mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 15:31:38 +01:00
Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
b7f220a6b6 | ||
|
|
fb7dba787c | ||
|
|
72e3afdffd | ||
|
|
85b8fcaab5 | ||
|
|
c3129f1443 |
20
CHANGELOG.md
20
CHANGELOG.md
@@ -1,3 +1,18 @@
|
||||
## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
|
||||
* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
|
||||
|
||||
## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
|
||||
|
||||
## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
|
||||
|
||||
|
||||
@@ -452,3 +467,8 @@
|
||||
* **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
|
||||
* **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
|
||||
* **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
|
||||
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
|
||||
73
README.md
73
README.md
@@ -215,6 +215,7 @@ subdirectory `/helmfile/apps/services`.
|
||||
| Jitsi | `jitsi.enabled` | `true` | Videoconferencing | Functional |
|
||||
| Keycloak | `keycloak.enabled` | `true` | Identity Provider | Functional |
|
||||
| MariaDB | `mariadb.enabled` | `true` | Database | Eval |
|
||||
| Memcached | `memcached.enabled` | `true` | Cache Database | Eval |
|
||||
| Nextcloud | `nextcloud.enabled` | `true` | File share | Functional |
|
||||
| OpenProject | `openproject.enabled` | `true` | Project management | Functional |
|
||||
| OX Appsuite | `oxAppsuite.enabled` | `true` | Groupware | Functional |
|
||||
@@ -238,8 +239,8 @@ subdirectory `/helmfile/apps/services`.
|
||||
|
||||
#### Databases
|
||||
|
||||
In case you don't got for a develop or evaluation environment you want to point
|
||||
the application to your own database instances.
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade database
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
|
||||
@@ -283,6 +284,24 @@ the application to your own database instances.
|
||||
| | | | Username | `databases.xwiki.username` | `xwiki_user` |
|
||||
| | | | Password | `databases.xwiki.password` | |
|
||||
|
||||
#### Cache
|
||||
|
||||
When deploying this suite to production, you need to configure the applications to use your production grade cache
|
||||
service.
|
||||
|
||||
| Component | Name | Type | Parameter | Key | Default |
|
||||
|------------------|------------------|-----------|-----------|------------------------------|------------------|
|
||||
| Intercom Service | Intercom Service | Redis | | | |
|
||||
| | | | Host | `cache.intercomService.host` | `redis-headless` |
|
||||
| | | | Port | `cache.intercomService.port` | `6379` |
|
||||
| Nextcloud | Nextcloud | Redis | | | |
|
||||
| | | | Host | `cache.nextcloud.host` | `redis-headless` |
|
||||
| | | | Port | `cache.nextcloud.port` | `6379` |
|
||||
| OpenProject | OpenProject | Memcached | | | |
|
||||
| | | | Host | `cache.openproject.host` | `memcached` |
|
||||
| | | | Port | `cache.openproject.port` | `11211` |
|
||||
|
||||
|
||||
### Scaling
|
||||
|
||||
The Replicas of components can be increased, while we still have to look in the
|
||||
@@ -350,30 +369,32 @@ This section summarizes various aspects of security and compliance aspects.
|
||||
This list gives you an overview of default security settings and if they comply with security standards:
|
||||
|
||||
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||
|
||||
|
||||
### Helm Chart Trust Chain
|
||||
|
||||
@@ -29,7 +29,7 @@ ingress:
|
||||
collabora:
|
||||
# Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
|
||||
username: "collabora-internal-admin"
|
||||
password: {{ .Values.secrets.collabora.adminPassword }}
|
||||
password: {{ .Values.secrets.collabora.adminPassword | quote }}
|
||||
aliasgroups:
|
||||
- host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@ configuration:
|
||||
host: "{{ .Values.databases.synapse.host }}"
|
||||
name: "{{ .Values.databases.synapse.name }}"
|
||||
user: "{{ .Values.databases.synapse.username }}"
|
||||
password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
|
||||
password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
|
||||
|
||||
homeserver:
|
||||
oidc:
|
||||
@@ -41,7 +41,7 @@ configuration:
|
||||
port: {{ .Values.turn.server.port }}
|
||||
transport: {{ .Values.turn.transport }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
guestModule:
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
@@ -15,9 +15,8 @@ repositories:
|
||||
releases:
|
||||
- name: "intercom-service"
|
||||
chart: "intercom-service-repo/intercom-service"
|
||||
version: "1.1.3"
|
||||
version: "2.0.0"
|
||||
values:
|
||||
- "values.yaml"
|
||||
- "values.gotmpl"
|
||||
condition: "intercom.enabled"
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: "{{ .Values.global.imageRegistry }}"
|
||||
domain: "{{ .Values.global.domain }}"
|
||||
hosts:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
@@ -24,13 +25,14 @@ ics:
|
||||
portal:
|
||||
apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
|
||||
redis:
|
||||
password: {{ .Values.secrets.redis.password }}
|
||||
host: {{ .Values.cache.intercomService.host }}
|
||||
port: {{ .Values.cache.intercomService.port }}
|
||||
password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
|
||||
openxchange:
|
||||
url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
|
||||
image:
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.intercom.repository }}"
|
||||
tag: "{{ .Values.images.intercom.tag }}"
|
||||
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
istio:
|
||||
enabled: false
|
||||
virtualService:
|
||||
enabled: false
|
||||
...
|
||||
@@ -86,7 +86,7 @@ jitsi:
|
||||
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
|
||||
tag: "{{ .Values.images.jicofo.tag }}"
|
||||
xmpp:
|
||||
password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
|
||||
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
|
||||
componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
|
||||
resources:
|
||||
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
|
||||
|
||||
@@ -17,7 +17,7 @@ cleanup:
|
||||
|
||||
config:
|
||||
administrator:
|
||||
password: "{{ .Values.secrets.keycloak.adminPassword }}"
|
||||
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
|
||||
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
global:
|
||||
keycloak:
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
postgresql:
|
||||
connection:
|
||||
host: "{{ .Values.databases.keycloakExtension.host }}"
|
||||
@@ -13,7 +13,7 @@ global:
|
||||
auth:
|
||||
database: "{{ .Values.databases.keycloakExtension.name }}"
|
||||
username: "{{ .Values.databases.keycloakExtension.username }}"
|
||||
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
|
||||
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
|
||||
handler:
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
@@ -21,7 +21,7 @@ handler:
|
||||
tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
|
||||
imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
appConfig:
|
||||
smtpPassword: "{{ .Values.smtp.password }}"
|
||||
smtpPassword: {{ .Values.smtp.password | quote }}
|
||||
smtpHost: "{{ .Values.smtp.host }}"
|
||||
smtpUsername: "{{ .Values.smtp.username }}"
|
||||
mailFrom: "noreply@{{ .Values.global.domain }}"
|
||||
|
||||
@@ -20,10 +20,10 @@ externalDatabase:
|
||||
port: {{ .Values.databases.keycloak.port }}
|
||||
user: "{{ .Values.databases.keycloak.username }}"
|
||||
database: "{{ .Values.databases.keycloak.name }}"
|
||||
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
|
||||
password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
|
||||
|
||||
auth:
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.keycloak }}
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ global:
|
||||
|
||||
config:
|
||||
administrator:
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword }}
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
|
||||
|
||||
antivirus:
|
||||
{{- if .Values.clamavDistributed.enabled }}
|
||||
@@ -25,15 +25,15 @@ config:
|
||||
|
||||
apps:
|
||||
integrationSwp:
|
||||
password: {{ .Values.secrets.centralnavigation.apiKey }}
|
||||
password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
userOidc:
|
||||
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
|
||||
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
|
||||
|
||||
database:
|
||||
host: "{{ .Values.databases.nextcloud.host }}"
|
||||
name: "{{ .Values.databases.nextcloud.name }}"
|
||||
user: "{{ .Values.databases.nextcloud.username }}"
|
||||
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
|
||||
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
|
||||
|
||||
ldapSearch:
|
||||
password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
|
||||
|
||||
@@ -6,16 +6,20 @@ SPDX-License-Identifier: Apache-2.0
|
||||
nextcloud:
|
||||
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
|
||||
username: "nextcloud"
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword }}
|
||||
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
|
||||
externalDatabase:
|
||||
database: "{{ .Values.databases.nextcloud.name }}"
|
||||
user: "{{ .Values.databases.nextcloud.username }}"
|
||||
host: "{{ .Values.databases.nextcloud.host }}"
|
||||
password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
|
||||
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
|
||||
extraEnv:
|
||||
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
|
||||
REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
|
||||
REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
|
||||
redis:
|
||||
auth:
|
||||
enabled: true
|
||||
password: {{ .Values.secrets.redis.password }}
|
||||
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
className: {{ .Values.ingress.ingressClassName }}
|
||||
|
||||
@@ -16,10 +16,10 @@ imagePullSecrets:
|
||||
|
||||
dovecot:
|
||||
mailDomain: "{{ .Values.global.domain }}"
|
||||
password: {{ .Values.secrets.dovecot.doveadm }}
|
||||
password: {{ .Values.secrets.dovecot.doveadm | quote }}
|
||||
ldap:
|
||||
dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
|
||||
password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
|
||||
oidc:
|
||||
introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
|
||||
clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
|
||||
|
||||
@@ -11,8 +11,8 @@ global:
|
||||
database: "{{ .Values.databases.oxAppsuite.name }}"
|
||||
auth:
|
||||
user: "{{ .Values.databases.oxAppsuite.username }}"
|
||||
password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
|
||||
rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
|
||||
password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
|
||||
rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
|
||||
|
||||
istio:
|
||||
enabled: {{ .Values.istio.enabled }}
|
||||
|
||||
@@ -14,6 +14,9 @@ image:
|
||||
tag: "{{ .Values.images.openproject.tag }}"
|
||||
|
||||
memcached:
|
||||
connection:
|
||||
host: "{{ .Values.cache.openproject.host }}"
|
||||
port: {{ .Values.cache.openproject.port }}
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.memcached.repository }}"
|
||||
@@ -21,7 +24,7 @@ memcached:
|
||||
|
||||
postgresql:
|
||||
auth:
|
||||
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
|
||||
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
|
||||
username: "{{ .Values.databases.openproject.username }}"
|
||||
database: "{{ .Values.databases.openproject.name }}"
|
||||
connection:
|
||||
@@ -35,7 +38,7 @@ openproject:
|
||||
name: "OpenProject Interal Admin"
|
||||
mail: "openproject-admin@swp-domain.internal"
|
||||
password_reset: "false"
|
||||
password: "{{ .Values.secrets.openproject.adminPassword }}"
|
||||
password: {{ .Values.secrets.openproject.adminPassword | quote }}
|
||||
|
||||
ingress:
|
||||
host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
|
||||
|
||||
@@ -4,6 +4,9 @@
|
||||
image:
|
||||
registry: "registry.souvap-univention.de"
|
||||
|
||||
memcached:
|
||||
bundled: false
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
initialDelaySeconds: 300
|
||||
@@ -27,6 +30,12 @@ openproject:
|
||||
# seed will only be executed on initial installation
|
||||
seed_locale: "de"
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
# For more details and more options see
|
||||
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
|
||||
environment:
|
||||
|
||||
@@ -21,7 +21,7 @@ oxConnector:
|
||||
domainName: "{{ .Values.global.domain }}"
|
||||
#oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
|
||||
oxMasterAdmin: "admin"
|
||||
oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
|
||||
oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
|
||||
oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
|
||||
oxDefaultContext: "1"
|
||||
|
||||
|
||||
@@ -82,6 +82,13 @@ releases:
|
||||
- "values-redis.gotmpl"
|
||||
- "values-redis.yaml"
|
||||
condition: "redis.enabled"
|
||||
- name: "memcached"
|
||||
chart: "bitnami-repo/memcached"
|
||||
version: "6.6.2"
|
||||
values:
|
||||
- "values-memcached.yaml"
|
||||
- "values-memcached.gotmpl"
|
||||
condition: "memcached.enabled"
|
||||
- name: "postgresql"
|
||||
chart: "postgresql-repo/postgresql"
|
||||
version: "2.0.2"
|
||||
|
||||
@@ -18,11 +18,11 @@ image:
|
||||
job:
|
||||
users:
|
||||
- username: "xwiki_user"
|
||||
password: "{{ .Values.secrets.mariadb.xwikiUser }}"
|
||||
password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
|
||||
- username: "openxchange_user"
|
||||
password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
|
||||
password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
|
||||
- username: "nextcloud_user"
|
||||
password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
|
||||
password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
|
||||
databases:
|
||||
- name: "xwiki"
|
||||
user: "xwiki_user"
|
||||
@@ -32,7 +32,7 @@ job:
|
||||
user: "openxchange_user"
|
||||
|
||||
mariadb:
|
||||
rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
|
||||
rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
|
||||
|
||||
persistence:
|
||||
storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
|
||||
|
||||
19
helmfile/apps/services/values-memcached.gotmpl
Normal file
19
helmfile/apps/services/values-memcached.gotmpl
Normal file
@@ -0,0 +1,19 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imageRegistry: "{{ .Values.global.imageRegistry }}"
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
repository: "{{ .Values.images.memcached.repository }}"
|
||||
tag: "{{ .Values.images.memcached.tag }}"
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.memcached | toYaml | nindent 2 }}
|
||||
...
|
||||
18
helmfile/apps/services/values-memcached.yaml
Normal file
18
helmfile/apps/services/values-memcached.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1001
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
...
|
||||
@@ -16,15 +16,15 @@ image:
|
||||
job:
|
||||
users:
|
||||
- username: "keycloak_user"
|
||||
password: {{ .Values.secrets.postgresql.keycloakUser }}
|
||||
password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
|
||||
- username: "openproject_user"
|
||||
password: {{ .Values.secrets.postgresql.openprojectUser }}
|
||||
password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
|
||||
- username: "keycloak_extensions_user"
|
||||
password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
|
||||
password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
|
||||
- username: "matrix_user"
|
||||
password: {{ .Values.secrets.postgresql.matrixUser }}
|
||||
password: {{ .Values.secrets.postgresql.matrixUser | quote }}
|
||||
- username: "notificationsapi_user"
|
||||
password: {{ .Values.secrets.postgresql.notificationsapiUser }}
|
||||
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
|
||||
databases:
|
||||
- name: "keycloak"
|
||||
user: "keycloak_user"
|
||||
@@ -43,7 +43,7 @@ persistence:
|
||||
size: "{{ .Values.persistence.size.postgresql }}"
|
||||
|
||||
postgres:
|
||||
password: {{ .Values.secrets.postgresql.postgresUser }}
|
||||
password: {{ .Values.secrets.postgresql.postgresUser | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.postgresql | toYaml | nindent 2 }}
|
||||
|
||||
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
auth:
|
||||
password: {{ .Values.secrets.redis.password }}
|
||||
password: {{ .Values.secrets.redis.password | quote }}
|
||||
|
||||
global:
|
||||
imageRegistry: "{{ .Values.global.imageRegistry }}"
|
||||
|
||||
@@ -37,31 +37,31 @@ extraEnvVars:
|
||||
- name: LDAPSEARCH_OX_USERNAME
|
||||
value: "ldapsearch_ox"
|
||||
- name: LDAPSEARCH_OX_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
|
||||
- name: LDAPSEARCH_DOVECOT_USERNAME
|
||||
value: "ldapsearch_dovecot"
|
||||
- name: LDAPSEARCH_DOVECOT_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
|
||||
- name: LDAPSEARCH_KEYCLOAK_USERNAME
|
||||
value: "ldapsearch_keycloak"
|
||||
- name: LDAPSEARCH_KEYCLOAK_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
|
||||
- name: LDAPSEARCH_NEXTCLOUD_USERNAME
|
||||
value: "ldapsearch_nextcloud"
|
||||
- name: LDAPSEARCH_NEXTCLOUD_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
|
||||
- name: LDAPSEARCH_OPENPROJECT_USERNAME
|
||||
value: "ldapsearch_openproject"
|
||||
- name: LDAPSEARCH_OPENPROJECT_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
|
||||
- name: LDAPSEARCH_XWIKI_USERNAME
|
||||
value: "ldapsearch_xwiki"
|
||||
- name: LDAPSEARCH_XWIKI_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
|
||||
- name: DEFAULT_ACCOUNT_USER_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
|
||||
- name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
|
||||
value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
|
||||
|
||||
@@ -11,7 +11,7 @@ postgresql:
|
||||
auth:
|
||||
username: "notificationsapi_user"
|
||||
database: "notificationsapi"
|
||||
password: {{ .Values.secrets.postgresql.notificationsapiUser }}
|
||||
password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
|
||||
|
||||
image:
|
||||
registry: "{{ .Values.global.imageRegistry }}"
|
||||
|
||||
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
stackDataSwp:
|
||||
udmApiUsername: "cn=admin"
|
||||
udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
|
||||
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||
loadDevData: true
|
||||
|
||||
|
||||
@@ -5,13 +5,13 @@ SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
stackDataUms:
|
||||
udmApiUser: "cn=admin"
|
||||
udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
|
||||
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
|
||||
udmApiUrl: "http://ums-udm-rest-api/udm/"
|
||||
loadDevData: true
|
||||
|
||||
stackDataContext:
|
||||
ldapBase: "dc=swp-ldap,dc=internal"
|
||||
initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
|
||||
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
|
||||
|
||||
# The SWP configuration brings its own UMC policies.
|
||||
installUmcPolicies: false
|
||||
|
||||
@@ -9,7 +9,7 @@ image:
|
||||
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
|
||||
|
||||
externalDB:
|
||||
password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
|
||||
password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
|
||||
database: "{{ .Values.databases.xwiki.name }}"
|
||||
user: "{{ .Values.databases.xwiki.username }}"
|
||||
host: "{{ .Values.databases.xwiki.host }}"
|
||||
|
||||
16
helmfile/environments/default/cache.yaml
Normal file
16
helmfile/environments/default/cache.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
cache:
|
||||
intercomService:
|
||||
host: "redis-headless"
|
||||
port: 6379
|
||||
password: ""
|
||||
nextcloud:
|
||||
host: "redis-headless"
|
||||
port: 6379
|
||||
password: ""
|
||||
openproject:
|
||||
host: "memcached"
|
||||
port: 11211
|
||||
...
|
||||
@@ -77,8 +77,8 @@ images:
|
||||
# @supplier: "openDesk DevSecOps"
|
||||
memcached:
|
||||
repository: "bitnami/memcached"
|
||||
tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
|
||||
# @supplier: "OpenProject"
|
||||
tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
|
||||
# @supplier: "openDesk DevSecOps"
|
||||
milter:
|
||||
repository: "clamav/clamav"
|
||||
tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
|
||||
|
||||
@@ -114,6 +114,13 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "500Mi"
|
||||
memcached:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: "256Mi"
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "32Mi"
|
||||
milter:
|
||||
limits:
|
||||
cpu: 4
|
||||
|
||||
@@ -21,6 +21,8 @@ keycloak:
|
||||
enabled: true
|
||||
mariadb:
|
||||
enabled: true
|
||||
memcached:
|
||||
enabled: true
|
||||
nextcloud:
|
||||
enabled: true
|
||||
openproject:
|
||||
|
||||
Reference in New Issue
Block a user