sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-07 07:51:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: sheppy:v0.5.80
Branches Tags
sheppy:develop sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1
..
compare: sheppy:acaceres/update-selfservice-to-use-provisioning
Branches Tags
sheppy:renovate/univention sheppy:renovate/openxchange sheppy:trossner/gpg-keys sheppy:trossner/mail_doc sheppy:tkaltenbrunner/fix-milter sheppy:ntretkowski/intercom-update sheppy:b1-boekhorst/nc_testing_encryption_bfp_nginx sheppy:trossner/ox_deputy sheppy:kuntke/size-profiles sheppy:trossner/misc_1.11.0 sheppy:feat/openproject/bump-16-6-2 sheppy:renovate/opf-helm-charts-openproject-11.x sheppy:rohland/selfsigned sheppy:sschmidt/feat_update_otterize sheppy:sell/opendesk-exporter sheppy:trossner/coco-update sheppy:renovate/lasuite-impress-y-provider-4.x sheppy:renovate/opf-helm-charts-openproject-10.x sheppy:renovate/openproject sheppy:renovate/nordeck sheppy:renovate/element sheppy:renovate/collabora sheppy:lender/test-externalsecrets sheppy:develop sheppy:rfischer/baseline_requirements_update_2025 sheppy:chore/kyverno-sec sheppy:sell/pythonic-charts-local sheppy:trossner/ox-jitsi sheppy:irondesk-preview sheppy:chore/open-xchange/update-8.43 sheppy:b1-boekhorst/nc_basicauth_testing sheppy:lluerenbaum/develop sheppy:rfischer/nc_sharereview_app sheppy:tkaltenbrunner/fix/new-element-chart sheppy:vpracht/demo sheppy:main sheppy:b1-boekhorst/nc_status_php sheppy:gaberb1/postfix-sasl-security-options sheppy:ntretkowski/nubus-v1.15.0 sheppy:ntretkowski/ox-connector-v0.32.2 sheppy:sschmidt/feat_add_otterize_chart sheppy:b1-boekhorst/nc_bfp sheppy:trossner/nc_31-0-9 sheppy:trossner/token_exchange sheppy:boekhorst/nc_31-0-10_testing sheppy:ntretkowski/nubus-v1.14.1 sheppy:tkaltenbrunner/fix/dovecot-migration sheppy:tkaltenbrunner/fix/dovecot-caches sheppy:tkaltenbrunner/fix/postfix-transport sheppy:chore/open-xchange/update-8.42 sheppy:dkaminski/ca_certs sheppy:dpapoutsis/bundled-keycloak-secrets sheppy:boekhorst/favicon_resize sheppy:irondesk sheppy:boekhorst/nc_31-0-9 sheppy:migration_test sheppy:sschmidt/fix_services_otterize_intents sheppy:mmeschter/nats-secrets-refactor sheppy:sccon_2025 sheppy:jtorres/ox-test sheppy:lender/feat-externalsecrets-xwiki sheppy:sschmidt/fix_nubus_opendesk_keycloak_bootstrap_annotation sheppy:ntretkowski/nubus-2fa-upgrade-fix sheppy:jlohmer/ox-connector-helm-unittests sheppy:mmeschter/develop sheppy:tkaltenbrunner/fix/ox-push-notification sheppy:cgarcia/develop sheppy:trossner/fix_storageclassnames sheppy:jconde/ox-groups-deletion sheppy:ntretkowski/nubus-v1.13.1 sheppy:jtorres/develop sheppy:tkaltenbrunner/fix/opendesk-impress-customization sheppy:jconde/develop sheppy:mgcm/test/mas-upstream sheppy:document-nordeck-widgets sheppy:trossner/upd_jitsi_10431 sheppy:chaack/feat_add_jitsi_patchJVB_backoffLimit sheppy:trossner/xwiki_solr_image sheppy:1.7+harbor-fixes sheppy:lender/feat-externalsecrets-notes sheppy:tkaltenbrunner/fix/dovecot-fts sheppy:lender/feat-externalsecrets-postfix-dovecot sheppy:heading-capitalization-harmonization sheppy:lender/feat-externalsecrets-minio sheppy:jconde/debug-no-portal-tiles sheppy:hermann/feat-support-nginx-security-defaults sheppy:jtorres/ox-connector-manager-tests sheppy:jtorres/1.12.0-kc-bootstrap sheppy:sell/prometheus-nats-exporter sheppy:jconde/ics-secret-refactor sheppy:tkaltenbrunner/fix/postfix-submissions sheppy:jconde/debug-ics-with-keycloak-26.3 sheppy:data_storage_doc sheppy:tkaltenbrunner/fix/coco-internal sheppy:sell/keycloak-metrics sheppy:jconde/ox-connector-fixes sheppy:jlohmer/ox-connector-test sheppy:gaberb1/wip-ci sheppy:weber/update-notes sheppy:lender/feat-externalsecrets-redis sheppy:lender/feat-externalsecrets-opendesk-services sheppy:lender/feat-externalsecrets-collabora sheppy:lender/feat-externalsecrets-cassandra sheppy:lender/feat-externalsecrets-nextcloud sheppy:lender/feat-externalsecrets-openproject-bootstrap sheppy:thollwed/doc-bawue-migration-dev sheppy:1.5+nats-fix sheppy:trossner/nc_31.0.5 sheppy:sell/nubus-liveness-customization sheppy:integration-opendesk-family sheppy:gsautner/fix_nc_custom_baseDn sheppy:tkaltenbrunner/fix/ox-external-secrets sheppy:tlatz/portal_update sheppy:jbornhold/tmp-portal-update sheppy:trossner/temp_kc26.2.2_preview sheppy:yschmidt/nubus-v1.9.1-twofa-helpdesk sheppy:mmoura/phone-dial-in sheppy:lender/feat-externalsecrets-mariadb sheppy:lender/feat-externalsecrets-postgresql sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap sheppy:thollwed/feat_readonly-filesystem-keycloak-bootstrap-1725.191 sheppy:ys/dev-helpdesk sheppy:tkaltenbrunner/fix/dovecot-acls sheppy:ox-vpracht/dovecot-conf sheppy:renovate/major-openproject sheppy:renovate/major-platform sheppy:renovate/lasuite-impress-y-provider-3.x sheppy:renovate/lasuite-impress-y-provider-2.x sheppy:renovate/xwiki sheppy:trossner/nc_notifypush sheppy:cnegrini/load sheppy:nic/feat/ZO-155_dialin_docs sheppy:feat/dovecot-config sheppy:yschmidt/s3-region-example sheppy:trossner/nubus_ox_consumer sheppy:yschmidt/s3-region-vars sheppy:jschulz/fix_nubus-consumer-pvc-size sheppy:el/t3chguy/element-web-modules sheppy:jahlers/2fa-helpdesk sheppy:trossner/notes_guest_access sheppy:thollwed/nubus-v1.6.0-integration sheppy:jschulz/fix_set_jitsi_element_antiaffinity sheppy:jbornhold/nubus-v1.6.0-s3-ingress sheppy:chore/open-xchange/release-8.34 sheppy:jconde/test-ox-packaging sheppy:jtorres/ox-extension-integration sheppy:jschulz/feat_helmfile-enable-intents sheppy:chore/openproject/15-3-changes sheppy:nc-main sheppy:fischer/review-apps sheppy:jconde/fix-intercom-element sheppy:trossner/nc_notify_push sheppy:docs/nubus-version sheppy:schneemann/ingress-nginx-max-version sheppy:jlohmer/configurable-udm-listener-password sheppy:jtorres/hotfix-ics-secret sheppy:jtorres/ics-redis-ssl sheppy:dkaminski/feat/annotations sheppy:trossner/fix/openproject sheppy:jconde/ox-connector-kyverno sheppy:jconde/ics-kyverno-changes sheppy:chore/open-xchange/bump-8-31 sheppy:mmoura/feat_test sheppy:dkaminski/fix/nubus-v0.72.0 sheppy:jconde/ics-filepicker-fix sheppy:trossner/update_migrs sheppy:nic/qa/develop sheppy:nic/fix/widgets-no-guests sheppy:uv-jconde/plain-nubus sheppy:nubus/main sheppy:uv-jbornhold/preview-fe sheppy:nic/fix/undo-439-add-widgets sheppy:jtorres/bump-0.60-cache-http sheppy:acaceres/develop sheppy:fix/trossner/dominiks_improvements sheppy:uv-jbornhold/plain-nubus-3 sheppy:nubus-update-2024-09-16-backup sheppy:trossner/nubus-update-2024-09-16-ldap-mig sheppy:nic/feat/matrix-neoboard-widget-1.19.1 sheppy:jconde/integrate-ox-connector sheppy:jbornhold/include-ldap-migration-script sheppy:acaceres/integrate-ox-connector sheppy:uv-jbornhold/plain-nubus-2 sheppy:jtorres/clients-fixup sheppy:jconde/system-information sheppy:jtorres/remove-admin-credentials sheppy:jbornhold/develop sheppy:chore/openproject/bump-14-5-0 sheppy:temp/trossner/kcupd-fr sheppy:nubus/fix-domain-configuration sheppy:uv-fix/default-service-loglevel sheppy:uv-jlohmer/consumer-race-condition sheppy:uv-jconde/umc-plain-login sheppy:uv-jconde/statefulset-keycloak sheppy:jlohmer/develop sheppy:fix/tkaltenbrunner/oxmonitoring sheppy:jtorres/udm-loader sheppy:nubus/tkintscher/fix-fsnotify-load sheppy:nubus/wip-jbornhold-test sheppy:jbornhold/small-fixes sheppy:nubus/jconde-test-users sheppy:feat/nubus-updates sheppy:uv-jlohmer/manual-deploy-jobs sheppy:uv-jtorres/login-tiles sheppy:uv-jbornhold/fix-e2e-test-configuration sheppy:uv-jlohmer/fix-feature-flag-typo sheppy:uv-jbornhold/fix-e2e-test-configuration-test sheppy:uv-acaceres/register-ox-connector sheppy:uv-jtorres/keycloak-upgrade sheppy:uv-jtorres/create-readonly-user sheppy:uv-acaceres/update-provisioning-and-stack-data sheppy:uv-jlohmer/selfservice-consumer sheppy:uv-jlohmer/provisioning-consumer-feature-flag sheppy:uv-jconde/test-email-e2e-tests sheppy:jlohmer/nubus-updates-provisioning sheppy:nubus/provisioning-consumer-integration sheppy:uv-dkaminski/cert-manager-support sheppy:uv-jbornhold/update-portal-frontend sheppy:uv-provisioning-consumer-integration sheppy:uv-jtorres/opendesk-udm-loader sheppy:uv-jtorres/ox-extensions-to-data-loader sheppy:uv-jbornhold/update-stack-data sheppy:uv-maildev-ci-setup sheppy:uv-jconde/umc-server-session-stickyness sheppy:uv-jbornhold/cleanup sheppy:uv-dtroeder/raise-helm-timeout sheppy:uv-dtroeder/prov-int-biscet sheppy:uv-spike-plain-nubus sheppy:jtorres/univention-keycloak-provisioning sheppy:fix/trossner/proxy_ips sheppy:uv-jlohmer/provisioning-consumer-integration sheppy:uv-jconde/menu-patches sheppy:jconde/use-nubus-umbrella sheppy:jconde/udm-rest-api-fix sheppy:sandersen/develop sheppy:b1-demo1 sheppy:jbornhold/tmp-test-od-main-0.9.0 sheppy:feat/use-nubus-umbrella-2 sheppy:OC000007901454-main-patch-76476 sheppy:jtorres/allow-theme-configuration sheppy:acaceres/debug-ox-error sheppy:101-add-configmap-checksum-check-to-postfix-helm-chart sheppy:trossner/fix/op_guests sheppy:renovate/platform sheppy:feat/ldap-scalability sheppy:jlohmer/split-provisioning-listener sheppy:feat/update-keycloak-related-charts sheppy:acaceres/update-selfservice-to-use-provisioning sheppy:feat/nubus-keycloak-extensions sheppy:feat/nubus-keycloak-bootstrap sheppy:feat/nubus-provisioning-with-selfservice sheppy:refactor/ums-umbrella-values sheppy:54-issue-with-invitation-password-reset-mails sheppy:nic/fix/ew-1.11.59-widget-sync sheppy:trossner/fix/renovate sheppy:nic/test/ew-1.11.59 sheppy:feat/mon-redis sheppy:feat/mon-jitsi sheppy:feat/mon-ox sheppy:feat/mon-xwiki sheppy:v0.5.74-patch1
sheppy:v1.10.0 sheppy:v1.9.0 sheppy:v1.8.0 sheppy:v1.7.1 sheppy:v1.7.0 sheppy:v1.6.0 sheppy:v1.5.0 sheppy:v1.4.1 sheppy:v1.4.0 sheppy:v1.3.2 sheppy:v1.3.1 sheppy:v1.3.0 sheppy:v1.2.1 sheppy:v1.2.0 sheppy:v1.1.2 sheppy:v1.1.1 sheppy:v1.1.0 sheppy:v1.0.0 sheppy:v0.9.0 sheppy:v0.8.1 sheppy:v0.8.0 sheppy:v0.7.1 sheppy:v0.7.0 sheppy:v0.6.0 sheppy:v0.5.81 sheppy:v0.5.80 sheppy:v0.5.79 sheppy:v0.5.78 sheppy:v0.5.74 sheppy:24.03 sheppy:v0.5.77 sheppy:v0.5.76 sheppy:v0.5.75 sheppy:v0.5.73 sheppy:v0.5.72 sheppy:v0.5.71 sheppy:v0.5.70 sheppy:v0.5.69 sheppy:v0.5.68 sheppy:v0.5.67 sheppy:v0.5.66 sheppy:v0.5.65 sheppy:v0.5.64 sheppy:v0.5.63 sheppy:v0.5.62 sheppy:v0.5.61 sheppy:v0.5.60 sheppy:v0.5.59 sheppy:v0.5.58 sheppy:v0.5.57 sheppy:v0.5.56 sheppy:v0.5.55 sheppy:v0.5.54 sheppy:v0.5.53 sheppy:v0.5.52 sheppy:v0.5.51 sheppy:v0.5.50 sheppy:v0.5.49 sheppy:v0.5.48 sheppy:v0.5.47 sheppy:v0.5.46 sheppy:v0.5.45 sheppy:v0.5.44 sheppy:v0.5.43 sheppy:v0.5.42 sheppy:v0.5.41 sheppy:v0.5.40 sheppy:v0.5.39 sheppy:v0.5.38 sheppy:23.12 sheppy:v0.5.37 sheppy:v0.5.36 sheppy:v0.5.35 sheppy:v0.5.34 sheppy:v0.5.33 sheppy:v0.5.32 sheppy:v0.5.31 sheppy:v0.5.30 sheppy:v0.5.29 sheppy:v0.5.28 sheppy:v0.5.27 sheppy:v0.5.26 sheppy:v0.5.25 sheppy:v0.5.24 sheppy:v0.5.23 sheppy:v0.5.22 sheppy:v0.5.21 sheppy:v0.5.20 sheppy:v0.5.19 sheppy:v0.5.18 sheppy:v0.5.17 sheppy:v0.5.16 sheppy:v0.5.15 sheppy:v0.5.14 sheppy:v0.5.13 sheppy:v0.5.12 sheppy:v0.5.11 sheppy:v0.5.10 sheppy:v0.5.9 sheppy:v0.5.8 sheppy:v0.5.7 sheppy:v0.5.6 sheppy:v0.5.5 sheppy:v0.5.4 sheppy:v0.5.3 sheppy:v0.5.2 sheppy:v0.5.1 sheppy:v0.5.0 sheppy:v0.4.9 sheppy:v0.4.8 sheppy:v0.4.7 sheppy:v0.4.6 sheppy:v0.4.5 sheppy:v0.4.4 sheppy:v0.4.3 sheppy:v0.4.2 sheppy:v0.4.1 sheppy:v0.4.0 sheppy:v0.3.2 sheppy:v0.3.1 sheppy:v0.3.0 sheppy:v0.2.10 sheppy:v0.2.9 sheppy:v0.2.8 sheppy:v0.2.7 sheppy:v0.2.6 sheppy:v0.2.5 sheppy:v0.2.4 sheppy:v0.2.3 sheppy:v0.2.2 sheppy:v0.2.1 sheppy:v0.2.0 sheppy:v0.1.2 sheppy:v0.1.1 sheppy:v0.1.0 sheppy:v0.0.6 sheppy:v0.0.5 sheppy:v0.0.4 sheppy:v0.0.3 sheppy:v0.0.2 sheppy:v0.0.1

44 Commits
v0.5.80 ... acaceres/u

Author SHA1 Message Date
Anton Caceres
f69de3cc33 fix: enable and set up provisioning 2024-05-14 11:01:43 +02:00
Anton Caceres
5766d0fedd fix: update chart ums, update provisioning and selfservice-listener images, update values-umbrella for selfservice-listener 2024-05-09 22:12:57 +02:00
Thorsten Roßner
d82d9e7e24 fix(helmfile): Use Open CoDE as default registry for Univention helm chart (#71) 2024-05-07 19:02:49 +02:00
Thorsten Roßner
bf9abfd279 fix(nextcloud): Bump to 28.0.5 incl. latest app versions 2024-05-07 19:02:49 +02:00
Thorsten Roßner
5520f81d10 fix(univention-management-stack): Bump Keycloak to 24.0.3 2024-05-07 19:02:49 +02:00
Thorsten Roßner
76967fd179 fix(nextcloud): Bump images to update integrartion_swp to 3.1.16 2024-05-07 19:02:49 +02:00
Thorsten Roßner
02b76d3f45 chore(release): 0.7.0 [skip ci] 
# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)

### Bug Fixes

* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](3dc648421b))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](b9ac5ecf2d))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](e9ec2f3a6e))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](2ad027082f))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](9be3b78761))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](d1bd43fa95))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](fefd2f6cae))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](cd225703eb))

### Features

* **element:** Add support for Matrix federation ([36139b4](36139b42f1))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](e6fe2a7c18))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](c7e217208c))
 2024-05-06 15:36:46 +00:00
Dominik Kaminski
36139b42f1 feat(element): Add support for Matrix federation 2024-05-06 16:43:36 +02:00
Dominik Kaminski
e6fe2a7c18 feat(helmfile): Introduce additional variables for mailDomain and synapseDomain 2024-05-05 23:22:35 +02:00
René Fischer
7cb2c2261b chore: Add missing global definition 2024-05-05 23:22:35 +02:00
René Fischer
4a2801c8a0 chore: Allow configuring a separate mail domain 2024-05-05 23:22:35 +02:00
Dominik Kaminski
b9ac5ecf2d fix(element): Provide the internal cluster domain to synapse web 2024-05-05 23:04:38 +02:00
Thorsten Roßner
fefd2f6cae fix(univention-management-stack): Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. 2024-04-30 17:17:57 +03:00
Johannes Bornhold
2ad027082f fix(univention-management-stack): Fix #55, #35 by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the ums-portal-listener stateful set before the update: kubectl -n <your_namespace> delete statefulsets ums-portal-listener 2024-04-30 10:32:26 +00:00
Jaime Conde
9be3b78761 fix(univention-management-stack): Migrate UDM-REST-API image to new Univention registry 2024-04-30 10:15:00 +00:00
Thorsten Roßner
3dc648421b fix(ci): Add debug option. Has to be supported by stage specific configuration containing: debug.enabled: {{ env "DEBUG_ENABLED" | default false }} 2024-04-30 08:17:09 +03:00
Dominik Kaminski
c7e217208c feat(services): Add opendesk-home service, which redirects on domain to portal 2024-04-16 08:45:14 +02:00
Johannes Bornhold
cd225703eb fix(univention-management-stack): Use the NATS related image configuration 2024-04-15 17:56:32 +02:00
Johannes Bornhold
e9ec2f3a6e fix(univention-management-stack): Add the image configuration for NATS 2024-04-15 17:54:14 +02:00
Thorsten Roßner
d1bd43fa95 fix(univention-management-stack): Objectstore credentials 2024-04-12 08:02:23 +02:00
Thorsten Roßner
76b7d41d5c chore(release): 0.6.0 [skip ci] 
# [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)

### Bug Fixes

* **helmfile:** Improve support for external Objectstore, and fix issue with DoveCot storageClassName ([1b748b6](1b748b6bf6)), closes [#57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/57) [#60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/60) [#56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/56)
* **nextcloud:** Bump to 28.0.4 ([cb33a92](cb33a929ef))
* **univention-management-stack:** add Guardian provisioning job image ([79c52d0](79c52d014c))
* **univention-management-stack:** Update UMC to 0.11.8 ([5e3f4fa](5e3f4faade))
* **univention-management-stack:** Use umbrella helm chart ([10ecb44](10ecb44aa6))
* **xwiki:** Bump to 15.10.8 and enable OIDC backchannel logout ([c395d35](c395d35dd7))

### Features

* **open-xchange:** Bump to 8.23 and remove Istio prerequisite ([3be3564](3be3564ec7))
 2024-04-11 16:35:01 +00:00
Dominik Kaminski
1b748b6bf6 fix(helmfile): Improve support for external Objectstore, and fix issue with DoveCot storageClassName 
[#57]: Add missing template for ObjectStore host in helm chart
[#60]: OpenProject dosn't set the correct Host when specifying an external Object Store
[#56]: Only template storageClassName when defined
 2024-04-11 15:53:35 +02:00
Dominik Kaminski
a943ca9a3c ci(gitlab): Deploy networkpolcies before all services to avoid race conditions 2024-04-11 07:44:43 +02:00
Thorsten Roßner
3be3564ec7 feat(open-xchange): Bump to 8.23 and remove Istio prerequisite 2024-04-11 07:44:23 +02:00
Thorsten Roßner
10ecb44aa6 fix(univention-management-stack): Use umbrella helm chart 2024-04-11 07:44:06 +02:00
Jaime Conde
79c52d014c fix(univention-management-stack): add Guardian provisioning job image 2024-04-11 07:44:06 +02:00
Andreas Niemann
5e3f4faade fix(univention-management-stack): Update UMC to 0.11.8 2024-04-11 07:43:42 +02:00
Thorsten Roßner
c395d35dd7 fix(xwiki): Bump to 15.10.8 and enable OIDC backchannel logout 2024-04-04 08:06:17 +02:00
Thorsten Roßner
cb33a929ef fix(nextcloud): Bump to 28.0.4 2024-04-03 09:11:09 +02:00
Thorsten Roßner
f94e9c4930 chore(release): 0.5.81 [skip ci] 
## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)

### Bug Fixes

* **docs:** Various updates ([50e2638](50e263866b))
* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](0fd4a26c71))
* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](0aa4cfb46f))
* **nextcloud:** Bump to 28.0.3 ([34d2c05](34d2c05959))
* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](5f9d015f0b))
* **open-xchange:** Bump to 8.22 ([5ebf291](5ebf291a4d))
* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](d565c057dd))
* **openproject:** Bump version to 13.4.1 ([7cc3964](7cc39647d8))
* **services:** Update Otterize Policies ([42f63e3](42f63e3992))
* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](5a39e8725b))
* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](8e889db63e))
* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](a41ddd5451))
* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](8c97bcf994))
 2024-03-28 10:46:46 +00:00
Thorsten Roßner
5f9d015f0b fix(nextcloud): Rename default shared folder to __Shared_with_me__ 2024-03-28 09:42:26 +01:00
Oliver Günther
7cc39647d8 fix(openproject): Bump version to 13.4.1 2024-03-27 09:45:22 +01:00
Sebastian König-Festl
8c97bcf994 fix(univention-management-stack): Update provisioning charts, images and helm value to add authentication 2024-03-26 13:53:50 +00:00
Andreas Niemann
5a39e8725b fix(univention-management-stack): Add missing authenticator secret mount to portal-server 2024-03-26 14:39:46 +01:00
Thorsten Roßner
34d2c05959 fix(nextcloud): Bump to 28.0.3 2024-03-26 10:37:49 +00:00
Dominik Kaminski
42f63e3992 fix(services): Update Otterize Policies 2024-03-26 09:42:07 +00:00
Andreas Niemann
81105d1e94 chore(univention-management-stack): Add ums umbrella chart to get it covered by the Open CoDE mirror. 2024-03-26 07:26:42 +01:00
Andreas Niemann
a41ddd5451 fix(univention-management-stack): Update ldap-notifier and ldap-server 2024-03-22 12:45:14 +01:00
Andreas Niemann
8e889db63e fix(univention-management-stack): Update LDAP server for BSI base security compliance 2024-03-21 08:28:06 +01:00
Thorsten Roßner
5ebf291a4d fix(open-xchange): Bump to 8.22 2024-03-20 13:54:17 +00:00
Oliver Günther
d565c057dd fix(openproject): Bump OpenProject to 13.4.0 2024-03-20 13:46:43 +01:00
Thorsten Roßner
50e263866b fix(docs): Various updates 2024-03-18 16:06:11 +01:00
Milton Moura
0fd4a26c71 fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 
Signed-off-by: Milton Moura <miltonmoura@gmail.com>
 2024-03-15 11:37:09 -01:00
Thorsten Roßner
0aa4cfb46f fix(helmfile): Fix OpenAPI validations for Kubernetes v1.28 2024-03-14 12:17:31 +01:00
69 changed files with 2246 additions and 3039 deletions
Expand all files Collapse all files

45
.gitlab-ci.yml
View File

@@ -1,4 +1,5 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
include:
@@ -11,6 +12,7 @@ include:
- local: "/.gitlab/generate/generate-docs.yml"
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
file: "gitlab/environments.yaml"
ref: "main"
- local: "/.gitlab/lint/lint-opendesk.yml"
rules:
- if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -18,7 +20,7 @@ include:
- when: "always"
- local: "/.gitlab/lint/lint-kyverno.yml"
rules:
- if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
- if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
when: "never"
- when: "always"
@@ -26,12 +28,13 @@ stages:
- ".pre"
- "scan"
- "automr"
- "lint"
- "env-cleanup"
- "env"
- "pre-services-deploy"
- "basic-services-deploy"
- "component-deploy-stage-1"
- "component-deploy-stage-2"
- "lint"
- "tests"
- "env-stop"
- ".post"
@@ -41,14 +44,23 @@ variables:
description: "The name of namespaces to deploy to."
value: ""
CLUSTER:
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
sovereign-workplace-env included above."
description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
value: "dev"
MASTER_PASSWORD_WEB_VAR:
description: "Optional: Provide a passphrase to be used for password generation."
description: >
Optional: Provide a seed to be used for generation of all internal secrets.
Same seed will result in same secrets.
value: ""
ENV_STOP_BEFORE:
description: "Stop environment/delete namespace for the deployment"
description: "Stop environment/delete namespace for the deployment."
value: "no"
options:
- "yes"
- "no"
DEBUG_ENABLED:
description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
value: "no"
options:
- "yes"
@@ -156,7 +168,7 @@ variables:
fi;
- >
echo "Installing ${COMPONENT} into ${NAMESPACE} namespace as ${HELMFILE_ENVIRONMENT} environment on ${CLUSTER}"
- "helmfile --namespace ${NAMESPACE} apply --suppress-diff"
- "helmfile --namespace ${NAMESPACE} apply --suppress-diff ${ADDITIONAL_ARGS}"
tags:
- "docker"
- "kubernetes"
@@ -213,6 +225,19 @@ env-start:
--dry-run=client -o yaml | kubectl apply -f -
stage: "env"
policies-deploy:
stage: "pre-services-deploy"
extends: ".deploy-common"
rules:
- if: >
$CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
$NAMESPACE =~ /.+/ &&
($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
when: "on_success"
variables:
COMPONENT: "services"
ADDITIONAL_ARGS: "-l name=opendesk-otterize"
services-deploy:
stage: "basic-services-deploy"
extends: ".deploy-common"
@@ -451,7 +476,7 @@ avscan-prepare:
$CI_PIPELINE_SOURCE =~ "push|merge_request_event"
when: "always"
- when: "never"
image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
script:
- |
cat << 'EOF' > dynamic-scans.yml
@@ -514,7 +539,7 @@ avscan-start:
# Overwrite shared settings
.common-semantic-release:
image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release-patched:1.0.0"
tags: []
conventional-commits-linter:
@@ -565,7 +590,7 @@ release:
- |
echo -e "\n[INFO] Writing data to helm value file..."
cat <<EOF >helmfile/environments/default/global.generated.yaml
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
global:

6
.kyverno/policies/template-image-registries.yaml
View File

@@ -24,10 +24,10 @@ spec:
pattern:
spec:
=(ephemeralContainers):
- image: "external-registry.souvap-univention.de/*"
- image: "my_private_registry.domain.tld/*"
=(initContainers):
- image: "external-registry.souvap-univention.de/*"
- image: "my_private_registry.domain.tld/*"
containers:
- image: "external-registry.souvap-univention.de/*"
- image: "my_private_registry.domain.tld/*"
validationFailureAction: "audit"
...

57
CHANGELOG.md
View File

@@ -1,3 +1,60 @@
# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
### Bug Fixes
* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
### Features
* **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
# [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
### Bug Fixes
* **helmfile:** Improve support for external Objectstore, and fix issue with DoveCot storageClassName ([1b748b6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1b748b6bf63d75fc5232c90407a3fa885c2dd3c8)), closes [#57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/57) [#60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/60) [#56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/56)
* **nextcloud:** Bump to 28.0.4 ([cb33a92](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cb33a929ef7c13a9a578e56a631951292d14d0e4))
* **univention-management-stack:** add Guardian provisioning job image ([79c52d0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/79c52d014cec188d010a2827bb63b2635abafb2c))
* **univention-management-stack:** Update UMC to 0.11.8 ([5e3f4fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5e3f4faade2ea02e51f260d1d614296a6a484848))
* **univention-management-stack:** Use umbrella helm chart ([10ecb44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10ecb44aa675d2f139aaec6fe8d4246fa1d3dd40))
* **xwiki:** Bump to 15.10.8 and enable OIDC backchannel logout ([c395d35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c395d35dd77bbec5e6b7d01768533f87af843560))
### Features
* **open-xchange:** Bump to 8.23 and remove Istio prerequisite ([3be3564](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3be3564ec7168a1a2d72b58f11da84e89e81911d))
## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
### Bug Fixes
* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)

15
README.md
View File

@@ -1,4 +1,5 @@
<!--
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
@@ -22,8 +23,8 @@ SPDX-License-Identifier: Apache-2.0
# Overview
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
*Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
openDesk currently features the following functional main components:
@@ -31,11 +32,11 @@ openDesk currently features the following functional main components:
| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59) | [For the most recent release](https://element.io/user-guide) |
| Diagram editor | Cryptpad ft. diagrams.net | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
| File management | Nextcloud | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
| Groupware | OX Appsuite | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
| Knowledge management | XWiki | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
| File management | Nextcloud | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5) | [Nextcloud 28](https://docs.nextcloud.com/) |
| Groupware | OX App Suite | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
| Knowledge management | XWiki | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
| Portal & IAM | Nubus | Product Preview[^1] | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
| Project management | OpenProject | [13.3.1](https://www.openproject.org/docs/release-notes/13-3-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
| Project management | OpenProject | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
| Videoconferencing | Jitsi | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
| Weboffice | Collabora | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
@@ -116,7 +117,7 @@ This project uses the following license: Apache-2.0
# Copyright
Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
Copyright (C) 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# Footnotes

21
docs/ci.md
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
-->
<h1>CI/CD</h1>
This page will cover openDesk automation via Gitlab CI.
This page covers openDesk deployment automation via Gitlab CI.
<!-- TOC -->
* [Deployment](#deployment)
@@ -13,30 +13,31 @@ This page will cover openDesk automation via Gitlab CI.
# Deployment
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
- `DOMAIN` = The domain to deploy to.
- `ISTIO_DOMAIN` = istio.`DOMAIN`
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
- `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
Based on your input, the following variables will be set:
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
`MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
# Tests
The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
The `DEPLOY_`-variables are used to determine which components should be tested.
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
`<domain of gitlab>/api/v4/projects/<id>`.
If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
`TESTS_BRANCH` while creating a new pipeline.

5
docs/components.md
View File

@@ -1,5 +1,6 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
-->
<h1>Components</h1>
@@ -34,7 +35,6 @@ they need to be replaced in production deployments.
| ClamAV (Simple) | Antivirus engine | Eval |
| Collabora | Weboffice | Functional |
| CryptPad | Weboffice | Functional |
| Dovecot | Mail backend | Functional |
| Element | Secure communications platform | Functional |
| Intercom Service | Cross service data exchange | Functional |
| Jitsi | Videoconferencing | Functional |
@@ -44,7 +44,8 @@ they need to be replaced in production deployments.
| Nextcloud | File share | Functional |
| OpenProject | Project management | Functional |
| OX Appsuite | Groupware | Functional |
| Provisioning | Backend provisioning | Functional |
| OX Dovecot | Mail backend (IMAP) | Functional |
| Provisioning (OX Connector) | Groupware provisioning | Functional |
| Postfix | MTA | Eval |
| PostgreSQL | Database | Eval |
| Redis | Cache Database | Eval |

91
docs/debugging.md
View File

@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
* [Disclaimer](#disclaimer)
* [Enable debugging](#enable-debugging)
* [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
* [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
* [Temporary/ephemeral containers](#temporaryephemeral-containers)
* [Components](#components)
* [MariaDB](#mariadb)
* [Nextcloud](#nextcloud)
@@ -35,6 +38,94 @@ and set the loglevel for components to "Debug".
**Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
# Adding containers to a pod for debugging purposes
During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
Adding a container to a Pod can ease the pain.
Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
## Adding a container to a pod/deployment - Dev/Test only
You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
- Ensure the `shareProcessNamespace` option is enabled for the Pod.
- Reference the selected container within the `containers` array of the deployment.
- In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
- Save & update the deployment.
The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
```
shareProcessNamespace: true
containers:
- name: debugging
image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
securityContext:
capabilities:
drop:
- ALL
privileged: false
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
```
- After the deployment was reloaded open the shell of the debugging container.
- When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
- To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
## Temporary/ephemeral containers
Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
For the commands further down this section we set some environment variables first:
- `NAMESPACE`: The namespace the Pod you want to inspects is running in.
- `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
- `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
- `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
- `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
e.g.
```
export EPH_CONTAINER_NAME=debugging
export NAMESPACE=my_testdeployment
export DEPLOYMENT_NAME=opendesk-nextcloud-php
export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
```
You still need to ensure that your deployment supports process namespace sharing:
```
kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
spec:
template:
spec:
shareProcessNamespace: true'
```
Now you can add the ephemeral container with:
```
kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
```
and open it's interactive terminal with
```
kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
```
# Components
## MariaDB

13
docs/development.md
View File

@@ -1,5 +1,6 @@
<!--
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
-->
@@ -32,7 +33,7 @@ flowchart TD
D-->G[images.yaml]
D-->H[global.*]
D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
A-->|overwrite defaults with\nyour environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
```
The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
@@ -96,13 +97,13 @@ Example:
## Renovate
- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/renovate-opencode
Uses a regular expression to match the values of the following attributes:
Uses a regular expression to match the values of the attributes
- `# upstreamRegistry`
- `# upstreamRepository`
- `registry`
- `repository`
- `tag`
check for newer versions of the given artefact and create a MR containing the newest version's tag (and digest).
Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
## Mirroring

67
docs/getting-started.md
View File

@@ -10,6 +10,7 @@ This documentation should enable you to create your own evaluation instance of o
<!-- TOC -->
* [Requirements](#requirements)
* [Customize environment](#customize-environment)
* [DNS](#dns)
* [Domain](#domain)
* [Apps](#apps)
* [Private registries](#private-registries)
@@ -49,10 +50,24 @@ files.
For the following guide, we will use `dev` as environment, where variables can be set in
`helmfile/environments/dev/values.yaml`.
## Domain
## DNS
The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
The deployment is designed to deploy each application/service under a dedicated subdomain.
For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
otherwise you need to create an A-Record for each subdomain.
| Record name | Type | Value | Additional information |
| ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
| *.domain.tld | A | IPv4 address of your Ingress Controller | |
| *.domain.tld | AAAA | IPv6 address of your Ingress Controller | |
| mail.domain.tld | A | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
| mail.domain.tld | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
| domain.tld | MX | `10 mail.domain.tld` | |
| domain.tld | TXT | `v=spf1 +a +mx +a:mail.domain.tld ~all` | Optional, use proper MTA record if present |
| _dmarc.domain.tld | TXT | `v=DMARC1; p=quarantine` | Optional |
| _matrix._tcp.domain.tld | SRV | `1 10 PORT matrix.domain.tld` | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
## Domain
A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
@@ -68,29 +83,49 @@ The domain have to be set either via `dev` environment
```yaml
global:
domain: "my.open.desk"
istio:
domain: "istio.my.open.desk"
domain: "domain.tld"
```
or via environment variable
```shell
export DOMAIN=my.open.desk
export ISTIO_DOMAIN=istio.my.open.desk
export DOMAIN=domain.tld
```
When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
Additionally, you can announce/specify an alternative domain for mail and chat.
Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
`*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
The required routing have to be implemented by yourself.
The alternative domains have to be set either via `dev` environment
```yaml
istio:
enabled: false
oxAppsuite:
enabled: false
global:
mailDomain: "open.desk"
synapseDomain: "open.desk"
```
or via environment variable
```shell
export MAIL_DOMAIN=open.desk
export SYNAPSE_DOMAIN=open.desk
```
If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
| Record name | Type | Value |
|--------------------------------|------|---------------------------|
| _matrix._tcp.SYNAPSE_DOMAIN | SRV | `1 10 PORT matrix.DOMAIN` |
| matrix-fed._tcp.SYNAPSE_DOMAIN | SRV | `1 10 PORT matrix.DOMAIN` |
| MAIL_DOMAIN | MX | `10 mail.domain.tld` |
_Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
_Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
### Apps
All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
@@ -143,13 +178,13 @@ prefer the use of a private image registry anyway you can configure such for
```yaml
global:
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
imageRegistry: "my_private_registry.domain.tld"
```
alternatively you can use an environment variable:
```shell
export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
export PRIVATE_IMAGE_REGISTRY_URL=my_private_registry.domain.tld
```
If authentication is required, you can reference imagePullSecrets as following:

7
docs/requirements.md
View File

@@ -28,7 +28,6 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
- Volume provisioner supporting RWO (read-write-once)
- Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
# Hardware
@@ -56,12 +55,8 @@ configured ingress controller deployed.
**Maintained controllers:**
- [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
**Community Supported:**
- [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
# Volume provisioner

23
docs/workflow.md
View File

@@ -1,5 +1,6 @@
<!--
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
-->
@@ -139,17 +140,19 @@ As a standard, the openDesk platform development team uses [reuse.software](http
openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
```
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
```
As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).
**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
## Development workflow
### Disclaimer
openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
- openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.
### Workflow
@@ -225,22 +228,28 @@ gitGraph
The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.
1. Linting
- Blocking
- Licening: [reuse](https://github.com/fsfe/reuse-tool)
- openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
- Non Blocking
- Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
- Formal: Yaml
1. Deploy the full openDesk stack from scratch:
- All deployment steps must be successful (green)
- All tests from the end-to-end test set must be successful
2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
- Deploy the current merge target baseline (`develop` or `main`)
- Update deploy from your QA branch into the instance from the previous step
3. No showstopper found regarding
1. No showstopper found regarding
- SBOM compliance[^4]
- Malware check
- CVE check[^5]
- Kubescape scan[^5]
- Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]
Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
```mermaid
flowchart TD

2
helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
View File

@@ -12,7 +12,7 @@ configuration:
bot:
username: "meetings-bot"
displayname: "Terminplaner Bot"
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
strings:
breakoutSessionWidgetName: "Breakoutsessions"
calendarRoomName: "Terminplaner"

1
helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
View File

@@ -4,6 +4,7 @@
configuration:
bot:
username: "meetings-bot"
homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
containerSecurityContext:
allowPrivilegeEscalation: false

2
helmfile/apps/element/values-synapse-web.yaml.gotmpl
View File

@@ -1,6 +1,8 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
clusterDomain: {{ .Values.cluster.networking.domain }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:

1
helmfile/apps/element/values-synapse.yaml.gotmpl
View File

@@ -29,6 +29,7 @@ configuration:
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
homeserver:
serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
appServiceConfigs:
- as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}

4
helmfile/apps/intercom-service/values.yaml.gotmpl
View File

@@ -27,7 +27,7 @@ global:
ics:
secret: {{ .Values.secrets.intercom.secret | quote }}
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
originRegex: "{{ .Values.global.domain }}"
keycloak:
realm: {{ .Values.platform.realm | quote }}
default:
@@ -49,7 +49,7 @@ ics:
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
openxchange:
oci: true
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
audience: "opendesk-oxappsuite"
nextcloud:
audience: "opendesk-nextcloud"

4
helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
View File

@@ -68,7 +68,6 @@ jitsi:
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
@@ -117,7 +116,6 @@ jitsi:
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
@@ -140,7 +138,6 @@ jitsi:
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
@@ -164,7 +161,6 @@ jitsi:
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0

3
helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
View File

@@ -9,7 +9,6 @@ global:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
istioDomain: {{ .Values.istio.domain }}
additionalAnnotations:
intents.otterize.com/service-name: "opendesk-nextcloud-php"
@@ -55,7 +54,7 @@ configuration:
secretKey:
value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
region: {{ .Values.objectstores.nextcloud.region | quote }}
storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
port: {{ .Values.objectstores.nextcloud.port | quote }}

7
helmfile/apps/open-xchange/helmfile.yaml
View File

@@ -6,7 +6,7 @@ bases:
---
repositories:
# openDesk Dovecot
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
- name: "dovecot-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.dovecot.verify }}
@@ -18,6 +18,8 @@ repositories:
# Open-Xchange
- name: "open-xchange-repo"
keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
verify: {{ .Values.charts.openXchangeAppSuite.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
@@ -25,7 +27,8 @@ repositories:
{{ .Values.charts.openXchangeAppSuite.repository }}"
# openDesk Open-Xchange Bootstrap
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
# Source:
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
- name: "open-xchange-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}

41
helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
mysql:
host: {{ .Values.databases.oxAppsuite.host | quote }}
database: {{ .Values.databases.oxAppsuite.name | quote }}
@@ -13,9 +13,6 @@ global:
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
istio:
enabled: {{ .Values.istio.enabled }}
nextcloud-integration-ui:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
@@ -77,18 +74,22 @@ appsuite:
switchboard:
enabled: false
istio:
enabled: {{ .Values.istio.enabled }}
ingressGateway:
name: "opendesk-gateway-istio-gateway"
enabled: false
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
enabled: true
existingSecret: {{ .Values.ingress.tls.secretName | quote }}
appsuite:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
virtualServices:
appsuite:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
dav:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
dav:
hosts:
- "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
routes:
trailslash:
enabled: false
core-mw:
enabled: true
asConfig:
@@ -99,7 +100,7 @@ appsuite:
oidcPath: "/oidc"
masterAdmin: "admin"
masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
serviceAccount:
create: true
features:
@@ -168,9 +169,9 @@ appsuite:
com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/auth"
com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/logout"
com.openexchange.oidc.ssoLogout: "true"
com.openexchange.oidc.startDefaultBackend: "true"
com.openexchange.oidc.userLookupClaim: "opendesk_username"
@@ -366,7 +367,7 @@ appsuite:
enabled: true
ingress:
hosts:
- host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
- host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
enabled: false
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
@@ -385,6 +386,8 @@ appsuite:
auth:
enabled: true
password: {{ .Values.secrets.redis.password | quote }}
# Workaround for a bug in 8.23
ca: ""
resources:
{{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
updater:

2
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -155,7 +155,7 @@ resources:
s3:
enabled: true
endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
host: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
region: {{ .Values.objectstores.openproject.region | quote }}
bucketName: {{ .Values.objectstores.openproject.bucket | quote }}

2
helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
View File

@@ -33,7 +33,7 @@ oxConnector:
oxMasterAdmin: "admin"
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
oxSmtpServer: "smtp://127.0.0.1:587"
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
resources:
{{ .Values.resources.oxConnector | toYaml | nindent 2 }}

38
helmfile/apps/services/helmfile.yaml
View File

@@ -1,3 +1,4 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
@@ -16,6 +17,17 @@ repositories:
url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
{{ .Values.charts.otterize.repository }}"
# openDesk Home
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
- name: "home-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.home.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
{{ .Values.charts.home.repository }}"
# openDesk Certificates
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
- name: "certificates-repo"
@@ -60,17 +72,6 @@ repositories:
url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
{{ .Values.charts.postfix.repository }}"
# openDesk Istio Resources
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
- name: "istio-resources-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.istioResources.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\
{{ .Values.charts.istioResources.repository }}"
# openDesk ClamAV
# https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
- name: "clamav-repo"
@@ -126,6 +127,13 @@ releases:
installed: {{ .Values.security.otterizeIntents.enabled }}
timeout: 900
- name: "opendesk-home"
chart: "home-repo/{{ .Values.charts.home.name }}"
version: "{{ .Values.charts.home.version }}"
values:
- "values-home.yaml.gotmpl"
installed: {{ .Values.home.enabled }}
- name: "opendesk-certificates"
chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
version: "{{ .Values.charts.certificates.version }}"
@@ -190,14 +198,6 @@ releases:
installed: {{ .Values.clamavSimple.enabled }}
timeout: 900
- name: "opendesk-gateway"
chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
version: "{{ .Values.charts.istioResources.version }}"
values:
- "values-istio-gateway.yaml.gotmpl"
installed: {{ .Values.istio.enabled }}
timeout: 900
- name: "minio"
chart: "minio-repo/{{ .Values.charts.minio.name }}"
version: "{{ .Values.charts.minio.version }}"

8
helmfile/apps/services/values-certificates.yaml.gotmpl
View File

@@ -11,14 +11,6 @@ global:
issuerRef:
name: {{ .Values.certificate.issuerRef.name | quote }}
{{- if .Values.istio.enabled }}
istio:
enabled: {{ .Values.istio.enabled }}
domain: {{ .Values.istio.domain | quote }}
issuerRef:
name: {{ .Values.istio.issuerRef.name | quote }}
{{- end }}
cleanup:
keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}

16
helmfile/apps/services/values-home.yaml.gotmpl Normal file
View File

@@ -0,0 +1,16 @@
{{/*
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
ingress:
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
tls:
secretName: {{ .Values.ingress.tls.secretName | quote }}
...

12
helmfile/apps/services/values-istio-gateway.yaml.gotmpl
View File

@@ -1,12 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
domain: {{ .Values.istio.domain | quote }}
hosts:
openxchange: {{ .Values.global.hosts.openxchange | quote }}
tls:
httpsRedirect: false
secretName: "{{ .Values.istio.domain }}-tls"
...

4
helmfile/apps/services/values-otterize.yaml.gotmpl
View File

@@ -45,6 +45,10 @@ apps:
xwiki:
enabled: {{ .Values.xwiki.enabled }}
ingressController:
{{ .Values.security.ingressController | toYaml | nindent 2 }}
extraApps:
clusterPostfix:
enabled: {{ .Values.security.clusterPostfix.enabled }}

4
helmfile/apps/services/values-postfix.yaml.gotmpl
View File

@@ -41,7 +41,7 @@ podSecurityContext:
postfix:
amavisHost: ""
amavisPortIn: ""
domain: {{ .Values.global.domain | quote }}
domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
hostname: "postfix"
inetProtocols: "ipv4"
milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
{{- else if .Values.clamavSimple.enabled }}
smtpdMilters: "inet:clamav-simple:7357"
{{- end }}
virtualMailboxDomains: {{ .Values.global.domain | quote }}
virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
virtualTransport: "lmtps:dovecot:24"
replicaCount: {{ .Values.replicas.postfix }}

378
helmfile/apps/univention-management-stack/helmfile.yaml
View File

@@ -5,168 +5,17 @@ bases:
- "../../bases/environments.yaml"
---
repositories:
# Univention Management Stack
- name: "ums-guardian-management-api-repo"
# Univention Management Stack Umbrella Chart
- name: "ums"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
verify: {{ .Values.charts.ums.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\
{{ .Values.charts.umsGuardianManagementApi.repository }}"
- name: "ums-guardian-management-ui-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\
{{ .Values.charts.umsGuardianManagementUi.repository }}"
- name: "ums-guardian-authorization-api-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\
{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
- name: "ums-open-policy-agent-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\
{{ .Values.charts.umsOpenPolicyAgent.repository }}"
- name: "ums-ldap-server-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsLdapServer.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\
{{ .Values.charts.umsLdapServer.repository }}"
- name: "ums-ldap-notifier-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsLdapNotifier.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\
{{ .Values.charts.umsLdapNotifier.repository }}"
- name: "ums-udm-rest-api-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsUdmRestApi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\
{{ .Values.charts.umsUdmRestApi.repository }}"
- name: "ums-stack-data-ums-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsStackDataUms.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\
{{ .Values.charts.umsStackDataUms.repository }}"
- name: "ums-stack-data-swp-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsStackDataSwp.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\
{{ .Values.charts.umsStackDataSwp.repository }}"
- name: "ums-portal-server-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsPortalServer.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\
{{ .Values.charts.umsPortalServer.repository }}"
- name: "ums-notifications-api-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsNotificationsApi.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\
{{ .Values.charts.umsNotificationsApi.repository }}"
- name: "ums-portal-listener-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsPortalListener.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\
{{ .Values.charts.umsPortalListener.repository }}"
- name: "ums-portal-frontend-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsPortalFrontend.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\
{{ .Values.charts.umsPortalFrontend.repository }}"
- name: "ums-umc-gateway-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsUmcGateway.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\
{{ .Values.charts.umsUmcGateway.repository }}"
- name: "ums-umc-server-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsUmcServer.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\
{{ .Values.charts.umsUmcServer.repository }}"
- name: "ums-selfservice-listener-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsSelfserviceListener.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\
{{ .Values.charts.umsSelfserviceListener.repository }}"
- name: "ums-provisioning-repo"
keyring: "../../files/gpg-pubkeys/univention-de.gpg"
verify: {{ .Values.charts.umsProvisioning.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\
{{ .Values.charts.umsProvisioning.repository }}"
# Univention Keycloak Extensions
- name: "ums-keycloak-extensions-repo"
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/\
{{ .Values.charts.umsKeycloakExtensions.repository }}"
# Univention Keycloak
- name: "ums-keycloak-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloak.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\
{{ .Values.charts.umsKeycloak.repository }}"
- name: "ums-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\
{{ .Values.charts.umsKeycloakBootstrap.repository }}"
url:
"{{ .Values.global.helmRegistry | default .Values.charts.ums.registry }}/\
{{ .Values.charts.ums.repository }}"
# OpenDesk Keycloak Bootstrap Chart
- name: "opendesk-keycloak-bootstrap-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -175,223 +24,24 @@ repositories:
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
# VMWare Bitnami
# Source: https://github.com/bitnami/charts/
- name: "nginx-repo"
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.nginx.verify }}
username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
oci: true
url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\
{{ .Values.charts.nginx.repository }}"
releases:
- name: "ums-keycloak"
chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}"
version: "{{ .Values.charts.umsKeycloak.version }}"
# Univention Management Stack Umbrella Chart
- name: "ums"
chart: "ums/{{ .Values.charts.ums.name }}"
version: "{{ .Values.charts.ums.version }}"
values:
- "values-ums-keycloak.yaml.gotmpl"
- "values-umbrella.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-keycloak-extensions"
chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}"
version: "{{ .Values.charts.umsKeycloakExtensions.version }}"
values:
- "values-ums-keycloak-extensions.yaml.gotmpl"
needs:
- "ums-keycloak"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-keycloak-bootstrap"
chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
version: "{{ .Values.charts.umsKeycloakBootstrap.version }}"
values:
- "values-ums-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums-keycloak"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
# OpenDesk Keycloak Bootstrap Chart
- name: "opendesk-keycloak-bootstrap"
chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
values:
- "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
needs:
- "ums-keycloak-bootstrap"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-stack-gateway"
chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
version: "{{ .Values.charts.nginx.version }}"
values:
- "values-ums-stack-gateway.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-ldap-server"
chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
version: "{{ .Values.charts.umsLdapServer.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-ldap-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-ldap-notifier"
chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
version: "{{ .Values.charts.umsLdapNotifier.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-ldap-notifier.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-udm-rest-api"
chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
version: "{{ .Values.charts.umsUdmRestApi.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-udm-rest-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-stack-data-ums"
chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
version: "{{ .Values.charts.umsStackDataUms.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-stack-data-ums.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-stack-data-swp"
chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
version: "{{ .Values.charts.umsStackDataSwp.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-stack-data-swp.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-portal-server"
chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
version: "{{ .Values.charts.umsPortalServer.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-portal-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-notifications-api"
chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
version: "{{ .Values.charts.umsNotificationsApi.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-notifications-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-portal-listener"
chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
version: "{{ .Values.charts.umsPortalListener.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-portal-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-portal-frontend"
chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
version: "{{ .Values.charts.umsPortalFrontend.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-portal-frontend.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-umc-gateway"
chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
version: "{{ .Values.charts.umsUmcGateway.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-umc-gateway.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-umc-server"
chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
version: "{{ .Values.charts.umsUmcServer.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-umc-server.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-selfservice-listener"
chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
version: "{{ .Values.charts.umsSelfserviceListener.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-selfservice-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-provisioning"
chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
version: "{{ .Values.charts.umsProvisioning.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-provisioning.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-provisioning-udm-listener"
chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-provisioning-udm-listener.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-guardian-management-api"
chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-guardian-management-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-guardian-management-ui"
chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-guardian-management-ui.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-guardian-authorization-api"
chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-guardian-authorization-api.yaml.gotmpl"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900
- name: "ums-open-policy-agent"
chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
values:
- "values-common.yaml.gotmpl"
- "values-open-policy-agent.yaml.gotmpl"
- "ums"
installed: {{ .Values.univentionManagementStack.enabled }}
timeout: 900

25
helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
View File

@@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
configMapUcrDefaults: "ums-stack-data-ums-ucr"
configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null
ingress:
# Intentionally not using the Ingress configuration of the UMS stack at the
# moment, since it does depend on rewriting capabilities of the ingress
# controller. Those are encapsulated into the release "stack-gateway" so that
# the compatibility with all ingress controllers is increased.
enabled: false
host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls:
# The TLS configuration is on the "master" Ingress, see "portal-frontend"
enabled: false
secretName: ""
istio:
enabled: false
...

61
helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
View File

@@ -1,61 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianAuthorizationApi:
guardianAuthzCorsAllowedOrigins: "*"
guardianAuthzAdapterSettingsPort: "env"
guardianAuthzAdapterAppPersistencePort: "udm_data"
guardianAuthzAdapterPolicyPort: "opa"
guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
guardianAuthzLoggingStructured: false
guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
home: "/guardian_service_dir"
isUniventionAppCenter: 0
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
opaAdapterUrl: "http://ums-open-policy-agent/"
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
...

79
helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
View File

@@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementApi:
home: "/guardian_service_dir"
isUniventionAppCenter: 0
guardianManagementCorsAllowedOrigins: "*"
guardianManagementAdapterSettingsPort: "env"
guardianManagementAdapterAppPersistencePort: "sql"
guardianManagementAdapterConditionPersistencePort: "sql"
guardianManagementAdapterContextPersistencePort: "sql"
guardianManagementAdapterNamespacePersistencePort: "sql"
guardianManagementAdapterPermissionPersistencePort: "sql"
guardianManagementAdapterRolePersistencePort: "sql"
guardianManagementAdapterCapabilityPersistencePort: "sql"
guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
guardianManagementAdapterResourceAuthorizationPort: "always"
guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
guardianManagementLoggingStructured: false
guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
guardianManagementBaseUrl: "http://0.0.0.0:8000"
oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
sqlPersistenceAdapterDialect: "postgresql"
sqlPersistenceAdapterDbName: "postgres"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
...

52
helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
View File

@@ -1,52 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
guardianManagementUi:
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
...

38
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
View File

@@ -1,38 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
...

88
helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
View File

@@ -1,88 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraVolumes:
- name: "opendesk-schemas"
configMap:
name: "ums-stack-data-swp-schemas"
extraVolumeMounts:
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
subPath: "opendeskFileshare.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
subPath: "opendeskKnowledgemanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
subPath: "opendeskLearnmanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
subPath: "opendeskLivecollaboration.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
ldapServer:
waitForSamlMetadata: true
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
persistence:
sharedData:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
sharedRun:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}
service:
type: "ClusterIP"
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
...

50
helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
View File

@@ -1,50 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
repository: {{ .Values.images.umsNotificationsApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsNotificationsApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
...

52
helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
View File

@@ -1,52 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
openPolicyAgent:
isUniventionAppCenter: 0
opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
opaPollingMinDelay: 10
opaPollingMaxDelay: 15
opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
...

291
helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
View File

@@ -253,7 +253,7 @@ config:
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*"
- "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
consentRequired: false
frontchannelLogout: false
@@ -261,8 +261,8 @@ config:
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: true
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
protocolMappers:
- name: "context"
protocol: "openid-connect"
@@ -293,296 +293,13 @@ config:
authorizationServicesEnabled: false
attributes:
backchannel.logout.session.required: false
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
defaultClientScopes:
- "opendesk"
- "address"
- "email"
- "profile"
- name: "guardian-management-api"
clientId: "guardian-management-api"
rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
protocol: "openid-connect"
clientAuthenticatorType: "client-secret"
secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
fullScopeAllowed: true
protocolMappers:
- name: "Client Host"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientHost"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientHost"
jsonType.label: "String"
- name: "Client ID"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "client_id"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "client_id"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
userinfo.token.claim: false
id.token.claim: false
access.token.claim: true
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-cli"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "Client IP Address"
protocol: "openid-connect"
protocolMapper: "oidc-usersessionmodel-note-mapper"
consentRequired: false
config:
user.session.note: "clientAddress"
userinfo.token.claim: true
id.token.claim: true
access.token.claim: true
claim.name: "clientAddress"
jsonType.label: "String"
- name: "guardian-scripts"
clientId: "guardian-scripts"
description: ""
rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
adminUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
surrogateAuthRequired: false
enabled: true
alwaysDisplayInConsole: false
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
webOrigins:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
bearerOnly: false
consentRequired: false
standardFlowEnabled: true
implicitFlowEnabled: false
directAccessGrantsEnabled: true
serviceAccountsEnabled: false
publicClient: true
frontchannelLogout: false
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-scripts"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
aggregate.attrs: false
multivalued: false
userinfo.token.claim: false
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
defaultClientScopes:
- "opendesk"
- "web-origins"
- "acr"
- "roles"
- "profile"
- "email"
optionalClientScopes:
- "address"
- "phone"
- "offline_access"
- "microprofile-jwt"
- name: "guardian-ui"
clientId: "guardian-ui"
rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
clientAuthenticatorType: "client-secret"
redirectUris:
- "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
standardFlowEnabled: true
publicClient: true
protocol: "openid-connect"
fullScopeAllowed: true
protocolMappers:
- name: "uid"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "uid"
id.token.claim: true
access.token.claim: true
claim.name: "uid"
jsonType.label: "String"
- name: "username"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "username"
id.token.claim: true
access.token.claim: true
claim.name: "preferred_username"
jsonType.label: "String"
- name: "dn"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-attribute-mapper"
consentRequired: false
config:
userinfo.token.claim: "false"
user.attribute: "LDAP_ENTRY_DN"
id.token.claim: false
access.token.claim: true
claim.name: "dn"
jsonType.label: "String"
- name: "audiencemap"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian-ui"
id.token.claim: true
access.token.claim: true
userinfo.token.claim: true
- name: "email"
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
consentRequired: false
config:
userinfo.token.claim: true
user.attribute: "email"
id.token.claim: true
access.token.claim: true
claim.name: "email"
jsonType.label: "String"
- name: "guardian-audience"
protocol: "openid-connect"
protocolMapper: "oidc-audience-mapper"
consentRequired: false
config:
included.client.audience: "guardian"
id.token.claim: false
access.token.claim: true
userinfo.token.claim: false
containerSecurityContext:
allowPrivilegeEscalation: false

117
helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
View File

@@ -1,117 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraIngresses:
redirects:
# Using "stack-gateway" currently.
enabled: false
# The TLS configuration is on the "master" Ingress, see below.
tls:
enabled: false
master:
# Using "stack-gateway" currently.
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# See "extraVolumeMounts" below
custom-favicon:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.org/mergeable-ingress-type: "minion"
paths:
- pathType: "Exact"
path: "/favicon.ico"
tls: {}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
# See "extraVolumeMounts" below
custom-branding:
# Using "stack-gateway" at the moment
enabled: false
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/location-snippets: |
rewrite ^/univention/portal(/.*)$ $1 break;
nginx.org/mergeable-ingress-type: "minion"
paths:
# This relies on the correct implementation of the matching for paths of
# type "Prefix" since "/univention/portal/icons/entries/" is owned by
# store-dav.
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
- pathType: "Prefix"
path: "/univention/portal/icons/"
- pathType: "Prefix"
path: "/univention/portal/custom/"
tls: {}
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
...

85
helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
View File

@@ -1,85 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
repository: {{ .Values.images.umsPortalListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
portalListener:
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
assetsRootPath: "portal-assets"
ucsInternalPath: "portal-data"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
tlsMode: "off"
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
store-dav:
bundled: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
...

62
helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
View File

@@ -1,62 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
repository: {{ .Values.images.umsPortalServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsPortalServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
portalServer:
authMode: "saml"
editable: "false"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
ucsInternalPath: "portal-data"
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
centralNavigation:
enabled: true
authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
replicaCount: {{ .Values.replicas.umsPortalServer }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}
...

28
helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
View File

@@ -1,28 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
tlsMode: "off"
natsHost: "ums-provisioning-nats"
natsPort: "4222"
resources:
{{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
...

81
helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
View File

@@ -1,81 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
dispatcher:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
config:
UDM_HOST: "ums-udm-rest-api"
UDM_PORT: 9979
UDM_USERNAME: "cn=admin"
api:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
rootPath: "/univention/provisioning-api"
resources:
{{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
prefill:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
nats:
bundled: true
nameOverride: ""
resources:
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
sysctls:
- name: "net.ipv4.ip_unprivileged_port_start"
value: "1"
...

79
helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
View File

@@ -1,79 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
selfserviceListener:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }}
repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
selfserviceInvitation:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
resources:
{{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
selfserviceListener:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
tlsMode: "off"
umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
...

74
helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
View File

@@ -1,74 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"
oxDefaultContext: "1"
smtpStartTls: true
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
externalDomainName: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUser: {{ .Values.smtp.username | quote }}
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
stackDataSwp:
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
systemInformation:
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
udmApiUser: "cn=admin"
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
...

59
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
View File

@@ -1,59 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
domainname: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.domain | quote }}
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: {{ .Values.ldap.baseDn | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
stackDataUms:
loadDevData: true
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
...

65
helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
View File

@@ -1,65 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
repository: {{ .Values.images.umsStoreDav.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsStoreDav.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
configHtpasswd:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsConfigHtpasswd.registry | quote }}
repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
persistence:
data:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
resources:
{{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
storeDav:
auth:
basicAuth:
portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
...

67
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
View File

@@ -1,67 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
extraVolumeMounts:
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}
udmRestApi:
# TODO: Stub value currently
caCert: ""
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
...

1647
helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl Normal file
View File

File diff suppressed because it is too large Load Diff

64
helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
View File

@@ -1,64 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
- name: "announcements-customization"
mountPath:
"/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcGateway.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
...

109
helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
View File

@@ -1,109 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
extraVolumes:
- name: "certificates"
secret:
secretName: "opendesk-certificates-tls"
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-server-entrypoint"
defaultMode: 0555
- name: "self-service-emails"
configMap:
name: "ums-stack-data-swp-self-service-emails"
defaultMode: 0444
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "certificates"
mountPath: "/var/secrets/ssl"
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-customization.sh"
subPath: "90-customization.sh"
- name: "self-service-emails"
mountPath: "/usr/share/univention-self-service/email_bodies"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
- name: "announcements-customization"
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
subPath: "udm-portals-announcement.xml"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
memcached:
bundled: false
auth:
username: null
password: null
server: {{ .Values.cache.umsSelfservice.host | quote }}
postgresql:
bundled: false
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"
# TODO: Secret should be entered without b64enc
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
# TODO: Secret should be entered without b64enc
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
smtpSecret: {{ .Values.smtp.password | quote }}
privateKeyFile: "/var/secrets/ssl/tls.key"
...

83
helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
View File

@@ -1,83 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
loginLinks:
- link_number: 1
language: "de"
description: "Passwort vergessen?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
- link_number: 1
language: "en"
description: "Forgot password?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
ums:
ldap:
internalHostname: {{ .Values.ldap.host | quote }}
baseDN: {{ .Values.ldap.baseDn | quote }}
readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
mappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
saml:
serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
twoFactorAuthentication:
enabled: true
group: "2fa-users"
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: false
privileged: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
...

111
helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
View File

@@ -1,111 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
keycloak:
host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
adminUsername: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
adminRealm: "master"
realm: {{ .Values.platform.realm | quote }}
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port }}
auth:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
handler:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }}
repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets: {{ .Values.global.imagePullSecrets }}
appConfig:
captchaProtectionEnable: false
deviceProtectionEnable: true
ipProtectionEnable: true
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
resources:
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
postgresql:
enabled: false
proxy:
appConfig:
logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets: {{ .Values.global.imagePullSecrets }}
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
paths:
{{- if .Values.debug.enabled }}
- pathType: "Prefix"
path: "/admin"
{{- end }}
- pathType: "Prefix"
path: "/realms"
- pathType: "Prefix"
path: "/resources"
- pathType: "Prefix"
path: "/fingerprintjs"
- pathType: "Exact"
path: "/univention/meta.json"
backend:
service:
name: "ums-stack-gateway"
port:
name: "http"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
...

64
helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
View File

@@ -1,64 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }}
repository: {{ .Values.images.umsKeycloak.repository | quote }}
tag: {{ .Values.images.umsKeycloak.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
config:
admin:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
database:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
enableMetrics: true
# The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
# Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
# through an own ingress.
exposeAdminConsole: false
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
theme:
univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
...

301
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
View File

@@ -1,301 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
fullnameOverride: "ums-stack-gateway"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
repository: {{ .Values.images.umsStackGateway.repository | quote }}
tag: {{ .Values.images.umsStackGateway.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
enabled: {{ .Values.ingress.enabled }}
extraTls:
- hosts:
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls: false
podSecurityContext:
enabled: true
fsGroup: 1001
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
service:
type: "ClusterIP"
serviceAccount:
create: true
fullnameOverride: "ums-stack-gateway"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
## portal-frontend
# The frontend does not own "/univention/portal" nor
# "/univention/selfservice", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/selfservice/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/css/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/fonts/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/i18n/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/media/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/js/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/oidc/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/selfservice {
absolute_redirect off;
return 302 /univention/selfservice/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/selfservice/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## object storage (minio)
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
location /univention/selfservice/icons/entries/ {
rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
location /univention/selfservice/icons/logos/ {
rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
proxy_set_header X-UMC-HTTPS 'on';
}
location /univention/logout {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
proxy_set_header X-UMC-HTTPS 'on';
}
location /univention/get {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
## guardian
location /univention/guardian/management-ui {
proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
}
location /guardian/opa {
rewrite ^/guardian/opa(/.*)$ $1 break;
proxy_pass http://ums-open-policy-agent:80/;
}
location /guardian/management {
proxy_pass http://ums-guardian-management-api:80/guardian/management;
}
location /guardian/authorization {
proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
}
}
...

24
helmfile/apps/xwiki/values.yaml.gotmpl
View File

@@ -62,21 +62,21 @@ customConfigs:
xwiki.authentication.ldap.groupcache_expiration: 300
xwiki.properties:
oidc.endpoint.authorization: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
oidc.endpoint.token: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
oidc.endpoint.userinfo: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
oidc.endpoint.logout: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
oidc.scope: "openid,profile,email,address,opendesk"
oidc.endpoint.userinfo.method: "GET"
oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
# yamllint disable-line rule:line-length
oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
oidc.clientid: "opendesk-xwiki"
oidc.endpoint.token.auth_method: "client_secret_basic"
oidc.skipped: false
oidc.endpoint.userinfo.method: "GET"
oidc.logoutMechanism: "rpInitiated"
oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
oidc.scope: "openid,profile,email,address,opendesk"
oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
oidc.skipped: false
oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
# Using the claims below some user based information can be passed through OIDC to XWiki that partitially has an
# impact on the user experience. E.g. you can define the default editor for the user `xwiki_user_editor` or if
# the `xwiki_user_usertype` is advanced or simple.
# yamllint disable-line rule:line-length
oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

297
helmfile/environments/default/charts.yaml
View File

@@ -1,7 +1,9 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
#
# Please read the /docs/development.md for information about structure and annotations used in this file.
# yamllint disable rule:line-length
---
charts:
certificates:
@@ -12,7 +14,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
name: "opendesk-certificates"
version: "2.1.1"
version: "2.1.3"
verify: true
clamav:
# providerCategory: 'Platform'
@@ -22,7 +24,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
name: "opendesk-clamav"
version: "4.0.1"
version: "4.0.5"
verify: true
clamavSimple:
# providerCategory: 'Platform'
@@ -32,7 +34,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
name: "clamav-simple"
version: "4.0.1"
version: "4.0.5"
verify: true
collabora:
# providerCategory: 'Supplier'
@@ -66,7 +68,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
name: "dovecot"
version: "1.3.8"
version: "1.3.10"
verify: true
element:
# providerCategory: 'Platform'
@@ -76,7 +78,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-element"
version: "2.6.7"
version: "2.7.1"
verify: true
elementWellKnown:
# providerCategory: 'Platform'
@@ -86,7 +88,17 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-well-known"
version: "2.6.7"
version: "2.7.1"
verify: true
home:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
# upstreamRegistry: 'registry.opencode.de'
# upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-home'
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
name: "opendesk-home"
version: "1.0.1"
verify: true
intercomService:
# providerCategory: 'Supplier'
@@ -100,16 +112,6 @@ charts:
name: "intercom-service"
version: "2.0.1"
verify: true
istioResources:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
# upstreamRegistry: 'registry.opencode.de'
# upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-istio-resources/istio-gateway'
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-istio-resources"
name: "istio-gateway"
version: "2.0.1"
verify: true
jitsi:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
@@ -178,7 +180,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-matrix-user-verification-service"
version: "2.6.7"
version: "2.7.1"
verify: true
memcached:
# providerCategory: 'Community'
@@ -208,7 +210,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
name: "opendesk-nextcloud"
version: "1.5.0"
version: "1.5.2"
verify: true
nextcloudManagement:
# providerCategory: 'Platform'
@@ -218,7 +220,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
name: "opendesk-nextcloud-management"
version: "1.5.0"
version: "1.5.2"
verify: true
nginx:
# providerCategory: 'Community'
@@ -272,7 +274,8 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
name: "appsuite-public-sector"
version: "2.2.37"
version: "2.5.3"
verify: false
openXchangeAppSuiteBootstrap:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
@@ -291,7 +294,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
name: "opendesk-otterize"
version: "1.7.5"
version: "2.0.1"
verify: true
oxConnector:
# providerCategory: 'Supplier'
@@ -343,7 +346,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-synapse"
version: "2.6.7"
version: "2.7.1"
verify: true
synapseCreateAccount:
# providerCategory: 'Platform'
@@ -353,7 +356,7 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-synapse-create-account"
version: "2.6.7"
version: "2.7.1"
verify: true
synapseWeb:
# providerCategory: 'Platform'
@@ -363,55 +366,25 @@ charts:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
name: "opendesk-synapse-web"
version: "2.6.7"
version: "2.7.1"
verify: true
umsGuardianAuthorizationApi:
ums:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/guardian-authorization-api'
# upstreamRepository: 'souvap/tooling/charts/univention/ums'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '0', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "guardian-authorization-api"
version: "0.1.0"
verify: true
umsGuardianManagementApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/guardian-management-api'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '0', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "guardian-management-api"
version: "0.1.0"
verify: true
umsGuardianManagementUi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/guardian-management-ui'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '0', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "guardian-management-ui"
version: "0.1.0"
verify: true
umsKeycloak:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention-keycloak/ums-keycloak'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['1', '0', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "ums-keycloak"
version: "1.0.5"
# TODO: return back mirror registry and repository before merging
# registry: "registry.opencode.de"
# repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
registry: "registry.souvap-univention.de"
repository: "souvap/tooling/charts/univention"
name: "ums"
# TODO: Needs an update once the previous MR is merged
# See: https://git.knut.univention.de/univention/customers/dataport/upx/ums-stack/-/merge_requests/32
# version: "0.12.1"
version: "0.12.1-pre-acaceres-update-dependencies"
verify: true
umsKeycloakBootstrap:
# providerCategory: 'Supplier'
@@ -425,198 +398,6 @@ charts:
name: "ums-keycloak-bootstrap"
version: "1.0.1"
verify: true
umsKeycloakExtensions:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/keycloak-extensions'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '0', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "keycloak-extensions"
version: "0.2.1"
verify: true
umsLdapNotifier:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/ldap-notifier'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '7', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "ldap-notifier"
version: "0.8.2"
verify: true
umsLdapServer:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/ldap-server'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '7', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "ldap-server"
version: "0.8.2"
verify: true
umsNotificationsApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/notifications-api'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '9', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "notifications-api"
version: "0.9.2"
verify: true
umsOpenPolicyAgent:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/open-policy-agent'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '0', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "open-policy-agent"
version: "0.1.0"
verify: true
umsPortalFrontend:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/portal-frontend'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '9', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "portal-frontend"
version: "0.14.0"
verify: true
umsPortalListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/portal-listener'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '9', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "portal-listener"
version: "0.14.0"
verify: true
umsPortalServer:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/portal-server'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '9', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "portal-server"
version: "0.14.0"
verify: true
umsProvisioning:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/provisioning'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '9', '5']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "provisioning"
version: "0.14.0"
verify: true
umsProvisioningUdmListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/udm-listener'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '9', '5']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "udm-listener"
version: "0.14.0"
verify: true
umsSelfserviceListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/selfservice-listener'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '3', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "selfservice-listener"
version: "0.3.1"
verify: true
umsStackDataSwp:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/stack-data-swp'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '41', '8']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "stack-data-swp"
version: "0.44.0"
verify: true
umsStackDataUms:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/stack-data-ums'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '41', '8']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "stack-data-ums"
version: "0.44.0"
verify: true
umsUdmRestApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/udm-rest-api'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '4', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "udm-rest-api"
version: "0.5.2"
verify: true
umsUmcGateway:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/umc-gateway'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '6', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "umc-gateway"
version: "0.6.4"
verify: true
umsUmcServer:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/charts/univention/umc-server'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '6', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
name: "umc-server"
version: "0.6.4"
verify: true
xwiki:
# providerCategory: 'Supplier'
# providerResponsible: 'XWiki'

4
helmfile/environments/default/global.generated.yaml
View File

@@ -1,7 +1,7 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
global:
systemInformation:
releaseVersion: "v0.5.80"
releaseVersion: "v0.7.0"
...

8
helmfile/environments/default/global.gotmpl
View File

@@ -11,6 +11,14 @@ global:
#
domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
## Define mail host
#
mailDomain: {{ env "MAIL_DOMAIN" | quote }}
## Define synapse host
#
synapseDomain: {{ env "SYNAPSE_DOMAIN" | quote }}
## Define docker registry address.
#
helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}

3
helmfile/environments/default/global.yaml
View File

@@ -1,4 +1,5 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
## The global properties are used to configure multiple charts at once.
@@ -9,9 +10,7 @@ global:
hosts:
collabora: "collabora"
cryptpad: "cryptpad"
dimension: "integration"
element: "chat"
etherpad: "etherpad"
intercomService: "ics"
jitsi: "meet"
keycloak: "id"

138
helmfile/environments/default/images.yaml
View File

@@ -46,7 +46,7 @@ images:
# upstreamMirrorStartFrom: ['1', '8', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
tag: "1.11.0@sha256:633cc31a4c312cdb072136247ac382463ddbc458a5c57e139241394acee9baaf"
freshclam:
# providerCategory: 'Community'
# providerResponsible: 'openDesk'
@@ -148,7 +148,7 @@ images:
# upstreamMirrorStartFrom: ['1', '4', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
tag: "1.14.0@sha256:1a00f33ed5f560e55b06011b2f81696fd8230820f6980edb826768af0e0b41d9"
matrixNeoChoiceWidget:
# providerCategory: 'Supplier'
# providerResponsible: 'Nordeck'
@@ -220,7 +220,7 @@ images:
# upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2'
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
tag: "1.1.16@sha256:c36aaef5dfbd44b702f351ea1a875180caa537c90520d4f4fe69ea28357d85a9"
tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
nextcloudExporter:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
@@ -236,7 +236,7 @@ images:
# upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management'
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
tag: "1.3.6@sha256:4ebe6aa3fc67aa7c2c39035db9f63bfcd398ff980f43ef903dd916acaf88c241"
tag: "1.3.12@sha256:54bb5a90ebe49b33b053e8a7df2fa8d8cb992b17f68a04d08357961c3aded0b0"
nextcloudPHP:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
@@ -244,7 +244,7 @@ images:
# upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php'
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
tag: "1.8.5@sha256:4fee6fc29fc1b34c069a37fbcf99d1e2a257053971035d248defe9624bea36e7"
tag: "1.8.11@sha256:85b3bbf027c9e6a2ccf411b8e2b3752f6a58a3a14f00fb92ecefd9e7ca0c6954"
opendeskKeycloakBootstrap:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
@@ -262,7 +262,7 @@ images:
# upstreamMirrorStartFrom: ['13', '1', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
tag: "13.3.1@sha256:7e5a2cbd3d9f2db65e977797c0f7669b83f8e1b21bf0687ee20d19cbd1b55b7a"
tag: "13.4.1@sha256:b72d3e841fa4da03fc284e0ef7c56e763a9b04188f4219e527d9de93ccc49fe3"
openprojectBootstrap:
# providerCategory: 'Platform'
# providerResponsible: 'openDesk'
@@ -296,7 +296,7 @@ images:
# upstreamMirrorStartFrom: ['8', '6', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
tag: "8.6.3@sha256:6fb8169cba4beb4bd9039f4ce7ab9b29fc02c4991b283824db949fe2b7be34e2"
openxchangeCoreMW:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -306,7 +306,7 @@ images:
# upstreamMirrorStartFrom: ['8', '20', '51']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
tag: "8.20.51@sha256:4a9cc9d6745b09a9ace2475fbbacfeff2ca66db02b6314eb8e035f28e28574a8"
tag: "8.23.47@sha256:b721bf41d7f06b328e9235a0561436cb678bc2a1a67202f0fa6e1f55956cc0cc"
openxchangeCoreUI:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -316,7 +316,7 @@ images:
# upstreamMirrorStartFrom: ['8', '20', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
tag: "8.20.1@sha256:a8bdf83b1179ca9126bcd4e5301b818aafec5e8ac6ff25914603d74a137b65dc"
tag: "8.23.2@sha256:0cc07053cbb9d7062a17ef807c6a6942a912748243a6f0c63a892d5cb2953351"
openxchangeCoreUIMiddleware:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -326,7 +326,7 @@ images:
# upstreamMirrorStartFrom: ['2', '0', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
tag: "2.0.3@sha256:56fe8afe841105f0725674e36afc6f10f22751e3c21a301a6322834383f2d786"
openxchangeCoreUserGuide:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -336,7 +336,7 @@ images:
# upstreamMirrorStartFrom: ['8', '20', '799279']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
tag: "8.20.799279@sha256:075c917a7e5ebfe57c07c3c21485ee672554616252d5c57f829f443ca987e75b"
tag: "8.23.941932@sha256:231b13cb795241513d2f54ee4bc628843ae737b5ecceab758aba3658f03de1bd"
openxchangeDocumentConverter:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -346,17 +346,17 @@ images:
# upstreamMirrorStartFrom: ['8', '20', '50']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
tag: "8.20.50@sha256:bd11b4e5a62377aab79ebc0ebbe8da0bf54d42ce9a8ae64db0c84608570edf9f"
tag: "8.23.43@sha256:aa9bbce833ae018573997fb07dcaf32bb7c5c4c6a7d6331f3d3156fd5b8d53b3"
openxchangeGotenberg:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
# upstreamRegistry: 'registry.open-xchange.com'
# upstreamRepository: 'appsuite-public-sector/3rdparty/gotenberg'
# upstreamRepository: 'appsuite-public-sector/gotenberg'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['7', '9', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
tag: "8.0.3@sha256:1f4979e8cfde1c69f28c24604d19b3a11cf95c59b2a73db957c5af0a27a30ce8"
tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
openxchangeGuardUI:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -366,7 +366,7 @@ images:
# upstreamMirrorStartFrom: ['4', '2', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
tag: "4.2.2@sha256:c2ff375fa3dc359c555570f5216a5451966d9b7165934980acb1bf60363b59c8"
tag: "8.23.0@sha256:0510458017fa028582515ce18c0b12f91ac9e23f0e94e99ac34fd49b07146c01"
openxchangeImageConverter:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -376,7 +376,7 @@ images:
# upstreamMirrorStartFrom: ['8', '20', '50']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
tag: "8.20.50@sha256:590a8a4c583057f6bb071247c2f8b8566c79d5d219482dcaa452b30c944c876b"
tag: "8.23.43@sha256:ecc77a569f60e1b14f0d77ec93d891200b89d11eb9d7c26f59fa7696343e20e3"
openxchangeNextcloudIntegrationUI:
# providerCategory: 'Supplier'
# providerResponsible: 'Open-Xchange'
@@ -396,7 +396,7 @@ images:
# upstreamMirrorStartFrom: ['2', '2', '1']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
tag: "2.2.1@sha256:cf5dc3754dfdf41844f619b0c3178d0406de3ce8dd51317ed706cb329d338fc8"
tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
oxConnector:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -486,7 +486,7 @@ images:
# upstreamMirrorStartFrom: ['0', '41', '5']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
tag: "0.44.0@sha256:c08d619880537c03ebdcdc19fa9746bf5098e3810d85487d47676f3846c6b16c"
tag: "0.45.2@sha256:6e2e054903f361eea5cd54ae6dd3da94380d4a6a11f2628983e2acdbc66d605e"
umsGuardianAuthorizationApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -517,6 +517,16 @@ images:
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
umsGuardianProvisioning:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/images/univention/guardian-init'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '3', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
tag: "0.3.0@sha256:6ce026307cace794b33dddc616e37025974707b5c94fc52cff100b769cba722b"
umsKeycloak:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -526,7 +536,7 @@ images:
# upstreamMirrorStartFrom: ['22', '0', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
tag: "23.0.7-ucs1@sha256:94b34cf3d9266435cf03549b58f874219ecbe9c38c18a070fea403d0cdd2bfc4"
tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
umsKeycloakBootstrap:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -546,7 +556,7 @@ images:
# upstreamMirrorStartFrom: ['0', '0', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
tag: "0.2.0@sha256:ed3a391cb32b9bb9408a4b8e9839b6ee89cbab60149732cd51165a871a91c54d"
tag: "0.3.1@sha256:98871e8d5acfe6bfa6ea7d140197ae41585cfb06c71514ffcf6e98df8315b9ee"
umsKeycloakExtensionProxy:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -556,7 +566,7 @@ images:
# upstreamMirrorStartFrom: ['0', '0', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
tag: "0.2.0@sha256:8b924ab47771b9aee07384e3d13106406d49b1e7ef7fc46648adb1f0fb401327"
tag: "0.3.1@sha256:e6c2130310798e286cea84bf5226709021c12663fb9e8ca30f29515151741fa5"
umsLdapNotifier:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -566,7 +576,7 @@ images:
# upstreamMirrorStartFrom: ['0', '8', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
tag: "0.10.3@sha256:beb4577e7fdf1e18d3769e62296f210c0651460346dc2325e6cc29f4c671fa71"
umsLdapServer:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -576,7 +586,31 @@ images:
# upstreamMirrorStartFrom: ['0', '8', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
umsNats:
# providerCategory: 'Community'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry-1.docker.io'
# upstreamRepository: 'library/nats'
registry: "registry-1.docker.io"
repository: "library/nats"
tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
umsNatsBox:
# providerCategory: 'Community'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry-1.docker.io'
# upstreamRepository: 'natsio/nats-box'
registry: "registry-1.docker.io"
repository: "natsio/nats-box"
tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
umsNatsReloader:
# providerCategory: 'Community'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry-1.docker.io'
# upstreamRepository: 'natsio/nats-server-config-reloader'
registry: "registry-1.docker.io"
repository: "natsio/nats-server-config-reloader"
tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
umsNotificationsApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -586,7 +620,7 @@ images:
# upstreamMirrorStartFrom: ['0', '9', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
tag: "0.9.4@sha256:f058398d68c38039bb168af6d60d016f66fffde83a02f0b8f62124ebf2fed4d9"
tag: "0.20.3@sha256:1e32854d6d4413725870fde26a904da83282b3debea82b386c5753223ecc6a59"
umsOpenPolicyAgent:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -606,7 +640,7 @@ images:
# upstreamMirrorStartFrom: ['0', '9', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
tag: "0.19.0@sha256:7c80f703faf720da159c405a140c1029fd8c12def61653737e2a772982012d5c"
tag: "0.20.3@sha256:4fe6646711efcc07eb4b6e59a57f1d5080cca5f4ec2c960d073e92ecae8be42f"
umsPortalListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -616,7 +650,7 @@ images:
# upstreamMirrorStartFrom: ['0', '9', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
tag: "0.19.0@sha256:7fff6db5151b9aecffdfcd429b6eefb36a96ca14c5384183aa4246b5c0c8b133"
tag: "0.20.7@sha256:8f158b88e0ceb7a5c79d2ad390f6ce851ce0c5ccb675d08d6b6c37f0b21f6177"
umsPortalServer:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -626,7 +660,7 @@ images:
# upstreamMirrorStartFrom: ['0', '9', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
tag: "0.19.0@sha256:9a19e3a0990fba1dd2cdb1fd96ab53dcfba23717291ca1b0c87d8ed19b4c2c46"
tag: "0.20.3@sha256:0ec3db74ce9b7c8706d1534b6dcb464eb016a5de94c3b5bfc49215ccb606715c"
umsProvisioningDispatcher:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -636,7 +670,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
tag: "0.25.0@sha256:c6c9d1e4a46222105ded32c8e87cb2e9b19945592a9ada4e6c13e6942d721694"
umsProvisioningEventsAndConsumerApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -646,7 +680,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
tag: "0.25.0@sha256:f0382154126421e4078beede3ce2579f61859da64c497cb5c93acc693bf71647"
umsProvisioningPrefill:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -656,7 +690,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
tag: "0.25.0@sha256:a5beae74c2575fa20d305ae635bc0c2bba64a9b1173819f8ddd4cca3fb59f6a4"
umsProvisioningUdmListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -666,7 +700,7 @@ images:
# upstreamMirrorStartFrom: ['0', '14', '0']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
tag: "0.25.0@sha256:b67e31d11461d02bc211117408ded3c0428d224b056f26734add7c024d5f710a"
umsSelfserviceInvitation:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -674,19 +708,15 @@ images:
# upstreamRepository: 'souvap/tooling/images/univention/selfservice-invitation'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '3', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
tag: "0.3.2@sha256:8dd90d8669e206232edff37aca73c528344ad453ad0154f36cca0561bf1999a2"
umsSelfserviceListener:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/images/univention/selfservice-listener'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '3', '2']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
tag: "0.3.2@sha256:de0fc94cab436e982219d9c883a2353d91de583d5cf75046902847df4b451e28"
# TODO: return back mirror registry and repository before merging
# registry: "registry.opencode.de"
# repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
registry: "registry.souvap-univention.de"
repository: "souvap/tooling/images/univention/selfservice-invitation"
# TODO: Needs an update once the previous MR is merged
# See: https://git.knut.univention.de/univention/customers/dataport/upx/selfservice-listener/-/merge_requests/16
# version: "0.5.0"
tag: "0.5.0-pre-acaceres-migrate-self-service-listener-to-provisioning-service@sha256:68b342badcaa0def19e6396bb23ffabf3e140ee2a3a39d37e7a5dc4cbba8362b"
umsStackGateway:
# providerCategory: 'Community'
# providerResponsible: 'Univention'
@@ -694,17 +724,17 @@ images:
# upstreamRepository: 'bitnami/nginx'
registry: "registry-1.docker.io"
repository: "bitnami/nginx"
tag: "1.25.3@sha256:40ce0d6b8f5fc174a4df8c59c8893164c540192ee862cb7253650a30d9dc3b73"
tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
umsUdmRestApi:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
# upstreamRegistry: 'registry.souvap-univention.de'
# upstreamRepository: 'souvap/tooling/images/univention/udm-rest-api'
# upstreamRegistry: 'artifacts.software-univention.de'
# upstreamRepository: 'nubus/images/udm-rest-api'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
# upstreamMirrorStartFrom: ['0', '5', '2']
# upstreamMirrorStartFrom: ['0', '9', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
tag: "0.9.3@sha256:7cf2fec05a4ff8b7085a35a215edbce1eb9456c1ae140af46257e66d5a6cd6f7"
umsUmcGateway:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -714,7 +744,7 @@ images:
# upstreamMirrorStartFrom: ['0', '7', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
tag: "0.11.6@sha256:5d7c1a9b74409d2d7c42e08ca87b41cda506e43cad49efbc85a4ed6b8e9c6bc8"
umsUmcServer:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -724,7 +754,7 @@ images:
# upstreamMirrorStartFrom: ['0', '7', '3']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
tag: "0.11.8@sha256:38a87524703a1e11fbb3cd3cc9d90d5b719e92329a0e3ea05c50451105d64ac6"
umsWaitForDependency:
# providerCategory: 'Supplier'
# providerResponsible: 'Univention'
@@ -734,7 +764,7 @@ images:
# upstreamMirrorStartFrom: ['0', '9', '4']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
tag: "0.20.3@sha256:d1ccba5fe7448c2bda71c8a93f265a42a000e8dc79fd884e7e6ecdf29ad80efc"
wellKnown:
# providerCategory: 'Community'
# providerResponsible: 'Element'
@@ -748,9 +778,9 @@ images:
# providerResponsible: 'XWiki'
# upstreamRegistry: 'git.xwikisas.com:5050'
# upstreamRepository: 'xwikisas/swp/xwiki'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-.+$'
# upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-mariadb.+$'
# upstreamMirrorStartFrom: ['0', '12']
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
tag: "0.14-mariadb-jetty-alpine@sha256:276e871e3938bf80a86a0e1e63751c843920ccd260848badafec8689410ded80"
tag: "0.17-mariadb-jetty-alpine@sha256:9eb67520774c3022aa4485ce348be477f358263b716e647cacd057da3aca9739"
...

15
helmfile/environments/default/istio.gotmpl
View File

@@ -1,15 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
istio:
enabled: true
domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" | quote }}
virtualService:
enabled: false
gateway:
enabled: true
issuerRef:
name: "letsencrypt-istio-prod"
...

10
helmfile/environments/default/replicas.yaml
View File

@@ -44,9 +44,19 @@ replicas:
redis: 1
synapse: 1
synapseWeb: 1
umsKeycloakExtensionsHandler: 1
umsKeycloakExtensionsProxy: 1
umsLdapNotifier: 1
umsLdapServer: 1
umsNotificationsApi: 1
umsPortalFrontend: 1
umsPortalListener: 1
umsPortalServer: 1
umsSelfserviceListener: 1
umsStackGateway: 1
umsUdmRestApi: 1
umsUmcGateway: 1
umsUmcServer: 1
wellKnown: 1
xwiki: 1
...

35
helmfile/environments/default/resources.yaml
View File

@@ -396,6 +396,13 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
umsLdapServerInit:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsNotificationsApi:
limits:
cpu: 99
@@ -459,6 +466,13 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
umsProvisioningRegisterConsumer:
limits:
cpu: 0.5
memory: "256Mi"
requests:
cpu: 0.25
memory: "128Mi"
umsProvisioningNats:
limits:
cpu: 99
@@ -473,13 +487,6 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
umsSelfserviceListenerDependencies:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsStackDataUms:
limits:
cpu: 99
@@ -494,6 +501,13 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
umsStackGateway:
limits:
cpu: 99
memory: "64Mi"
requests:
cpu: 0.1
memory: "16Mi"
umsUdmRestApi:
limits:
cpu: 99
@@ -501,6 +515,13 @@ resources:
requests:
cpu: 0.1
memory: "256Mi"
umsUdmRestApiInit:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "256Mi"
umsUmcGateway:
limits:
cpu: 99

19
helmfile/environments/default/secrets.gotmpl
View File

@@ -1,5 +1,6 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
@@ -29,6 +30,20 @@ secrets:
storeDavUsers:
portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
provisioning:
apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
selfserviceListener:
provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-listener" "selfservice-listener" | sha1sum | quote }}
nats:
natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
postgresql:
postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
@@ -77,10 +92,8 @@ secrets:
jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
etherpad:
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
whiteboard:
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
centralnavigation:
apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
redis:

5
helmfile/environments/default/security.yaml
View File

@@ -7,4 +7,9 @@ security:
clusterPostfix:
enabled: false
namespace: ""
ingressController:
podSelector:
matchLabels:
app.kubernetes.io/name: "ingress-nginx"
namespace: "ingress-nginx"
...

1
helmfile/environments/default/selinux.yaml
View File

@@ -7,6 +7,7 @@
---
seLinuxOptions:
clamavSimple: ~
clamav: ~
clamd: ~
collabora: ~
cryptpad: ~

3
helmfile/environments/default/workplace.yaml
View File

@@ -1,3 +1,4 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
@@ -15,6 +16,8 @@ dovecot:
enabled: true
element:
enabled: true
home:
enabled: true
intercom:
enabled: true
jitsi:

12
helmfile/environments/test/values.yaml.gotmpl
View File

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
imageRegistry: "my_private_registry.domain.tld"
imagePullSecrets:
- "kyverno-test"
imagePullPolicy: "kyverno"
@@ -75,9 +75,19 @@ replicas:
redis: 42
synapse: 42
synapseWeb: 42
umsKeycloakExtensionsHandler: 42
umsKeycloakExtensionsProxy: 42
umsLdapNotifier: 42
umsLdapServer: 42
umsNotificationsApi: 42
umsPortalFrontend: 42
umsPortalListener: 42
umsPortalServer: 42
umsSelfserviceListener: 42
umsStackGateway: 42
umsUdmRestApi: 42
umsUmcGateway: 42
umsUmcServer: 42
wellKnown: 42
xwiki: 42
...