mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
Compare commits
39 Commits
v0.5.75
...
feat/mon-x
| Author | SHA1 | Date | |
|---|---|---|---|
|
2a9abcebc5 | ||
|
|
47d6a8d53f | ||
|
|
8b50347bfa | ||
|
|
b525a814fc | ||
|
|
83ac645fae | ||
|
|
f2b8acfba8 | ||
|
|
49f126d169 | ||
|
|
02d04faa2a | ||
|
|
c2087efcf9 | ||
|
|
affa92cde2 | ||
|
|
d9e07ff7bd | ||
|
|
01599022f1 | ||
|
|
bc7eeb8c9d | ||
|
|
1396071865 | ||
|
|
7c9f38f06e | ||
|
|
7ebbd03bdc | ||
|
|
110ff56f74 | ||
|
|
c0fc225349 | ||
|
|
56f5e35895 | ||
|
|
ba0824bac3 | ||
|
|
250ef2bc3f | ||
|
|
d2b1f0b07b | ||
|
|
8f83261986 | ||
|
|
5d95e7ab2a | ||
|
|
ee1a337ab5 | ||
|
|
41bc09ee49 | ||
|
|
acaec3b8ac | ||
|
|
6c15dc1d66 | ||
|
|
2909e1d821 | ||
|
|
cabee0c9da | ||
|
|
c16c0ac795 | ||
|
|
6f0b1f37fc | ||
|
|
fd2a66f8f2 | ||
|
|
dd535daac0 | ||
|
|
3bcdcd06b7 | ||
|
|
f05acb57c9 | ||
|
|
bea1413b86 | ||
|
|
af63e5c18d | ||
|
|
cbb33b922d |
@@ -8,6 +8,7 @@ include:
|
||||
- "ci/common/automr.yml"
|
||||
- "ci/common/lint.yml"
|
||||
- "ci/release-automation/semantic-release.yml"
|
||||
- local: "/.gitlab/generate/generate-docs.yml"
|
||||
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
|
||||
file: "gitlab/environments.yaml"
|
||||
rules:
|
||||
@@ -209,8 +210,8 @@ env-start:
|
||||
kubectl create secret
|
||||
--namespace "${NAMESPACE}"
|
||||
docker-registry external-registry
|
||||
--docker-server "external-registry.souvap-univention.de"
|
||||
--docker-username sovereign-workplace
|
||||
--docker-server "${EXTERNAL_REGISTRY}"
|
||||
--docker-username "${EXTERNAL_REGISTRY_USERNAME}"
|
||||
--docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
stage: "env"
|
||||
@@ -612,7 +613,8 @@ release:
|
||||
"CHANGELOG.md",
|
||||
"charts/**/README.md",
|
||||
"helmfile/environments/default/global.generated.yaml",
|
||||
".kyverno/kyverno-test.yaml"
|
||||
".kyverno/kyverno-test.yaml",
|
||||
"docs"
|
||||
],
|
||||
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
|
||||
}]
|
||||
@@ -622,4 +624,5 @@ release:
|
||||
- "semantic-release"
|
||||
needs:
|
||||
- "generate-release-assets"
|
||||
- "generate-docs"
|
||||
...
|
||||
|
||||
15
.gitlab/common/common.yml
Normal file
15
.gitlab/common/common.yml
Normal file
@@ -0,0 +1,15 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
variables:
|
||||
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
|
||||
@sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
|
||||
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
|
||||
@sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
|
||||
|
||||
.common:
|
||||
cache: {}
|
||||
needs: []
|
||||
tags:
|
||||
- "docker"
|
||||
...
|
||||
11
.gitlab/generate/generate-common.yml
Normal file
11
.gitlab/generate/generate-common.yml
Normal file
@@ -0,0 +1,11 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
include:
|
||||
- local: "/.gitlab/common/common.yml"
|
||||
|
||||
.generate-common:
|
||||
extends: ".common"
|
||||
stage: ".post"
|
||||
tags: []
|
||||
...
|
||||
20
.gitlab/generate/generate-docs.yml
Normal file
20
.gitlab/generate/generate-docs.yml
Normal file
@@ -0,0 +1,20 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
include:
|
||||
- local: "/.gitlab/generate/generate-common.yml"
|
||||
|
||||
generate-docs:
|
||||
cache:
|
||||
- key: "generate-docs-${CI_COMMIT_REF_SLUG}"
|
||||
paths:
|
||||
- "${CI_PROJECT_DIR}/docs"
|
||||
policy: "push"
|
||||
extends: ".generate-common"
|
||||
image: "${OPENDESK_CI_CLI_IMAGE}"
|
||||
rules:
|
||||
- if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
|
||||
when: "on_success"
|
||||
script:
|
||||
- "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
|
||||
...
|
||||
@@ -1,17 +1,11 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
variables:
|
||||
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
|
||||
@sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
|
||||
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
|
||||
@sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
|
||||
include:
|
||||
- local: "/.gitlab/common/common.yml"
|
||||
|
||||
.lint-common:
|
||||
cache: {}
|
||||
needs: []
|
||||
extends: ".common"
|
||||
stage: "lint"
|
||||
tags:
|
||||
- "docker"
|
||||
|
||||
...
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
include:
|
||||
@@ -27,7 +27,7 @@ lint-kyverno:
|
||||
script:
|
||||
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
|
||||
- "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
|
||||
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
|
||||
- "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
|
||||
- "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
|
||||
- "cd ${CI_PROJECT_DIR}/.kyverno"
|
||||
- "kyverno test ."
|
||||
|
||||
@@ -1,276 +0,0 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
pod:
|
||||
- resource: "mariadb"
|
||||
kind: "StatefulSet"
|
||||
app: "services"
|
||||
- resource: "postgresql"
|
||||
kind: "StatefulSet"
|
||||
app: "services"
|
||||
- resource: "clamav-simple"
|
||||
kind: "StatefulSet"
|
||||
app: "services"
|
||||
- resource: "redis-master"
|
||||
kind: "StatefulSet"
|
||||
app: "services"
|
||||
- resource: "ums-store-dav"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-ldap-server"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-ldap-notifier"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-portal-listener"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-selfservice-listener"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-provisioning-nats"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-guardian-management-api"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-guardian-management-ui"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-guardian-authorization-api"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-open-policy-agent"
|
||||
kind: "StatefulSet"
|
||||
app: "univention-management-stack"
|
||||
- resource: "open-xchange-core-mw-default"
|
||||
kind: "StatefulSet"
|
||||
app: "open-xchange"
|
||||
- resource: "jitsi-prosody"
|
||||
kind: "StatefulSet"
|
||||
app: "jitsi"
|
||||
- resource: "opendesk-synapse"
|
||||
kind: "StatefulSet"
|
||||
app: "element"
|
||||
- resource: "xwiki"
|
||||
kind: "StatefulSet"
|
||||
app: "xwiki"
|
||||
- resource: "ox-connector"
|
||||
kind: "StatefulSet"
|
||||
app: "provisioning"
|
||||
- resource: "minio"
|
||||
kind: "Deployment"
|
||||
app: "services"
|
||||
- resource: "memcached"
|
||||
kind: "Deployment"
|
||||
app: "services"
|
||||
- resource: "postfix"
|
||||
kind: "Deployment"
|
||||
app: "services"
|
||||
- resource: "ums-keycloak"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-stack-gateway"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-udm-rest-api"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-portal-server"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-notifications-api"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-portal-frontend"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-umc-gateway"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-umc-server"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-provisioning-nats-box"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-keycloak-extensions-handler"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-keycloak-extensions-proxy"
|
||||
kind: "Deployment"
|
||||
app: "univention-management-stack"
|
||||
- resource: "intercom-service"
|
||||
kind: "Deployment"
|
||||
app: "intercom-service"
|
||||
- resource: "dovecot"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-documentconverter"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-guidedtours"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-imageconverter"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-gotenberg"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-ui-middleware"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-ui-middleware-updater"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-ui"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-core-user-guide"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-guard-ui"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-nextcloud-integration-ui"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "open-xchange-public-sector-ui"
|
||||
kind: "Deployment"
|
||||
app: "open-xchange"
|
||||
- resource: "opendesk-nextcloud-apache2"
|
||||
kind: "Deployment"
|
||||
app: "nextcloud"
|
||||
- resource: "opendesk-nextcloud-exporter"
|
||||
kind: "Deployment"
|
||||
app: "nextcloud"
|
||||
- resource: "opendesk-nextcloud-php"
|
||||
kind: "Deployment"
|
||||
app: "nextcloud"
|
||||
- resource: "collabora"
|
||||
kind: "Deployment"
|
||||
app: "collabora"
|
||||
- resource: "jitsi-jibri"
|
||||
kind: "Deployment"
|
||||
app: "jitsi"
|
||||
- resource: "jitsi-jicofo"
|
||||
kind: "Deployment"
|
||||
app: "jitsi"
|
||||
- resource: "jitsi-jvb"
|
||||
kind: "Deployment"
|
||||
app: "jitsi"
|
||||
- resource: "jitsi-web"
|
||||
kind: "Deployment"
|
||||
app: "jitsi"
|
||||
- resource: "jitsi-opendesk-jitsi-keycloak-adapter"
|
||||
kind: "Deployment"
|
||||
app: "jitsi"
|
||||
- resource: "opendesk-element"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "opendesk-well-known"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "opendesk-synapse-web"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "opendesk-matrix-user-verification-service"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "matrix-neoboard-widget"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "matrix-neochoice-widget"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "matrix-neodatefix-widget"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "matrix-neodatefix-bot"
|
||||
kind: "Deployment"
|
||||
app: "element"
|
||||
- resource: "openproject-web"
|
||||
kind: "Deployment"
|
||||
app: "openproject"
|
||||
- resource: "openproject-worker"
|
||||
kind: "Deployment"
|
||||
app: "openproject"
|
||||
- resource: "mariadb-bootstrap"
|
||||
kind: "Job"
|
||||
app: "services"
|
||||
- resource: "postgresql-bootstrap"
|
||||
kind: "Job"
|
||||
app: "services"
|
||||
- resource: "minio-provisioning"
|
||||
kind: "Job"
|
||||
app: "services"
|
||||
- resource: "ums-stack-data-ums-1"
|
||||
kind: "Job"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-stack-data-swp-1"
|
||||
kind: "Job"
|
||||
app: "univention-management-stack"
|
||||
- resource: "ums-keycloak-bootstrap-bootstrap-1"
|
||||
kind: "Job"
|
||||
app: "univention-management-stack"
|
||||
- resource: "opendesk-keycloak-bootstrap-bootstrap-1"
|
||||
kind: "Job"
|
||||
app: "univention-management-stack"
|
||||
- resource: "opendesk-open-xchange-bootstrap"
|
||||
kind: "Job"
|
||||
app: "open-xchange"
|
||||
- resource: "opendesk-nextcloud-management-1"
|
||||
kind: "Job"
|
||||
app: "nextcloud"
|
||||
- resource: "jitsi-opendesk-jitsi"
|
||||
kind: "Job"
|
||||
app: "jitsi"
|
||||
- resource: "opendesk-matrix-user-verification-service-bootstrap"
|
||||
kind: "Job"
|
||||
app: "element"
|
||||
- resource: "matrix-neodatefix-bot-bootstrap"
|
||||
kind: "Job"
|
||||
app: "element"
|
||||
- resource: "opendesk-openproject-bootstrap-bootstrap-1"
|
||||
kind: "Job"
|
||||
app: "openproject-bootstrap"
|
||||
# # Has timestamp in resource name - not supported yet.
|
||||
# - resource: "openproject-seeder-*"
|
||||
# kind: "Job"
|
||||
# - resource: "ums-store-dav-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "ums-udm-rest-api-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "ums-portal-server-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "ums-notifications-api-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "ums-portal-frontend-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "ums-provisioning-nats-test-request-reply"
|
||||
# kind: "Pod"
|
||||
# - resource: "ums-provisioning-provisioning-api-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-core-guidedtours-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-gotenberg-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-core-ui-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-core-user-guide-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-guard-ui-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-nextcloud-integration-ui-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "open-xchange-public-sector-ui-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "jitsi-prosody-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "jitsi-web-test-connection"
|
||||
# kind: "Pod"
|
||||
# - resource: "openproject-test-connection"
|
||||
# kind: "Pod"
|
||||
...
|
||||
@@ -5,51 +5,164 @@ pod:
|
||||
- name: "require-tag-and-digest"
|
||||
rule: "require-tag-and-digest"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "disallow-default-serviceaccount"
|
||||
rule: "require-sa"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-imagepullsecrets"
|
||||
rule: "require-imagepullsecrets"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "disallow-latest-tag"
|
||||
rule: "validate-image-tag"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-imagepullpolicy-always"
|
||||
rule: "require-imagepullpolicy-always"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-health-and-liveness-check"
|
||||
rule: "require-health-and-liveness-check"
|
||||
type: "required"
|
||||
excludeKinds:
|
||||
- "Job"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-storage"
|
||||
rule: "require-storageclass-pvc"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "PersistentVolumeClaim"
|
||||
- name: "require-storage"
|
||||
rule: "require-storageclass-pod"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- name: "require-storage"
|
||||
rule: "require-storage-size-pvc"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "PersistentVolumeClaim"
|
||||
- name: "require-storage"
|
||||
rule: "require-storage-size-pod"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- name: "require-requests-limits"
|
||||
rule: "validate-resources"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "restrict-image-registries"
|
||||
rule: "validate-registries"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-ro-rootfs"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-no-privilege-escalation"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-all-capabilities-dropped"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-no-privileged"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-run-as-user"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-run-as-group"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-seccomp-profile"
|
||||
type: "required"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
- name: "require-containersecuritycontext"
|
||||
rule: "require-run-as-non-root"
|
||||
type: "optional"
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
- "Deployment"
|
||||
- "Job"
|
||||
- "Pod"
|
||||
- "DaemonSet"
|
||||
...
|
||||
|
||||
61
.kyverno/policies/require-storage.yaml
Normal file
61
.kyverno/policies/require-storage.yaml
Normal file
@@ -0,0 +1,61 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
apiVersion: "kyverno.io/v1"
|
||||
kind: "ClusterPolicy"
|
||||
metadata:
|
||||
name: "require-storage"
|
||||
spec:
|
||||
background: true
|
||||
rules:
|
||||
- match:
|
||||
resources:
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
name: "require-storageclass-pod"
|
||||
validate:
|
||||
message: "VolumeClaims inside pods need to have storageClass set when templated."
|
||||
pattern:
|
||||
spec:
|
||||
(volumeClaimTemplates):
|
||||
- spec:
|
||||
storageClassName: "kyverno-test"
|
||||
- match:
|
||||
resources:
|
||||
kinds:
|
||||
- "PersistentVolumeClaim"
|
||||
name: "require-storageclass-pvc"
|
||||
validate:
|
||||
message: "Persistent Volume Claim need to have storageClassName set when templated."
|
||||
pattern:
|
||||
spec:
|
||||
storageClassName: "kyverno-test"
|
||||
|
||||
- match:
|
||||
resources:
|
||||
kinds:
|
||||
- "StatefulSet"
|
||||
name: "require-storage-size-pod"
|
||||
validate:
|
||||
message: "VolumeClaims inside pods need to have storageClass set when templated."
|
||||
pattern:
|
||||
spec:
|
||||
(volumeClaimTemplates):
|
||||
- spec:
|
||||
resources:
|
||||
requests:
|
||||
storage: "42Gi"
|
||||
- match:
|
||||
resources:
|
||||
kinds:
|
||||
- "PersistentVolumeClaim"
|
||||
name: "require-storage-size-pvc"
|
||||
validate:
|
||||
message: "Persistent Volume Claim need to have storageClassName set when templated."
|
||||
pattern:
|
||||
spec:
|
||||
resources:
|
||||
requests:
|
||||
storage: "42Gi"
|
||||
validationFailureAction: "audit"
|
||||
...
|
||||
46
CHANGELOG.md
46
CHANGELOG.md
@@ -1,3 +1,49 @@
|
||||
## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Complete CI var usage for external registry ([3bcdcd0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3bcdcd06b7c4829686f11b8f065ec38829b5a5a6))
|
||||
* **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/250ef2bc3fe9047b49b236b606ec3e3fa28e13ce))
|
||||
* **collabora:** Add chart validation ([0159902](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01599022f14d447dfdadf390ca9e8e29668dfb07))
|
||||
* **collabora:** Bump to 23.05.9.1.1 ([b525a81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b525a814fc25867c068579d5cbd8d1a993144519))
|
||||
* **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6f0b1f37fc06c40bf537dbaed60f314341211e41))
|
||||
* **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc7eeb8c9d3dd19f625d6f7ba94b15eb4b782d20))
|
||||
* **docs:** Add generated security-context.md ([d9e07ff](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9e07ff7bd0e8be090f4fe2c370fa9978c22dfd5))
|
||||
* **element:** Change name of neodatefix bot job ([dd535da](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dd535daac0bb0e602eefa45e8dc448fd07fbdd33))
|
||||
* **element:** Disable e2ee ([ba0824b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ba0824bac30ae1fc43458bdc8c09a143076e874c))
|
||||
* **helmfile:** Add additional provisioning components and configuration ([110ff56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/110ff56f7487e7ac89b1b75c8c63d04e1c2a41c0))
|
||||
* **helmfile:** Add seLinuxOptions for all applications ([02d04fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02d04faa2a8d8a0b3bfc179cc8efb3fec086bc70))
|
||||
* **helmfile:** Annotations in image.yaml ([7ebbd03](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ebbd03bdcb11abf4e459035c459b74adf8cfcda))
|
||||
* **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d2b1f0b07b5ebe4b98b2dc29b916857e28ce5706))
|
||||
* **helmfile:** Fix annotations in images.yaml ([acaec3b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/acaec3b8ac6e0ecd58167fca874cd56caa15fa98))
|
||||
* **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8f832619864504eaa04945a9a79d6790d2ab8a48))
|
||||
* **helmfile:** Improve debugging ([56f5e35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56f5e35895c712440c1a7d249be672c86fc34eeb))
|
||||
* **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2b8acfba85d384ed425779fa52133935e553e86))
|
||||
* **nextcloud:** Set backchannel logout url ([c0fc225](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0fc225349794034feea1d0c05b29068b9a455af))
|
||||
* **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd2a66f8f2a987aa71872122267f29aee3d5f22a))
|
||||
* **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d95e7ab2a71097d8c6231bff8c3a6aa3b6f163a))
|
||||
* **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7c9f38f06e1f0d000992ecdfd77921d6fc28015c))
|
||||
* **open-xchange:** Bump Gotenberg image ([49f126d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/49f126d169759b3e9dd130101e64892822750d7b))
|
||||
* **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/139607186549f7a9a129023f1f72aff82cf36460))
|
||||
* **openproject:** Bump version to 13.3.0 ([c2087ef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2087efcf95bf2eef19556ba1a1d26b7807021c4))
|
||||
* **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee1a337ab5dea7001045860eb6a5bee1dfc84219))
|
||||
* **univention-management-stack:** Patches not applied to uldap ([2909e1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2909e1d821397797244d7c11c0935a3bbc902bb1))
|
||||
* **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83ac645faec748e773dd7940ca0ca1102bd6dff3))
|
||||
* **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c16c0ac7955e64254214d7129ae70d5dd8808743))
|
||||
* **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6c15dc1d668623ddd95090e321d1bb268e681db5))
|
||||
* **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/affa92cde2caa175707f8ae0e8d4adedbdceb608))
|
||||
* **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cabee0c9da3a32e180931b3bd490ba8f83aadb79))
|
||||
|
||||
## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **nextcloud:** Correct indent in monitoring resources ([bea1413](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bea1413b860aa69cab3bb4a9dfb6d8593594cc25))
|
||||
* **services:** Monitoring for minio with correct labels and there are no prometheusRule ([af63e5c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/af63e5c18dbd6d7d1e1ebd79ad91c4f994fe7003))
|
||||
* **univention-management-stack:** Fix external registry for nats charts ([cbb33b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cbb33b922d397467d01a9227f3eb18d789cdc39c))
|
||||
|
||||
## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)
|
||||
|
||||
|
||||
|
||||
92
README.md
92
README.md
@@ -5,65 +5,59 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
<h1>openDesk Deployment Automation</h1>
|
||||
|
||||
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
|
||||
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
|
||||
|
||||
It features:
|
||||
- Fully integrated Identity Management (Univention)
|
||||
- File storage (Nextcloud)
|
||||
- Weboffice (Collabora)
|
||||
- Videoconference (Nordeck w/ Jitsi)
|
||||
- Chat and Collaboration (Element w/ Nordeck)
|
||||
- Groupware (OX Appsuite)
|
||||
- Wiki (XWiki)
|
||||
- Project Management (OpenProject)
|
||||
- Notes and Diagrams (Cryptpad)
|
||||
|
||||
openDesk integrates these components and is working towards a seamless user experience.
|
||||
|
||||
While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
|
||||
align the applications with the best practises regarding container design and operations.
|
||||
|
||||
This documentation aims to give you all that is needed to set up your own instance of the openDesk.
|
||||
Basic knowledge of Kubernetes and Devops is required though.
|
||||
|
||||
<!-- TOC -->
|
||||
* [Active development notice](#active-development-notice)
|
||||
* [Feedback](#feedback)
|
||||
* [Overview](#overview)
|
||||
* [Disclaimer](#disclaimer)
|
||||
* [Requirements](#requirements)
|
||||
* [Getting started](#getting-started)
|
||||
* [Advanced customization](#advanced-customization)
|
||||
* [Releases](#releases)
|
||||
* [Components](#components)
|
||||
* [Feedback](#feedback)
|
||||
* [License](#license)
|
||||
* [Copyright](#copyright)
|
||||
<!-- TOC -->
|
||||
|
||||
# Active development notice
|
||||
# Overview
|
||||
|
||||
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
|
||||
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
|
||||
|
||||
openDesk currently features the following functional main components:
|
||||
|
||||
| Function | Functional Component | Component<br/>Version | Upstream Documentation |
|
||||
| -------------------- | --------------------------- | --------------------- | ----------------- |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Diagram editor | Cryptpad ft. diagrams.net | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
|
||||
| File management | Nextcloud | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
|
||||
| Groupware | OX Appsuite | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
|
||||
| Knowledge management | XWiki | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
|
||||
| Portal & IAM | Nubus | Product Preview[^1] | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
|
||||
| Project management | OpenProject | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
|
||||
| Videoconferencing | Jitsi | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
|
||||
| Weboffice | Collabora | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
|
||||
|
||||
While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
|
||||
align the applications with best practises regarding container design and operations.
|
||||
|
||||
This documentation aims to give you all that is needed to set up your own instance of the openDesk.
|
||||
|
||||
Basic knowledge of Kubernetes and DevOps processes is required though.
|
||||
|
||||
# Disclaimer
|
||||
|
||||
openDesk will face breaking changes in the near future without upgrade paths before
|
||||
[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
|
||||
v1.0.0 is reached.
|
||||
|
||||
While most components support upgrades, major configuration or component changes may occur, therefore we recommend
|
||||
at the moment always installing from scratch.
|
||||
from scratch installations for now.
|
||||
|
||||
Components that are going to be replaced soon are:
|
||||
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
|
||||
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
|
||||
In the next months, we not only expect to integrate upstream updates of the functional components to include their
|
||||
most recent feature and security sets, but also to address operational topics like scalability for the openDesk
|
||||
platform.
|
||||
|
||||
In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
|
||||
are also going to address operational issues like monitoring and network policies.
|
||||
|
||||
Of course, further development also includes enhancing the documentation.
|
||||
|
||||
# Feedback
|
||||
|
||||
We love to get feedback from you!
|
||||
Related to the deployment / contents of this repository,
|
||||
please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
|
||||
|
||||
If you want to address other topics, please check the section
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
Of course, further development also includes enhancing the documentation itself.
|
||||
|
||||
# Requirements
|
||||
|
||||
@@ -93,16 +87,26 @@ The following release artefacts are provided beside the default source code asse
|
||||
- `chart-index.json`: An overview of all Helm charts used by the release.
|
||||
- `image-index.json`: An overview of all container images used by the release.
|
||||
|
||||
⟶ Visit out detailed [Workflow](./docs/workflow.md) docs.
|
||||
⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
|
||||
|
||||
# Components
|
||||
|
||||
⟶ Visit our detailed [Component](./docs/components.md) docs.
|
||||
|
||||
# Feedback
|
||||
|
||||
We love to get feedback from you!
|
||||
|
||||
Related to the deployment / contents of this repository,
|
||||
please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
|
||||
|
||||
If you want to address other topics, please check the section
|
||||
["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
|
||||
|
||||
# License
|
||||
|
||||
This project uses the following license: Apache-2.0
|
||||
|
||||
# Copyright
|
||||
Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
|
||||
Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
|
||||
@@ -58,12 +58,14 @@ Some use cases require inter component integration.
|
||||
```mermaid
|
||||
flowchart TD
|
||||
OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
|
||||
Element-->|CentralNavigation|IntercomService
|
||||
IntercomService-->|SilentLogin, TokenExchange|IdP
|
||||
IntercomService-->|Filepicker|Nextcloud
|
||||
IntercomService-->|CentralNavigation|Portal
|
||||
OXAppSuiteBackend-->|Filepicker|Nextcloud
|
||||
Nextcloud-->|CentralNavigation|Portal
|
||||
OpenProject-->|CentralNavigation|Portal
|
||||
OpenProject-->|Filestore|Nextcloud
|
||||
XWiki-->|CentralNavigation|Portal
|
||||
Nextcloud-->|CentralContacts|OXAppSuiteBackend
|
||||
OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
|
||||
@@ -124,7 +126,7 @@ flowchart TD
|
||||
A[OX AppSuite]-->L
|
||||
D[OX Dovecot]-->L
|
||||
P[Portal/Admin]-->L
|
||||
X[XWiki]-->|in 2023|L
|
||||
X[XWiki]-->L
|
||||
A-->K
|
||||
N-->K
|
||||
D-->K
|
||||
|
||||
83
docs/debugging.md
Normal file
83
docs/debugging.md
Normal file
@@ -0,0 +1,83 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Debugging</h1>
|
||||
|
||||
* [Disclaimer](#disclaimer)
|
||||
* [Enable debugging](#enable-debugging)
|
||||
* [Components](#components)
|
||||
* [MariaDB](#mariadb)
|
||||
* [Nextcloud](#nextcloud)
|
||||
* [OpenProject](#openproject)
|
||||
* [PostgreSQL](#postgresql)
|
||||
|
||||
# Disclaimer
|
||||
|
||||
This document collects information how to deal with debugging an openDesk deployment.
|
||||
|
||||
It will be extended over time as we have to deal with debugging cases.
|
||||
|
||||
We for sure do not want to reinvent the wheel, so we might link to external sources that contain helpful
|
||||
information where available.
|
||||
|
||||
**Note:** You should never enable debug in production environments! By looking up `debug.enable` in the deployment you
|
||||
will find the various places changes are applied when enabling debugging. So outside of development and test
|
||||
environments you may want to make use of them in a very thoughtful and selective manner if needed.
|
||||
|
||||
# Enable debugging
|
||||
|
||||
Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
|
||||
component's loglevel to debug and it get some features like:
|
||||
- The `/admin` console is routed for Keycloak.
|
||||
- An ingress for `http://minio-console.<your_domain>` is configured.
|
||||
and set the loglevel for components to "Debug".
|
||||
|
||||
**Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
|
||||
|
||||
# Components
|
||||
|
||||
## MariaDB
|
||||
|
||||
When using the openDesk bundled MariaDB you can explore database(s) using the MariaDB interactive terminal from the pod's command line: `mariadb -u root -p`. As password provide the value for `MARIADB_ROOT_PASSWORD` set in the pod's environment.
|
||||
|
||||
While you will find all details for the CLI tool in [the online documentation](https://mariadb.com/kb/en/mariadb-command-line-client/), some quick commands are:
|
||||
|
||||
- `help`: Get help on the psql command set
|
||||
- `show databases`: Lists all databases
|
||||
- `use <databasename>`: Connect to `<databasename>`
|
||||
- `show tables`: Lists tables within the currently connected database
|
||||
- `quit`: Quit the client
|
||||
|
||||
## Nextcloud
|
||||
|
||||
`occ` is the CLI for Nextcloud, all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
|
||||
|
||||
You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
|
||||
|
||||
## OpenProject
|
||||
|
||||
OpenProject is a Ruby on Rails application. Therefore you can make use of the Rails console from the pod's command line `bundle exec rails console`
|
||||
|
||||
and run debug code like this:
|
||||
|
||||
```
|
||||
uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
|
||||
Net::HTTP.start(uri.host, uri.port,
|
||||
:use_ssl => uri.scheme == 'https') do |http|
|
||||
request = Net::HTTP::Get.new uri
|
||||
response = http.request request # Net::HTTPResponse object
|
||||
end
|
||||
```
|
||||
|
||||
## PostgreSQL
|
||||
|
||||
When using the openDesk bundled PostgreSQL you can explore database(s) using the PostgreSQL interactive terminal from the pod's command line: `psql -U postgres`.
|
||||
|
||||
While you will find all details in the [psql subsection](https://www.postgresql.org/docs/current/app-psql.html)) of the PostgreSQL documentation, some quick commands are:
|
||||
|
||||
- `\?`: Get help on the psql command set
|
||||
- `\l`: Lists all databases
|
||||
- `\c <databasename>`: Connect to `<databasename>`
|
||||
- `\dt`: List (describe) tables within the currently connected database
|
||||
- `\q`: Quit the client
|
||||
@@ -356,17 +356,12 @@ by your specified subdomain.
|
||||
# Replace with your namespace
|
||||
NAMESPACE=your-namespace
|
||||
|
||||
# Get credentials from ConfigMap
|
||||
kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
|
||||
| yq '.properties.username,.properties.password'
|
||||
# default.user
|
||||
# 40615..............................e9e2f
|
||||
# ---
|
||||
# default.admin
|
||||
# bdbbb..............................04db6
|
||||
# Get ConfigMap with credentials
|
||||
kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}'
|
||||
```
|
||||
|
||||
Now you can log in with obtained credentials:
|
||||
Renders you a two part ConfigMap where the `username` and `password` attributes in the `properties`
|
||||
section provide you with the desired information to login with the two default user roles:
|
||||
|
||||
| Username | Password | Description |
|
||||
|-----------------|--------------------------------------------|------------------|
|
||||
|
||||
@@ -70,3 +70,4 @@ grafana:
|
||||
|:----------|-----------------------------------|-------------------------|---------------------|
|
||||
| Collabora | :white_check_mark: | :white_check_mark: | :white_check_mark: |
|
||||
| Nextcloud | :white_check_mark: | :x: | :x: |
|
||||
| XWiki | :white_check_mark: | :x: | :x: |
|
||||
|
||||
227
docs/security-context.md
Normal file
227
docs/security-context.md
Normal file
@@ -0,0 +1,227 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
<h1>Kubernetes Security Context</h1>
|
||||
|
||||
* [Container Security Context](#container-security-context)
|
||||
* [allowPrivilegeEscalation](#allowprivilegeescalation)
|
||||
* [capabilities](#capabilities)
|
||||
* [privileged](#privileged)
|
||||
* [runAsUser](#runasuser)
|
||||
* [runAsGroup](#runasgroup)
|
||||
* [seccompProfile](#seccompprofile)
|
||||
* [readOnlyRootFilesystem](#readonlyrootfilesystem)
|
||||
* [runAsNonRoot](#runasnonroot)
|
||||
* [Status quo](#status-quo)
|
||||
|
||||
# Container Security Context
|
||||
|
||||
|
||||
The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
|
||||
|
||||
## allowPrivilegeEscalation
|
||||
|
||||
|
||||
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
```
|
||||
|
||||
## capabilities
|
||||
|
||||
|
||||
Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
|
||||
|
||||
|
||||
**Optimal:**
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
```
|
||||
|
||||
|
||||
**Allowed:**
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "NET_BIND_SERVICE"
|
||||
```
|
||||
|
||||
## privileged
|
||||
|
||||
|
||||
Privileged Pods disable most security mechanisms and must be disallowed.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
privileged: false
|
||||
```
|
||||
|
||||
## runAsUser
|
||||
|
||||
|
||||
Containers should set a user id >= 1000 and never use 0 (root) as user.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
runAsUser: 1000
|
||||
```
|
||||
|
||||
## runAsGroup
|
||||
|
||||
|
||||
Containers should set a group id >= 1000 and never use 0 (root) as user.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
runAsGroup: 1000
|
||||
```
|
||||
|
||||
## seccompProfile
|
||||
|
||||
|
||||
Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
```
|
||||
|
||||
|
||||
or
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
seccompProfile:
|
||||
type: "Localhost"
|
||||
```
|
||||
|
||||
## readOnlyRootFilesystem
|
||||
|
||||
|
||||
Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
```
|
||||
|
||||
## runAsNonRoot
|
||||
|
||||
|
||||
Containers must be required to run as non-root users.
|
||||
|
||||
```yaml
|
||||
containerSecurityContext:
|
||||
runAsNonRoot: true
|
||||
```
|
||||
|
||||
# Status quo
|
||||
|
||||
|
||||
openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
|
||||
|
||||
|
||||
The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
|
||||
|
||||
|
||||
This list gives you an overview of templated security settings and if they comply with security standards:
|
||||
|
||||
|
||||
- **yes**: Value is set to `true`
|
||||
- **no**: Value is set to `false`
|
||||
- **n/a**: No explicitly templated in openDesk and default is used.
|
||||
|
||||
| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
|
||||
| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
|
||||
| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
|
||||
| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
|
||||
| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
|
||||
| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
|
||||
| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
|
||||
| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
|
||||
| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
|
||||
| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
|
||||
| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
|
||||
| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
|
||||
| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
|
||||
| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
|
||||
| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
|
||||
| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
|
||||
| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
|
||||
| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
|
||||
| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
|
||||
| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
|
||||
| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
|
||||
| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
|
||||
| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
|
||||
| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
|
||||
| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
|
||||
| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
|
||||
| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
|
||||
| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
|
||||
| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
|
||||
| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
|
||||
| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
|
||||
| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
|
||||
| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
|
||||
| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
|
||||
| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
|
||||
| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
|
||||
| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
|
||||
|
||||
|
||||
This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)
|
||||
@@ -15,89 +15,21 @@ This document should cover the current status of security measurements.
|
||||
|
||||
# Helm Chart Trust Chain
|
||||
|
||||
Helm charts are signed and validated against GPG keys which could be found in `helmfile/files/gpg-pubkeys`.
|
||||
Helm charts are signed and validated against GPG keys which can be found in `helmfile/files/gpg-pubkeys`.
|
||||
|
||||
All charts except these are verifiable:
|
||||
For more details on Chart validation please visit: https://helm.sh/docs/topics/provenance/
|
||||
|
||||
All charts except the ones mentioned below are verifiable:
|
||||
|
||||
| Repository | Verifiable |
|
||||
|-------------------|:----------:|
|
||||
| collabora-repo | no |
|
||||
| open-xchange-repo | no |
|
||||
|
||||
# Kubernetes Security Enforcements
|
||||
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Nextcloud | opendesk-nextcloud-apache2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
|
||||
| | opendesk-nextcloud-cron | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
|
||||
| | opendesk-nextcloud-exporter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
|
||||
| | opendesk-nextcloud-management | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 65532 | 65532 | 65532 |
|
||||
| | opendesk-nextcloud-php | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
|
||||
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| | opendeskOpenprojectBootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
|
||||
| Univention Management Stack | guardian-authorization-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | guardian-management-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | guardian-management-ui | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| | keycloak-bootstrap | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| | keycloak-extension-handler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloak-extension-proxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | ldap-notifier | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | ldap-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | notifications-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | opendesk-keycloak-bootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
|
||||
| | open-policy-agent | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | provisioning-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | udm-rest-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | umc-gateway | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | umc-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
|
||||
|
||||
# NetworkPolicies
|
||||
|
||||
|
||||
@@ -8,6 +8,8 @@ repositories:
|
||||
# Collabora Online
|
||||
# Source: https://github.com/CollaboraOnline/online
|
||||
- name: "collabora-online-repo"
|
||||
keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
|
||||
verify: {{ .Values.charts.collabora.verify }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
|
||||
@@ -126,7 +126,7 @@ securityContext:
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
- "MKNOD"
|
||||
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
...
|
||||
|
||||
@@ -63,12 +63,14 @@ securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
runAsUser: 4001
|
||||
runAsGroup: 4001
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
configuration:
|
||||
endToEndEncryption: false
|
||||
additionalConfiguration:
|
||||
logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
|
||||
|
||||
@@ -109,6 +110,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.element }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -14,6 +14,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -14,6 +14,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -21,4 +21,20 @@ image:
|
||||
tag: {{ .Values.images.synapseCreateUser.tag | quote }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
fullnameOverride: "matrix-neodatefix-bot-bootstrap"
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
|
||||
|
||||
...
|
||||
|
||||
@@ -35,6 +35,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
|
||||
|
||||
extraEnvVars:
|
||||
- name: "ACCESS_TOKEN"
|
||||
@@ -42,6 +43,8 @@ extraEnvVars:
|
||||
secretKeyRef:
|
||||
name: "matrix-neodatefix-bot-account"
|
||||
key: "access_token"
|
||||
- name: "ENABLE_CRYPTO"
|
||||
value: "false"
|
||||
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
@@ -18,6 +18,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -35,4 +35,5 @@ securityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
|
||||
...
|
||||
|
||||
@@ -8,13 +8,13 @@ containerSecurityContext:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
# TODO: the service can't run with read only filesystem or as non-root
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsGroup: 101
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 101
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
|
||||
|
||||
extraEnvVars:
|
||||
- name: "UVS_ACCESS_TOKEN"
|
||||
|
||||
@@ -14,6 +14,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -76,8 +76,10 @@ containerSecurityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10991
|
||||
runAsGroup: 10991
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -18,6 +18,7 @@ containerSecurityContext:
|
||||
runAsUser: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -7,12 +7,14 @@ containerSecurityContext:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
|
||||
|
||||
global:
|
||||
domain: {{ .Values.global.domain | quote }}
|
||||
|
||||
@@ -14,6 +14,7 @@ containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
privileged: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
@@ -22,6 +23,7 @@ containerSecurityContext:
|
||||
runAsUser: 1993
|
||||
runAsGroup: 1993
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
@@ -63,8 +65,17 @@ jitsi:
|
||||
resources:
|
||||
{{ .Values.resources.jitsi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
|
||||
prosody:
|
||||
image:
|
||||
repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
|
||||
@@ -102,8 +113,17 @@ jitsi:
|
||||
size: {{ .Values.persistence.size.prosody | quote }}
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
|
||||
jicofo:
|
||||
replicaCount: {{ .Values.replicas.jicofo }}
|
||||
image:
|
||||
@@ -115,8 +135,17 @@ jitsi:
|
||||
resources:
|
||||
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
|
||||
jvb:
|
||||
replicaCount: {{ .Values.replicas.jvb }}
|
||||
image:
|
||||
@@ -129,8 +158,17 @@ jitsi:
|
||||
service:
|
||||
type: {{ .Values.cluster.service.type | quote }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
|
||||
jibri:
|
||||
replicaCount: {{ .Values.replicas.jibri }}
|
||||
image:
|
||||
@@ -143,8 +181,9 @@ jitsi:
|
||||
resources:
|
||||
{{ .Values.resources.jibri | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
# Chart does not allow to template more
|
||||
capabilities:
|
||||
add: ["SYS_ADMIN"]
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
@@ -156,10 +195,18 @@ patchJVB:
|
||||
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
|
||||
image:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
|
||||
|
||||
@@ -14,6 +14,9 @@ global:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "opendesk-nextcloud-php"
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
|
||||
|
||||
configuration:
|
||||
administrator:
|
||||
username: "nextcloud"
|
||||
@@ -77,12 +80,17 @@ containerSecurityContext:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
|
||||
|
||||
debug:
|
||||
loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
|
||||
@@ -95,4 +103,5 @@ theme:
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
|
||||
|
||||
...
|
||||
|
||||
@@ -18,12 +18,14 @@ exporter:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
|
||||
repository: "{{ .Values.images.nextcloudExporter.repository }}"
|
||||
@@ -33,11 +35,11 @@ exporter:
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
|
||||
prometheusRule:
|
||||
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
|
||||
additionalLabels:
|
||||
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
|
||||
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
|
||||
replicas: {{ .Values.replicas.nextcloudExporter }}
|
||||
resources:
|
||||
{{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
|
||||
@@ -69,12 +71,18 @@ php:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
|
||||
cron:
|
||||
successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
|
||||
debug:
|
||||
loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
|
||||
repository: "{{ .Values.images.nextcloudPHP.repository }}"
|
||||
@@ -84,11 +92,11 @@ php:
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
|
||||
prometheusRule:
|
||||
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
|
||||
additionalLabels:
|
||||
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
|
||||
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
|
||||
replicas: {{ .Values.replicas.nextcloudPHP }}
|
||||
resources:
|
||||
{{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
|
||||
@@ -103,12 +111,14 @@ apache2:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
|
||||
@@ -66,6 +66,7 @@ containerSecurityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
|
||||
@@ -32,12 +32,15 @@ nextcloud-integration-ui:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
|
||||
|
||||
public-sector-ui:
|
||||
image:
|
||||
@@ -56,12 +59,15 @@ public-sector-ui:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
|
||||
|
||||
appsuite:
|
||||
appsuite-toolkit:
|
||||
@@ -121,8 +127,11 @@ appsuite:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
|
||||
hooks:
|
||||
beforeAppsuiteStart:
|
||||
create-guard-dir.sh: |
|
||||
@@ -344,8 +353,10 @@ appsuite:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
|
||||
|
||||
core-ui-middleware:
|
||||
enabled: true
|
||||
@@ -384,9 +395,10 @@ appsuite:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
|
||||
core-cacheservice:
|
||||
enabled: false
|
||||
|
||||
@@ -400,23 +412,23 @@ appsuite:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
|
||||
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
|
||||
podSecurityContext:
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
|
||||
|
||||
core-documents-collaboration:
|
||||
enabled: false
|
||||
@@ -455,8 +467,10 @@ appsuite:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
|
||||
|
||||
core-imageconverter:
|
||||
enabled: true
|
||||
@@ -470,23 +484,23 @@ appsuite:
|
||||
endpoint: "."
|
||||
accessKey: "."
|
||||
secretKey: "."
|
||||
podSecurityContext:
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 987
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
resources:
|
||||
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
# missing:
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
|
||||
|
||||
guard-ui:
|
||||
enabled: true
|
||||
@@ -509,9 +523,10 @@ appsuite:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
|
||||
core-spellcheck:
|
||||
enabled: false
|
||||
|
||||
@@ -537,6 +552,8 @@ appsuite:
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
|
||||
...
|
||||
|
||||
@@ -38,6 +38,7 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
|
||||
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
|
||||
|
||||
@@ -9,6 +9,7 @@ global:
|
||||
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
allowPrivilegeEscalation: false
|
||||
@@ -19,11 +20,12 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
|
||||
|
||||
environment:
|
||||
# For more details and more options see
|
||||
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
|
||||
OPENPROJECT_LOG__LEVEL: {{ .Values.debug.logLevel | lower | quote }}
|
||||
OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
|
||||
OPENPROJECT_LOGIN__REQUIRED: "true"
|
||||
OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
|
||||
OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
|
||||
|
||||
@@ -17,10 +17,10 @@ ingress:
|
||||
|
||||
oxConnector:
|
||||
caCert: "ucctempldapstring"
|
||||
debugLevel: "5"
|
||||
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
|
||||
domainName: {{ .Values.global.domain | quote }}
|
||||
ldapHost: {{ .Values.ldap.host | quote }}
|
||||
logLevel: {{ .Values.debug.logLevel | quote }}
|
||||
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
|
||||
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
ldapBaseDn: "dc=swp-ldap,dc=internal"
|
||||
ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
|
||||
@@ -79,6 +79,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
|
||||
@@ -8,12 +8,14 @@ clamd:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
|
||||
repository: {{ .Values.images.clamd.repository | quote }}
|
||||
@@ -31,6 +33,15 @@ containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsNonRoot: false
|
||||
capabilities:
|
||||
drop: []
|
||||
privileged: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
|
||||
|
||||
freshclam:
|
||||
containerSecurityContext:
|
||||
@@ -39,12 +50,14 @@ freshclam:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
|
||||
repository: {{ .Values.images.freshclam.repository | quote }}
|
||||
@@ -71,10 +84,12 @@ icap:
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
|
||||
repository: {{ .Values.images.icap.repository | quote }}
|
||||
@@ -97,10 +112,12 @@ milter:
|
||||
enabled: true
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
|
||||
repository: {{ .Values.images.milter.repository | quote }}
|
||||
|
||||
@@ -7,10 +7,14 @@ containerSecurityContext:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -17,6 +17,7 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -7,11 +7,14 @@ containerSecurityContext:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
|
||||
@@ -24,9 +24,12 @@ containerSecurityContext:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
|
||||
|
||||
defaultBuckets: "openproject,openxchange,ums,nextcloud"
|
||||
|
||||
@@ -40,6 +43,7 @@ image:
|
||||
tag: "{{ .Values.images.minio.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
{{- if .Values.debug.enabled }}
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName }}
|
||||
@@ -50,6 +54,7 @@ ingress:
|
||||
secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
annotations:
|
||||
nginx.org/websocket-services: "minio"
|
||||
{{- end }}
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
@@ -62,8 +67,8 @@ mode: "standalone"
|
||||
metrics:
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
|
||||
prometheusRule:
|
||||
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
|
||||
additionalLabels:
|
||||
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
|
||||
|
||||
networkPolicy:
|
||||
enabled: false
|
||||
@@ -80,6 +85,8 @@ provisioning:
|
||||
enabled: true
|
||||
cleanupAfterFinished:
|
||||
enabled: true
|
||||
extraCommands:
|
||||
- "mc anonymous set download provisioning/ums/portal-assets"
|
||||
buckets:
|
||||
- name: "openproject"
|
||||
versioning: true
|
||||
@@ -87,8 +94,8 @@ provisioning:
|
||||
- name: "openxchange"
|
||||
versioning: true
|
||||
withLock: false
|
||||
- name: "ums"
|
||||
versioning: true
|
||||
- name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
|
||||
versioning: false
|
||||
withLock: false
|
||||
- name: "nextcloud"
|
||||
versioning: true
|
||||
@@ -155,7 +162,7 @@ provisioning:
|
||||
policies:
|
||||
- "openxchange-bucket-policy"
|
||||
setPolicies: true
|
||||
- username: "ums_user"
|
||||
- username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
|
||||
password: {{ .Values.secrets.minio.umsUser | quote }}
|
||||
disabled: false
|
||||
policies:
|
||||
|
||||
@@ -14,6 +14,10 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
privileged: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
|
||||
|
||||
global:
|
||||
imagePullSecrets:
|
||||
@@ -27,7 +31,7 @@ image:
|
||||
|
||||
persistence:
|
||||
size: {{ .Values.persistence.size.postfix | quote }}
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
|
||||
@@ -14,6 +14,7 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
|
||||
|
||||
job:
|
||||
|
||||
|
||||
@@ -19,6 +19,7 @@ image:
|
||||
|
||||
master:
|
||||
containerSecurityContext:
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
@@ -29,6 +30,7 @@ master:
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
|
||||
count: {{ .Values.replicas.redis }}
|
||||
persistence:
|
||||
size: {{ .Values.persistence.size.redis | quote }}
|
||||
|
||||
@@ -34,13 +34,6 @@ repositories:
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
|
||||
- name: "ums-store-dav-repo"
|
||||
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
|
||||
verify: {{ .Values.charts.umsStoreDav.verify }}
|
||||
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
|
||||
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
|
||||
oci: true
|
||||
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
|
||||
- name: "ums-ldap-server-repo"
|
||||
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
|
||||
verify: {{ .Values.charts.umsLdapServer.verify }}
|
||||
@@ -219,15 +212,6 @@ releases:
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "ums-store-dav"
|
||||
chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
|
||||
version: "{{ .Values.charts.umsStoreDav.version }}"
|
||||
values:
|
||||
- "values-common.yaml.gotmpl"
|
||||
- "values-store-dav.yaml.gotmpl"
|
||||
installed: {{ .Values.univentionManagementStack.enabled }}
|
||||
timeout: 900
|
||||
|
||||
- name: "ums-ldap-server"
|
||||
chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
|
||||
version: "{{ .Values.charts.umsLdapServer.version }}"
|
||||
|
||||
@@ -7,7 +7,7 @@ guardianAuthorizationApi:
|
||||
guardianAuthzAdapterAppPersistencePort: "udm_data"
|
||||
guardianAuthzAdapterPolicyPort: "opa"
|
||||
guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
|
||||
guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
|
||||
guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
|
||||
guardianAuthzLoggingStructured: false
|
||||
guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
|
||||
home: "/guardian_service_dir"
|
||||
@@ -51,5 +51,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
|
||||
|
||||
...
|
||||
|
||||
@@ -16,7 +16,7 @@ guardianManagementApi:
|
||||
guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
|
||||
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
|
||||
guardianManagementAdapterResourceAuthorizationPort: "always"
|
||||
guardianManagementLoggingLevel: "DEBUG"
|
||||
guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
|
||||
guardianManagementLoggingStructured: false
|
||||
guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
|
||||
guardianManagementBaseUrl: "http://0.0.0.0:8000"
|
||||
@@ -69,5 +69,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
|
||||
|
||||
...
|
||||
|
||||
@@ -42,5 +42,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
|
||||
|
||||
...
|
||||
|
||||
@@ -22,6 +22,12 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
|
||||
|
||||
volumes:
|
||||
claims:
|
||||
|
||||
@@ -45,11 +45,11 @@ ldapServer:
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
|
||||
persistence:
|
||||
data:
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
sharedData:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
|
||||
shared:
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
sharedRun:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
|
||||
|
||||
securityContext:
|
||||
@@ -72,6 +72,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
@@ -40,5 +40,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
|
||||
|
||||
...
|
||||
|
||||
@@ -42,5 +42,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
|
||||
|
||||
...
|
||||
|
||||
@@ -195,7 +195,7 @@ config:
|
||||
authorizationServicesEnabled: false
|
||||
attributes:
|
||||
backchannel.logout.session.required: true
|
||||
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
|
||||
backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
|
||||
post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
|
||||
protocolMappers:
|
||||
- name: "context"
|
||||
@@ -597,6 +597,7 @@ containerSecurityContext:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
|
||||
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
|
||||
|
||||
@@ -106,5 +106,9 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
|
||||
...
|
||||
|
||||
@@ -23,8 +23,8 @@ persistence:
|
||||
|
||||
portalListener:
|
||||
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
|
||||
assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
|
||||
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
|
||||
assetsRootPath: "portal-assets"
|
||||
ucsInternalPath: "portal-data"
|
||||
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
ldapHost: {{ .Values.ldap.host | quote }}
|
||||
@@ -35,12 +35,16 @@ portalListener:
|
||||
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
|
||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||
udmApiUsername: "cn=admin"
|
||||
debugLevel: "4"
|
||||
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
|
||||
tlsMode: "off"
|
||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||
udmApiUsername: "cn=admin"
|
||||
umcGetUrl: "http://ums-umc-server/get"
|
||||
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
||||
objectStorageEndpoint: "http://minio:9000"
|
||||
objectStorageBucket: "ums"
|
||||
objectStorageAccessKeyId: "ums_user"
|
||||
objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
|
||||
@@ -71,5 +75,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
|
||||
|
||||
...
|
||||
|
||||
@@ -16,9 +16,13 @@ portalServer:
|
||||
editable: "false"
|
||||
umcGetUrl: "http://ums-umc-server/get"
|
||||
umcSessionUrl: "http://ums-umc-server/get/session-info"
|
||||
logLevel: {{ .Values.debug.logLevel | quote }}
|
||||
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
|
||||
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
|
||||
ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
|
||||
ucsInternalPath: "portal-data"
|
||||
objectStorageEndpoint: "http://minio:9000"
|
||||
objectStorageBucket: "ums"
|
||||
objectStorageAccessKeyId: "ums_user"
|
||||
objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
|
||||
centralNavigation:
|
||||
enabled: true
|
||||
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
@@ -46,5 +50,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
|
||||
|
||||
...
|
||||
|
||||
@@ -3,15 +3,110 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
|
||||
repository: {{ .Values.images.umsProvisioning.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsProvisioning.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
|
||||
dispatcher:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
|
||||
repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
|
||||
|
||||
events-and-consumer-api:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
|
||||
repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
rootPath: "/univention/provisioning-api"
|
||||
ingress:
|
||||
# copied from values-common.yaml.gotmpl
|
||||
# Intentionally not using the Ingress configuration of the UMS stack at the
|
||||
# moment, since it does depend on rewriting capabilities of the ingress
|
||||
# controller. Those are encapsulated into the release "stack-gateway" so that
|
||||
# the compatibility with all ingress controllers is increased.
|
||||
enabled: false
|
||||
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
|
||||
|
||||
udm-listener:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
|
||||
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
config:
|
||||
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
|
||||
ldapHost: {{ .Values.ldap.host | quote }}
|
||||
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
|
||||
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "CHOWN"
|
||||
- "DAC_OVERRIDE"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "SETGID"
|
||||
- "SETUID"
|
||||
- "SETPCAP"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "NET_RAW"
|
||||
- "SYS_CHROOT"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
|
||||
|
||||
nats:
|
||||
global:
|
||||
@@ -21,26 +116,22 @@ nats:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
|
||||
container:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
natsBox:
|
||||
container:
|
||||
image:
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
reloader:
|
||||
image:
|
||||
repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
|
||||
tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
|
||||
registry: {{ .Values.global.imageRegistry }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
provisioningApi:
|
||||
rootPath: "/univention/provisioning-api"
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
...
|
||||
|
||||
@@ -44,7 +44,7 @@ selfserviceListener:
|
||||
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
notifierServer: {{ .Values.ldap.notifierHost | quote }}
|
||||
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
|
||||
debugLevel: "4"
|
||||
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
|
||||
tlsMode: "off"
|
||||
umcServerUrl: "http://ums-umc-server"
|
||||
umcAdminUser: "default.admin"
|
||||
@@ -69,5 +69,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
|
||||
|
||||
...
|
||||
|
||||
@@ -25,6 +25,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
|
||||
|
||||
stackDataContext:
|
||||
ldapBase: "dc=swp-ldap,dc=internal"
|
||||
|
||||
@@ -25,6 +25,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
|
||||
|
||||
stackDataContext:
|
||||
idpSamlMetadataUrlInternal: null
|
||||
@@ -43,7 +48,6 @@ stackDataContext:
|
||||
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
|
||||
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
|
||||
|
||||
|
||||
stackDataUms:
|
||||
loadDevData: true
|
||||
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
|
||||
@@ -22,8 +22,9 @@ image:
|
||||
{{- end }}
|
||||
|
||||
persistence:
|
||||
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
|
||||
data:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
|
||||
@@ -48,6 +49,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
|
||||
|
||||
storeDav:
|
||||
auth:
|
||||
|
||||
@@ -47,6 +47,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
|
||||
|
||||
udmRestApi:
|
||||
# TODO: Stub value currently
|
||||
|
||||
@@ -54,5 +54,10 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
|
||||
|
||||
...
|
||||
|
||||
@@ -90,6 +90,11 @@ securityContext:
|
||||
privileged: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
|
||||
|
||||
umcServer:
|
||||
certPemFile: "/var/secrets/ssl/tls.crt"
|
||||
|
||||
@@ -60,11 +60,13 @@ containerSecurityContext:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: false
|
||||
privileged: false
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
|
||||
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
|
||||
|
||||
@@ -40,9 +40,11 @@ handler:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
privileged: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
|
||||
postgresql:
|
||||
@@ -59,6 +61,10 @@ proxy:
|
||||
nginx.org/proxy-buffer-size: "8k"
|
||||
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
|
||||
paths:
|
||||
{{- if .Values.debug.enabled }}
|
||||
- pathType: "Prefix"
|
||||
path: "/admin"
|
||||
{{- end }}
|
||||
- pathType: "Prefix"
|
||||
path: "/realms"
|
||||
- pathType: "Prefix"
|
||||
@@ -78,10 +84,12 @@ proxy:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
|
||||
...
|
||||
|
||||
@@ -25,7 +25,7 @@ config:
|
||||
user: {{ .Values.databases.keycloak.username | quote }}
|
||||
database: {{ .Values.databases.keycloak.name | quote }}
|
||||
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
|
||||
logLevel: {{ .Values.debug.logLevel | quote }}
|
||||
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
|
||||
enableMetrics: true
|
||||
# The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
|
||||
# Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
|
||||
@@ -39,10 +39,12 @@ containerSecurityContext:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
|
||||
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
|
||||
@@ -35,6 +35,7 @@ podSecurityContext:
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -44,6 +45,7 @@ containerSecurityContext:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
@@ -171,22 +173,22 @@ serverBlock: |
|
||||
}
|
||||
|
||||
|
||||
## store-dav
|
||||
## object storage (minio)
|
||||
location /univention/portal/icons/entries/ {
|
||||
rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
|
||||
proxy_pass http://minio:9000;
|
||||
}
|
||||
location /univention/portal/icons/logos/ {
|
||||
rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
|
||||
proxy_pass http://minio:9000;
|
||||
}
|
||||
location /univention/selfservice/icons/entries/ {
|
||||
rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
|
||||
proxy_pass http://minio:9000;
|
||||
}
|
||||
location /univention/selfservice/icons/logos/ {
|
||||
rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
|
||||
proxy_pass http://ums-store-dav:80;
|
||||
rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
|
||||
proxy_pass http://minio:9000;
|
||||
}
|
||||
|
||||
|
||||
@@ -278,10 +280,10 @@ serverBlock: |
|
||||
proxy_pass http://ums-portal-frontend:80/;
|
||||
}
|
||||
|
||||
## provisioning-api
|
||||
## ums-provisioning
|
||||
location /univention/provisioning-api/ {
|
||||
rewrite ^/univention/provisioning-api(/.*)$ $1 break;
|
||||
proxy_pass http://ums-provisioning-provisioning-api:80;
|
||||
proxy_pass http://ums-provisioning-events-and-consumer-api:80;
|
||||
}
|
||||
|
||||
## guardian
|
||||
|
||||
@@ -18,9 +18,15 @@ externalDB:
|
||||
customKeyRef:
|
||||
enabled: false
|
||||
|
||||
|
||||
securityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
privileged: false
|
||||
runAsUser: 100
|
||||
runAsGroup: 101
|
||||
runAsNonRoot: true
|
||||
@@ -29,6 +35,8 @@ containerSecurityContext:
|
||||
- "ALL"
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
|
||||
|
||||
customConfigs:
|
||||
xwiki.cfg:
|
||||
@@ -132,7 +140,7 @@ properties:
|
||||
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": {{ .Values.theme.colors.white | quote }}
|
||||
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
|
||||
# yamllint disable-line rule:line-length
|
||||
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": " li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd; height: 64px; } div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
|
||||
"property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd !important; height: 64px;} div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
|
||||
|
||||
"property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
|
||||
## Fields to search in when importing users from the administration UI (not completely in scope for now)
|
||||
@@ -158,12 +166,6 @@ replicaCount: {{ .Values.replicas.xwiki }}
|
||||
resources:
|
||||
{{ .Values.resources.xwiki | toYaml | nindent 2 }}
|
||||
|
||||
securityContext:
|
||||
enabled: true
|
||||
fsGroup: 101
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
|
||||
service:
|
||||
externalPort: 80
|
||||
enabled: true
|
||||
@@ -171,4 +173,11 @@ service:
|
||||
volumePermissions:
|
||||
enabled: true
|
||||
|
||||
prometheus:
|
||||
javaagent:
|
||||
enabled: {{ .Values.prometheus.podMonitors.enabled }}
|
||||
podmonitor:
|
||||
enabled: {{ .Values.prometheus.podMonitors.enabled }}
|
||||
labels:
|
||||
{{- toYaml .Values.prometheus.podMonitors.labels | nindent 6 }}
|
||||
...
|
||||
|
||||
@@ -46,7 +46,8 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
|
||||
name: "collabora-online"
|
||||
version: "1.1.8"
|
||||
version: "1.1.11"
|
||||
verify: true
|
||||
# @supplier: "Collabora"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '1', '8']
|
||||
@@ -59,7 +60,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
|
||||
name: "cryptpad"
|
||||
version: "0.0.17"
|
||||
version: "0.0.18"
|
||||
verify: true
|
||||
# @supplier: "XWiki"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
@@ -243,7 +244,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
|
||||
name: "opendesk-nextcloud"
|
||||
version: "1.3.3"
|
||||
version: "1.5.0"
|
||||
verify: true
|
||||
# @supplier: "openDesk"
|
||||
|
||||
@@ -255,7 +256,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
|
||||
name: "opendesk-nextcloud-management"
|
||||
version: "1.3.3"
|
||||
version: "1.5.0"
|
||||
verify: true
|
||||
# @supplier: "openDesk"
|
||||
|
||||
@@ -267,7 +268,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/external/charts/bitnami-charts"
|
||||
name: "nginx"
|
||||
version: "15.5.1"
|
||||
version: "15.9.3"
|
||||
verify: true
|
||||
# @supplier: "openDesk"
|
||||
|
||||
@@ -342,7 +343,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
|
||||
name: "opendesk-otterize"
|
||||
version: "1.7.0"
|
||||
version: "1.7.3"
|
||||
verify: true
|
||||
# @supplier: "openDesk"
|
||||
|
||||
@@ -580,7 +581,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "portal-frontend"
|
||||
version: "0.9.2"
|
||||
version: "0.14.0"
|
||||
verify: true
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
@@ -594,7 +595,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "portal-listener"
|
||||
version: "0.9.2"
|
||||
version: "0.14.0"
|
||||
verify: true
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
@@ -608,7 +609,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "portal-server"
|
||||
version: "0.9.2"
|
||||
version: "0.14.0"
|
||||
verify: true
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
@@ -617,16 +618,16 @@ charts:
|
||||
umsProvisioning:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/charts/univention/provisioning-api
|
||||
# upstreamRepository=souvap/tooling/charts/univention/provisioning
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "provisioning-api"
|
||||
version: "0.2.1"
|
||||
name: "provisioning"
|
||||
version: "0.9.5"
|
||||
verify: true
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '2', '1']
|
||||
# @mirrorFrom: ['0', '9', '5']
|
||||
|
||||
umsSelfserviceListener:
|
||||
# renovate:
|
||||
@@ -670,20 +671,6 @@ charts:
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '41', '8']
|
||||
|
||||
umsStoreDav:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/charts/univention/store-dav
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
|
||||
name: "store-dav"
|
||||
version: "0.9.3"
|
||||
verify: true
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '3']
|
||||
|
||||
umsUdmRestApi:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -734,7 +721,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
|
||||
name: "xwiki"
|
||||
version: "1.2.6"
|
||||
version: "1.3.0"
|
||||
verify: false
|
||||
# @supplier: "XWiki"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
|
||||
@@ -11,6 +11,9 @@ cleanup:
|
||||
# Keep additional resources, like certificates on deletion of this release.
|
||||
keepRessourceOnDelete: true
|
||||
debug:
|
||||
# Currently used in: umsKeycloak
|
||||
logLevel: "INFO"
|
||||
# should activate debug output in all components and even allow e.g. successfully executed jobs
|
||||
# to stay available. This is going to be implemented on a case by case basis when we actually
|
||||
# need debugging in a component.
|
||||
# Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
|
||||
enabled: false
|
||||
...
|
||||
|
||||
@@ -3,5 +3,5 @@
|
||||
---
|
||||
global:
|
||||
systemInformation:
|
||||
releaseVersion: "v0.5.75"
|
||||
releaseVersion: "v0.5.77"
|
||||
...
|
||||
|
||||
@@ -5,22 +5,23 @@ images:
|
||||
clamd:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=clamav/clamav
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
collabora:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/collabora
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/supplier/collabora/images
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/collabora/images-mirror/collabora"
|
||||
tag: "23.05.6.4.1@sha256:98e2107ba9dc7d69b146d9319473fb42249c5291ef5b570c8bd6eff941564697"
|
||||
repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
|
||||
tag: "23.05.9.1.1@sha256:9eeaf2795987d67cf6259f2942ea3318649fdf50beb939c895bef26a4c4dd146"
|
||||
# @supplier: "Collabora"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)\.\d+\.\d+$'
|
||||
# @mirrorFrom: ['23', '5', '6']
|
||||
|
||||
cryptpad:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -31,20 +32,21 @@ images:
|
||||
tag: "opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2"
|
||||
# @supplier: "XWiki"
|
||||
# @mirrorFilter: '^opendesk-(\d+)$'
|
||||
|
||||
dovecot:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/dovecot-public-sector
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/supplier/open-xchange/images/dovecot-public-sector
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/dovecot-public-sector"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images/dovecot-public-sector"
|
||||
tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['2', '3', '21']
|
||||
|
||||
element:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
|
||||
@@ -52,22 +54,27 @@ images:
|
||||
# @supplier: "Element"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '8', '0']
|
||||
|
||||
freshclam:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=clamav/clamav
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
icap:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/clamav-icap
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/clamav-icap"
|
||||
tag: "0.5.10@sha256:891f267a6b2a304616854ad2f013dc5d23f6f6c84d535c8b46e76d124fe39b6a"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
intercom:
|
||||
# renovate:
|
||||
# upstreamRegistry=quay.io
|
||||
@@ -79,6 +86,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '6']
|
||||
|
||||
jibri:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -90,6 +98,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^stable-(\d+)$'
|
||||
# @mirrorFrom: ['8922']
|
||||
|
||||
jicofo:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -101,6 +110,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^stable-(\d+)$'
|
||||
# @mirrorFrom: ['8922']
|
||||
|
||||
jitsi:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -112,6 +122,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^stable-(\d+)$'
|
||||
# @mirrorFrom: ['8922']
|
||||
|
||||
jitsiKeycloakAdapter:
|
||||
# renovate:
|
||||
# upstreamRegistry=ghcr.io
|
||||
@@ -123,6 +134,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^v(\d\d\d\d)(\d\d)(\d\d)$'
|
||||
# @mirrorFrom: ['2023', '12', '14']
|
||||
|
||||
jitsiPatchJVB:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -132,6 +144,7 @@ images:
|
||||
repository: "bitnami/kubectl"
|
||||
tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
|
||||
# @supplier: "Nordeck"
|
||||
|
||||
jvb:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -143,14 +156,17 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^stable-(\d+)$'
|
||||
# @mirrorFrom: ['8922']
|
||||
|
||||
mariadb:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=library/mariadb
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/mariadb"
|
||||
tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
matrixNeoBoardWidget:
|
||||
# renovate:
|
||||
# upstreamRegistry=ghcr.io
|
||||
@@ -162,6 +178,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '4', '0']
|
||||
|
||||
matrixNeoChoiceWidget:
|
||||
# renovate:
|
||||
# upstreamRegistry=ghcr.io
|
||||
@@ -173,6 +190,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '4', '0']
|
||||
|
||||
matrixNeoDateFixBot:
|
||||
# renovate:
|
||||
# upstreamRegistry=ghcr.io
|
||||
@@ -184,6 +202,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['2', '7', '0']
|
||||
|
||||
matrixNeoDateFixWidget:
|
||||
# renovate:
|
||||
# upstreamRegistry=ghcr.io
|
||||
@@ -195,6 +214,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '6', '0']
|
||||
|
||||
matrixUserVerificationService:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -206,70 +226,87 @@ images:
|
||||
# @supplier: "Element"
|
||||
# @mirrorFilter: '^v(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['3', '0', '0']
|
||||
|
||||
memcached:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=bitnami/memcached
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "bitnami/memcached"
|
||||
tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
milter:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=clamav/clamav
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
minio:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=bitnami/minio
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "bitnami/minio"
|
||||
tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
nextcloudApache2:
|
||||
# renovate:
|
||||
# registryUrl=registry.opencode.de
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
|
||||
tag: "1.1.7@sha256:f80bb93f0fda83143ebb35dab23dc02127609bed5dfa14bb659fc9ce6ebc6673"
|
||||
tag: "1.1.13@sha256:874567579cbe8604e22caa06e8d5de42c74e41deda2d47bd6b50ab3898dd3dd7"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
nextcloudExporter:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
|
||||
tag: "1.0.0@sha256:a05b0f7d7e919320285d2808ebcc20a7b7163204a1001d7d9fb5a97d97194081"
|
||||
tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
nextcloudManagement:
|
||||
# renovate:
|
||||
# registryUrl=registry.opencode.de
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
|
||||
tag: "1.0.11@sha256:969bdaaa24ef6091ecb8b63b4fb2f7925fa10eaf46d3997ec74f6414ac373a8d"
|
||||
tag: "1.3.1@sha256:a4b781a6926ca4e7a4c9c58af7a46e93b74364f1fc5c2fd65de2bce17f8efc30"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
nextcloudPHP:
|
||||
# renovate:
|
||||
# registryUrl=registry.opencode.de
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
|
||||
tag: "1.6.1@sha256:21e8584f10f19b263be76a93df2658e2e845e00548d1b176ee336eb1f0e15a50"
|
||||
tag: "1.8.1@sha256:4ad4a6ce6c8e01e1972fa19aae65b79d43aaf3f51083aa3c4302598fce2046c8"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
opendeskKeycloakBootstrap:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
|
||||
tag: "1.0.4@sha256:28eebb647180aef95d816a7d788891fa780f552f699c38cedddecbcef7a0bd1d"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
openproject:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -277,35 +314,41 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
|
||||
tag: "13.2.0@sha256:79e703d814bef918acff626f12b4301818263e4c95f90d889d0b83a06a195675"
|
||||
tag: "13.3.0@sha256:276c20d648d61da94b294b23ced29f65ff7f681fdca5592b6eca400457cddb49"
|
||||
# @supplier: "OpenProject"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['13', '1', '1']
|
||||
|
||||
openprojectBootstrap:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
|
||||
tag: "1.1.3@sha256:401afe66c418fd130088edbed5cc3b4464dc667eb609f194ea68fd30dcbd1e90"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
openprojectInitDb:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=postgres
|
||||
# upstreamRepository=library/postgres
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/postgres"
|
||||
tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
|
||||
# @supplier: "OpenProject"
|
||||
|
||||
openxchangeBootstrap:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=alpine/k8s
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "alpine/k8s"
|
||||
tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
openxchangeCoreGuidedtours:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -317,6 +360,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['8', '6', '0']
|
||||
|
||||
openxchangeCoreMW:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -328,6 +372,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['8', '20', '51']
|
||||
|
||||
openxchangeCoreUI:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -339,6 +384,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['8', '20', '1']
|
||||
|
||||
openxchangeCoreUIMiddleware:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -350,6 +396,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['2', '0', '0']
|
||||
|
||||
openxchangeCoreUserGuide:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -361,6 +408,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['8', '20', '799279']
|
||||
|
||||
openxchangeDocumentConverter:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -372,6 +420,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['8', '20', '50']
|
||||
|
||||
openxchangeGotenberg:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -379,10 +428,11 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
|
||||
tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
|
||||
tag: "8.0.3@sha256:1f4979e8cfde1c69f28c24604d19b3a11cf95c59b2a73db957c5af0a27a30ce8"
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['7', '9', '2']
|
||||
|
||||
openxchangeGuardUI:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -394,6 +444,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['4', '2', '2']
|
||||
|
||||
openxchangeImageConverter:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -405,6 +456,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['8', '20', '50']
|
||||
|
||||
openxchangeNextcloudIntegrationUI:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -416,6 +468,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '2', '0']
|
||||
|
||||
openxchangePublicSectorUI:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.open-xchange.com
|
||||
@@ -427,6 +480,7 @@ images:
|
||||
# @supplier: "Open-Xchange"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['2', '2', '1']
|
||||
|
||||
oxConnector:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -438,22 +492,27 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '4', '2']
|
||||
|
||||
postfix:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.opencode.de
|
||||
# upstreamRepository=bmi/opendesk/components/platform-development/images/postfix
|
||||
# dependencyType=platform
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/postfix"
|
||||
tag: "1.0.0@sha256:61e4661a7323101dfb51c85c5a48c345c75436f3f533176f049d2660d711a8a5"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
postgresql:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=library/postgres
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/postgres"
|
||||
tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
prosody:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -465,6 +524,7 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^stable-(\d+)$'
|
||||
# @mirrorFrom: ['8922']
|
||||
|
||||
redis:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -474,6 +534,7 @@ images:
|
||||
repository: "bitnami/redis"
|
||||
tag: "7.2.3-debian-11-r2@sha256:9ac3bbf7740969d32689e360ddcfa5f672538c47f6f6cf296173c3078de0edf2"
|
||||
# @supplier: "openDesk"
|
||||
|
||||
synapse:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -485,14 +546,17 @@ images:
|
||||
# @supplier: "Element"
|
||||
# @mirrorFilter: '^v(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '91', '2']
|
||||
|
||||
synapseCreateUser:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=alpine/k8s
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "alpine/k8s"
|
||||
tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
|
||||
# @supplier: "Nordeck"
|
||||
|
||||
synapseGuestModule:
|
||||
# renovate:
|
||||
# upstreamRegistry=ghcr.io
|
||||
@@ -504,25 +568,17 @@ images:
|
||||
# @supplier: "Nordeck"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '0', '0']
|
||||
|
||||
synapseWeb:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=rapidfort/haproxy-official
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "rapidfort/haproxy-official"
|
||||
tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
|
||||
# @supplier: "Element"
|
||||
umsConfigHtpasswd:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/univention/config-htpasswd
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/config-htpasswd"
|
||||
tag: "0.9.4@sha256:ba4f6fa2736a789c6c7413cc784bfadbeda1b3269fee29a871207f6f2ba2ee08"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
|
||||
umsDataLoader:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -534,6 +590,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '41', '5']
|
||||
|
||||
umsGuardianAuthorizationApi:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.software-univention.de
|
||||
@@ -545,6 +602,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '0', '0']
|
||||
|
||||
umsGuardianManagementApi:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.software-univention.de
|
||||
@@ -556,6 +614,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '0', '0']
|
||||
|
||||
umsGuardianManagementUi:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.software-univention.de
|
||||
@@ -567,6 +626,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '0', '0']
|
||||
|
||||
umsKeycloak:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.software-univention.de
|
||||
@@ -578,6 +638,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+).+$'
|
||||
# @mirrorFrom: ['22', '0', '3']
|
||||
|
||||
umsKeycloakBootstrap:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -589,6 +650,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '0', '5']
|
||||
|
||||
umsKeycloakExtensionHandler:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -596,10 +658,11 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
|
||||
tag: "0.0.3@sha256:b27d76b1a397bc776b0b7e652e318fd707da4bbfba81908ed3a7ca866b2ee8cc"
|
||||
tag: "0.2.0@sha256:ed3a391cb32b9bb9408a4b8e9839b6ee89cbab60149732cd51165a871a91c54d"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '0', '3']
|
||||
|
||||
umsKeycloakExtensionProxy:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -607,10 +670,11 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
|
||||
tag: "0.0.3@sha256:368c57fc4e730d2ad8e24b29f4c876f7e6dbd835a9913f5d0909159409cd5042"
|
||||
tag: "0.2.0@sha256:8b924ab47771b9aee07384e3d13106406d49b1e7ef7fc46648adb1f0fb401327"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '0', '3']
|
||||
|
||||
umsLdapNotifier:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -622,6 +686,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '8', '2']
|
||||
|
||||
umsLdapServer:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -633,6 +698,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '8', '2']
|
||||
|
||||
umsNotificationsApi:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -644,6 +710,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
|
||||
umsOpenPolicyAgent:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.software-univention.de
|
||||
@@ -655,16 +722,19 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['1', '0', '0']
|
||||
|
||||
umsPortalFrontend:
|
||||
# renovate:
|
||||
# registryUrl=https://registry.souvap-univention.de
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/univention/portal-frontend
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
|
||||
tag: "0.9.4@sha256:97887159fc4a7febdf663761a65b7fac2eb7b99b6dd042c7d63ce6b254ea6fb9"
|
||||
tag: "0.14.0@sha256:6f96a7479728e07c3d3311c85e1d14f7ef45f4d5bc5c9a008ce62203ef232f79"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
|
||||
umsPortalListener:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -672,10 +742,11 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
|
||||
tag: "0.9.4@sha256:1e03db8153cbff0825c4370526d5d44a6b9b92c643b0e605d1bfc762ebac3a31"
|
||||
tag: "0.14.0@sha256:5c86167d3a6ff7e85ff7e870596dd9864c1802b4f622c1f2378472744d4c4c34"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
|
||||
umsPortalServer:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -683,37 +754,77 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
|
||||
tag: "0.9.4@sha256:47c825f83b61799b287b11cf5c548e05000c21e7d071d1f2095fbba4c952d84c"
|
||||
tag: "0.14.0@sha256:d608db0692f9638e53101dabaf7749a9fbc29c316194f1977bd8986444f9f472"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
umsProvisioning:
|
||||
|
||||
umsProvisioningDispatcher:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/univention/provisioning-dispatch
|
||||
# upstreamRepository=souvap/tooling/images/univention/dispatcher
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatch"
|
||||
tag: "0.4.0@sha256:43fda35f02cfa7c4c6aaa42e561858f7b0b80485370c1e393cef3a4b8d7715c0"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/dispatcher"
|
||||
tag: "0.9.5@sha256:35bfe36c0f44070a514074804f740e9f3d60d2d1386757067d392bc2ebef9f84"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '4', '0']
|
||||
# @mirrorFrom: ['0', '9', '5']
|
||||
|
||||
umsProvisioningEventsAndConsumerApi:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/events-and-consumer-api"
|
||||
tag: "0.9.5@sha256:e8e9c40ccad460e4c837b7c0108de04b1ab9faf4d385ffd280e5326731a3116b"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '5']
|
||||
|
||||
umsProvisioningNats:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.io
|
||||
# upstreamRepository=nats
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=library/nats
|
||||
# dependencyType=external
|
||||
registry: "docker.io"
|
||||
repository: "nats"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/nats"
|
||||
tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
|
||||
# @supplier: "Univention"
|
||||
|
||||
umsProvisioningNatsBox:
|
||||
# renovate:
|
||||
# upstreamRegistry=docker.io
|
||||
# upstreamRepository=nats
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=natsio/nats-box
|
||||
# dependencyType=external
|
||||
registry: "docker.io"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "natsio/nats-box"
|
||||
tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
|
||||
# @supplier: "Univention"
|
||||
|
||||
umsProvisioningNatsReloader:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=natsio/nats-server-config-reloader
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "natsio/nats-server-config-reloader"
|
||||
tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
|
||||
# @supplier: "Univention"
|
||||
|
||||
umsProvisioningUdmListener:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/univention/udm-listener
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-listener"
|
||||
tag: "0.9.5@sha256:4550913a415e0ab17701a4475f87461836b74546cb9a89d452ac607e5b5dfdfb"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '5']
|
||||
|
||||
umsSelfserviceInvitation:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -725,6 +836,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '3', '2']
|
||||
|
||||
umsSelfserviceListener:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -736,6 +848,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '3', '2']
|
||||
|
||||
umsStackGateway:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
@@ -745,17 +858,7 @@ images:
|
||||
repository: "bitnami/nginx"
|
||||
tag: "1.25.3@sha256:40ce0d6b8f5fc174a4df8c59c8893164c540192ee862cb7253650a30d9dc3b73"
|
||||
# @supplier: "Univention"
|
||||
umsStoreDav:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
# upstreamRepository=souvap/tooling/images/univention/store-dav
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/store-dav"
|
||||
tag: "0.9.4@sha256:4a2c7675c15a244a3a8c002e030db425cdbe5cd7bf8c21ced4bac6f5252382bd"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
|
||||
umsUdmRestApi:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -767,6 +870,7 @@ images:
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '5', '2']
|
||||
|
||||
umsUmcGateway:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -774,10 +878,11 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
|
||||
tag: "0.7.3@sha256:e32cfe40cb0022d4084d89e9ae0367e559302c50d92223bd4c8905698141a3ef"
|
||||
tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '7', '3']
|
||||
|
||||
umsUmcServer:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -785,10 +890,11 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
|
||||
tag: "0.7.3@sha256:4de1e4164cd442cfd2e9fe0d8cc144e73872a53f493a64d735f5c635715e1437"
|
||||
tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '7', '3']
|
||||
|
||||
umsWaitForDependency:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry.souvap-univention.de
|
||||
@@ -796,18 +902,21 @@ images:
|
||||
# dependencyType=supplier
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
|
||||
tag: "0.9.4@sha256:63451fe519d557e52d5f99e21231594daebb2990eb734931172ad61543c443cb"
|
||||
tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
|
||||
# @supplier: "Univention"
|
||||
# @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
|
||||
# @mirrorFrom: ['0', '9', '4']
|
||||
|
||||
wellKnown:
|
||||
# renovate:
|
||||
# upstreamRegistry=registry-1.docker.io
|
||||
# upstreamRepository=library/nginx
|
||||
# dependencyType=external
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "library/nginx"
|
||||
tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
|
||||
# @supplier: "Element"
|
||||
|
||||
xwiki:
|
||||
# renovate:
|
||||
# upstreamRegistry=git.xwikisas.com:5050
|
||||
|
||||
@@ -12,4 +12,12 @@ objectstores:
|
||||
secret: ""
|
||||
username: "openproject_user"
|
||||
useIAMProfile: ""
|
||||
univentionManagementStack:
|
||||
backend: "minio"
|
||||
bucket: "ums"
|
||||
endpoint: ""
|
||||
region: ""
|
||||
secret: ""
|
||||
username: "ums_user"
|
||||
useIAMProfile: ""
|
||||
...
|
||||
|
||||
@@ -21,6 +21,5 @@ persistence:
|
||||
ldapServerShared: "1Gi"
|
||||
portalListener: "1Gi"
|
||||
selfserviceListener: "1Gi"
|
||||
storeDav: "1Gi"
|
||||
xwiki: "1Gi"
|
||||
...
|
||||
|
||||
@@ -466,13 +466,6 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
umsStoreDav:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "1Gi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "256Mi"
|
||||
umsUdmRestApi:
|
||||
limits:
|
||||
cpu: 99
|
||||
|
||||
@@ -24,9 +24,6 @@ secrets:
|
||||
administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
|
||||
userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
|
||||
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
|
||||
storeDavUsers:
|
||||
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
|
||||
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
|
||||
postgresql:
|
||||
postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
|
||||
keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
|
||||
|
||||
95
helmfile/environments/default/selinux.yaml
Normal file
95
helmfile/environments/default/selinux.yaml
Normal file
@@ -0,0 +1,95 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# Disclaimer:
|
||||
# We assume that you are very aware of what you are doing when working wih SELinux settings and that you can easily
|
||||
# break the affected components with these settings.
|
||||
---
|
||||
seLinuxOptions:
|
||||
clamavSimple: ~
|
||||
clamd: ~
|
||||
collabora: ~
|
||||
cryptpad: ~
|
||||
dovecot: ~
|
||||
element: ~
|
||||
freshclam: ~
|
||||
icap: ~
|
||||
intercom: ~
|
||||
# The Jibri Helm chart does not support setting the securityContext externally.
|
||||
#jibri: ~
|
||||
jicofo: ~
|
||||
jitsi: ~
|
||||
jitsiKeycloakAdapter: ~
|
||||
jitsiPatchJVB: ~
|
||||
jvb: ~
|
||||
mariadb: ~
|
||||
matrixNeoBoardWidget: ~
|
||||
matrixNeoChoiceWidget: ~
|
||||
matrixNeoDateFixBot: ~
|
||||
matrixNeoDateFixWidget: ~
|
||||
matrixUserVerificationService: ~
|
||||
memcached: ~
|
||||
milter: ~
|
||||
minio: ~
|
||||
nextcloudApache2: ~
|
||||
nextcloudExporter: ~
|
||||
nextcloudManagement: ~
|
||||
nextcloudPHP: ~
|
||||
opendeskKeycloakBootstrap: ~
|
||||
openproject: ~
|
||||
openprojectBootstrap: ~
|
||||
openprojectInitDb: ~
|
||||
openxchangeBootstrap: ~
|
||||
openxchangeCoreGuidedtours: ~
|
||||
openxchangeCoreMW: ~
|
||||
openxchangeCoreUI: ~
|
||||
openxchangeCoreUIMiddleware: ~
|
||||
openxchangeCoreUserGuide: ~
|
||||
openxchangeDocumentConverter: ~
|
||||
openxchangeGotenberg: ~
|
||||
openxchangeGuardUI: ~
|
||||
openxchangeImageConverter: ~
|
||||
openxchangeNextcloudIntegrationUI: ~
|
||||
openxchangePublicSectorUI: ~
|
||||
oxConnector: ~
|
||||
postfix: ~
|
||||
postgresql: ~
|
||||
prosody: ~
|
||||
redis: ~
|
||||
synapse: ~
|
||||
synapseCreateUser: ~
|
||||
synapseGuestModule: ~
|
||||
synapseWeb: ~
|
||||
umsConfigHtpasswd: ~
|
||||
umsDataLoader: ~
|
||||
umsGuardianAuthorizationApi: ~
|
||||
umsGuardianManagementApi: ~
|
||||
umsGuardianManagementUi: ~
|
||||
umsKeycloak: ~
|
||||
umsKeycloakBootstrap: ~
|
||||
umsKeycloakExtensionHandler: ~
|
||||
umsKeycloakExtensionProxy: ~
|
||||
umsLdapNotifier: ~
|
||||
umsLdapServer: ~
|
||||
umsNotificationsApi: ~
|
||||
umsOpenPolicyAgent: ~
|
||||
umsPortalFrontend: ~
|
||||
umsPortalListener: ~
|
||||
umsPortalServer: ~
|
||||
umsProvisioningDispatcher: ~
|
||||
umsProvisioningEventsAndConsumerApi: ~
|
||||
umsProvisioningNats: ~
|
||||
umsProvisioningNatsBox: ~
|
||||
umsProvisioningNatsReloader: ~
|
||||
umsProvisioningUdmListener: ~
|
||||
umsSelfserviceInvitation: ~
|
||||
umsSelfserviceListener: ~
|
||||
umsStackGateway: ~
|
||||
umsStoreDav: ~
|
||||
umsUdmRestApi: ~
|
||||
umsUmcGateway: ~
|
||||
umsUmcServer: ~
|
||||
umsWaitForDependency: ~
|
||||
wellKnown: ~
|
||||
xwiki: ~
|
||||
...
|
||||
@@ -5,4 +5,26 @@ SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
global:
|
||||
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
|
||||
persistence:
|
||||
storageClassNames:
|
||||
RWX: "kyverno-test"
|
||||
RWO: "kyverno-test"
|
||||
size:
|
||||
clamav: "42Gi"
|
||||
dovecot: "42Gi"
|
||||
mariadb: "42Gi"
|
||||
matrixNeoDateFixBot: "42Gi"
|
||||
minio: "42Gi"
|
||||
postfix: "42Gi"
|
||||
postgresql: "42Gi"
|
||||
prosody: "42Gi"
|
||||
redis: "42Gi"
|
||||
synapse: "42Gi"
|
||||
univentionManagementStack:
|
||||
ldapServerData: "42Gi"
|
||||
ldapServerShared: "42Gi"
|
||||
portalListener: "42Gi"
|
||||
selfserviceListener: "42Gi"
|
||||
storeDav: "42Gi"
|
||||
xwiki: "42Gi"
|
||||
...
|
||||
|
||||
6
helmfile/files/gpg-pubkeys/README.md
Normal file
6
helmfile/files/gpg-pubkeys/README.md
Normal file
@@ -0,0 +1,6 @@
|
||||
# GPG public keys
|
||||
|
||||
Place GPG public keys in binary format into this directory and reference them in the respective `helmfile.yaml`.
|
||||
|
||||
In case you have only an ASCII Armored file you can just base64 decode the payload of that file, but remember to
|
||||
**not include** the 4-letter checksum that is prefixed with an `=` sign at the end of the payload.
|
||||
BIN
helmfile/files/gpg-pubkeys/collaboraoffice-com.gpg
Normal file
BIN
helmfile/files/gpg-pubkeys/collaboraoffice-com.gpg
Normal file
Binary file not shown.
Reference in New Issue
Block a user