umsUmcServer.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-umc-server.yaml.gotmpl"
- "values-umc-server.gotmpl"
- "values-umc-server.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -356,10 +331,8 @@ releases:
chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}" chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}" version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-selfservice-listener.yaml.gotmpl"
- "values-selfservice-listener.gotmpl"
- "values-selfservice-listener.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -367,10 +340,8 @@ releases:
chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}" chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
version: "{{ .Values.charts.umsProvisioning.version }}" version: "{{ .Values.charts.umsProvisioning.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-provisioning.yaml.gotmpl"
- "values-provisioning.gotmpl"
- "values-provisioning.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -378,10 +349,8 @@ releases:
chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}" chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
version: "{{ .Values.charts.umsGuardianManagementApi.version }}" version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-guardian-management-api.yaml.gotmpl"
- "values-guardian-management-api.gotmpl"
- "values-guardian-management-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -389,10 +358,8 @@ releases:
chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}" chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
version: "{{ .Values.charts.umsGuardianManagementUi.version }}" version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-guardian-management-ui.yaml.gotmpl"
- "values-guardian-management-ui.gotmpl"
- "values-guardian-management-ui.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -400,10 +367,8 @@ releases:
chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}" chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}" version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-guardian-authorization-api.yaml.gotmpl"
- "values-guardian-authorization-api.gotmpl"
- "values-guardian-authorization-api.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900
@@ -411,10 +376,8 @@ releases:
chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}" chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
version: "{{ .Values.charts.umsOpenPolicyAgent.version }}" version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
values: values:
- "values-common.gotmpl" - "values-common.yaml.gotmpl"
- "values-common.yaml" - "values-open-policy-agent.yaml.gotmpl"
- "values-open-policy-agent.gotmpl"
- "values-open-policy-agent.yaml"
installed: {{ .Values.univentionManagementStack.enabled }} installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900 timeout: 900

10
helmfile/apps/univention-management-stack/values-common.gotmpl
View File

@@ -1,10 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ingress:
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
...

2
helmfile/apps/univention-management-stack/values-common.yaml → helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
View File

@@ -12,6 +12,8 @@ ingress:
# controller. Those are encapsulated into the release "stack-gateway" so that # controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased. # the compatibility with all ingress controllers is increased.
enabled: false enabled: false
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls: tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend" # The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false enabled: false

21
helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
View File

@@ -1,21 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianAuthorizationApi:
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
...

28
helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml → helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
View File

@@ -2,19 +2,34 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
guardianAuthorizationApi: guardianAuthorizationApi:
home: "/guardian_service_dir"
guardianAuthzCorsAllowedOrigins: "*" guardianAuthzCorsAllowedOrigins: "*"
guardianAuthzAdapterSettingsPort: "env" guardianAuthzAdapterSettingsPort: "env"
guardianAuthzAdapterAppPersistencePort: "udm_data" guardianAuthzAdapterAppPersistencePort: "udm_data"
guardianAuthzAdapterPolicyPort: "opa" guardianAuthzAdapterPolicyPort: "opa"
guardianAuthzAdapterAuthenticationPort: "fast_api_oauth" guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
isUniventionAppCenter: 0 guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
opaAdapterUrl: "http://ums-open-policy-agent/"
guardianAuthzLoggingLevel: "DEBUG"
guardianAuthzLoggingStructured: false guardianAuthzLoggingStructured: false
guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}" guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
home: "/guardian_service_dir"
isUniventionAppCenter: 0
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
opaAdapterUrl: "http://ums-open-policy-agent/"
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -36,4 +51,5 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
... ...

32
helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
View File

@@ -1,32 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
guardianManagementApi:
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
...

34
helmfile/apps/univention-management-stack/values-guardian-management-api.yaml → helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
View File

@@ -3,6 +3,7 @@
--- ---
guardianManagementApi: guardianManagementApi:
home: "/guardian_service_dir" home: "/guardian_service_dir"
isUniventionAppCenter: 0
guardianManagementCorsAllowedOrigins: "*" guardianManagementCorsAllowedOrigins: "*"
guardianManagementAdapterSettingsPort: "env" guardianManagementAdapterSettingsPort: "env"
guardianManagementAdapterAppPersistencePort: "sql" guardianManagementAdapterAppPersistencePort: "sql"
@@ -15,14 +16,38 @@ guardianManagementApi:
guardianManagementAdapterAuthenticationPort: "fast_api_oauth" guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization" guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
guardianManagementAdapterResourceAuthorizationPort: "always" guardianManagementAdapterResourceAuthorizationPort: "always"
isUniventionAppCenter: 0
sqlPersistenceAdapterDialect: "postgresql"
sqlPersistenceAdapterDbName: "postgres"
oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
guardianManagementLoggingLevel: "DEBUG" guardianManagementLoggingLevel: "DEBUG"
guardianManagementLoggingStructured: false guardianManagementLoggingStructured: false
guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}" guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
guardianManagementBaseUrl: "http://0.0.0.0:8000" guardianManagementBaseUrl: "http://0.0.0.0:8000"
oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
sqlPersistenceAdapterDialect: "postgresql"
sqlPersistenceAdapterDbName: "postgres"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -44,4 +69,5 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
... ...

29
helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
View File

@@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementUi:
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

31
helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl → helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
View File

@@ -1,9 +1,10 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
guardianManagementUi: guardianManagementUi:
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management" viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }} viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -20,4 +21,26 @@ image:
resources: resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }} {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

18
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
View File

@@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

21
helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl → helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
View File

@@ -1,7 +1,5 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
@@ -15,4 +13,19 @@ image:
resources: resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }} {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
... ...

36
helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
View File

@@ -1,36 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
ldapServer:
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
...

42
helmfile/apps/univention-management-stack/values-ldap-server.yaml → helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
View File

@@ -1,13 +1,6 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
ldapServer:
waitForSamlMetadata: true
service:
type: "ClusterIP"
extraVolumes: extraVolumes:
- name: "opendesk-schemas" - name: "opendesk-schemas"
configMap: configMap:
@@ -30,6 +23,34 @@ extraVolumeMounts:
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema" mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema" subPath: "opendeskProjectmanagement.schema"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
ldapServer:
waitForSamlMetadata: true
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
persistence:
data:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
shared:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -51,4 +72,11 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
service:
type: "ClusterIP"
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
... ...

20
helmfile/apps/univention-management-stack/values-notifications-api.yaml
View File

@@ -1,20 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

44
helmfile/apps/univention-management-stack/values-notifications-api.gotmpl → helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
View File

@@ -1,18 +1,6 @@
{{/* # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-License-Identifier: Apache-2.0
SPDX-License-Identifier: Apache-2.0
*/}}
--- ---
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
image: image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
repository: {{ .Values.images.umsNotificationsApi.repository }} repository: {{ .Values.images.umsNotificationsApi.repository }}
@@ -23,6 +11,34 @@ image:
- name: {{ . | quote }} - name: {{ . | quote }}
{{- end }} {{- end }}
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
resources: resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }} {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
... ...

18
helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
View File

@@ -1,18 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
...

14
helmfile/apps/univention-management-stack/values-open-policy-agent.yaml → helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
View File

@@ -1,6 +1,16 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
openPolicyAgent: openPolicyAgent:
isUniventionAppCenter: 0 isUniventionAppCenter: 0
opaDataBundle: "bundles/GuardianDataBundle.tar.gz" opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
@@ -9,6 +19,9 @@ openPolicyAgent:
opaPollingMaxDelay: 15 opaPollingMaxDelay: 15
opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management" opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -29,4 +42,5 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
... ...

Some files were not shown because too many files have changed in this diff Show More