mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-07 07:51:38 +01:00
Compare commits
22 Commits
v1.1.0
...
trossner/n
| Author | SHA1 | Date | |
|---|---|---|---|
|
732a807cb0 | ||
|
|
d545768bfe | ||
|
|
6d300304ee | ||
|
|
da79f3b286 | ||
|
|
ed5bf231cc | ||
|
|
f4faebaf68 | ||
|
|
574acb5976 | ||
|
|
44d5e5a2b5 | ||
|
|
984b23c73b | ||
|
|
abca53d02f | ||
|
|
a159724abd | ||
|
|
8c1b0802a0 | ||
|
|
000af5a604 | ||
|
|
ba9560d14b | ||
|
|
0c91117575 | ||
|
|
6c67eca7aa | ||
|
|
0e21d2cea5 | ||
|
|
a13cf63024 | ||
|
|
28a6528528 | ||
|
|
2926e2c93a | ||
|
|
6796f320f7 | ||
|
|
63562c1aae |
@@ -1,12 +1,11 @@
|
||||
# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
include:
|
||||
- project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
|
||||
ref: "v2.4.8"
|
||||
file:
|
||||
- "ci/common/automr.yml"
|
||||
- "ci/common/lint.yml"
|
||||
- "ci/release-automation/semantic-release.yml"
|
||||
- local: "/.gitlab/generate/generate-docs.yml"
|
||||
@@ -32,7 +31,6 @@ stages:
|
||||
- ".pre"
|
||||
- "renovate"
|
||||
- "scan"
|
||||
- "automr"
|
||||
- "env-cleanup"
|
||||
- "env"
|
||||
- "pre-services-deploy"
|
||||
|
||||
@@ -2,10 +2,10 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
variables:
|
||||
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.6\
|
||||
@sha256:2e5ed5e4f7870c8f72314805de0e295660578af8f1bb6da7546fe413b0efd3a0"
|
||||
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.11\
|
||||
@sha256:5673584a8f1bb3e3941a7a27647fdeb768d2250b69fe3df2f36a0ec6ac21d981"
|
||||
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
|
||||
@sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
|
||||
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
|
||||
@sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
|
||||
|
||||
.common:
|
||||
cache: {}
|
||||
|
||||
@@ -31,7 +31,11 @@ lint-kyverno:
|
||||
- >
|
||||
node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
|
||||
-d ${CI_PROJECT_DIR}/helmfile/environments
|
||||
-x ${CI_PROJECT_DIR}/.kyverno/_overwrite.yaml
|
||||
- "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
|
||||
- >
|
||||
node /app/opendesk-ci-cli/src/index.js remove-empty-keys
|
||||
-f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml
|
||||
- "cd ${CI_PROJECT_DIR}/.kyverno"
|
||||
# Test optional
|
||||
- >
|
||||
|
||||
6
.kyverno/_overwrite.yaml
Normal file
6
.kyverno/_overwrite.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
---
|
||||
replicas:
|
||||
umsLdapServerPrimary: 2
|
||||
...
|
||||
@@ -30,7 +30,7 @@ openDesk currently features the following functional main components:
|
||||
|
||||
| Function | Functional Component | Component<br/>Version | Upstream Documentation |
|
||||
| -------------------- | --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.87](https://github.com/element-hq/element-desktop/releases/tag/v1.11.87) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89) | [For the most recent release](https://element.io/user-guide) |
|
||||
| Diagram editor | CryptPad ft. diagrams.net | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
|
||||
| File management | Nextcloud | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8) | [Nextcloud 29](https://docs.nextcloud.com/) |
|
||||
| Groupware | OX App Suite | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/) | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
|
||||
|
||||
@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
<h1>Architecture</h1>
|
||||
|
||||
<!-- TOC -->
|
||||
* [Overview](#overview)
|
||||
* [Nubus (IAM)](#nubus-iam)
|
||||
* [Authentication](#authentication)
|
||||
@@ -37,6 +38,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [XWiki (Knowledge management)](#xwiki-knowledge-management)
|
||||
* [Application specific user accounts](#application-specific-user-accounts)
|
||||
* [Footnotes](#footnotes)
|
||||
<!-- TOC -->
|
||||
|
||||
openDesk is designed as a [Kubernetes](https://kubernetes.io) deployment.
|
||||
|
||||
|
||||
@@ -51,6 +51,10 @@ This chapter presents APIs available in openDesk grouped by applications.
|
||||
* [Matrix Server-Server API](#matrix-server-server-api)
|
||||
* [Matrix Push Gateway API](#matrix-push-gateway-api)
|
||||
* [Matrix Identity Service API](#matrix-identity-service-api)
|
||||
* [Matrix React SDK Module API](#matrix-react-sdk-module-api)
|
||||
* [Matrix Widget API](#matrix-widget-api)
|
||||
* [NeoBoard Data Model API](#neoboard-data-model-api)
|
||||
* [NeoDateFix REST API](#neodatefix-rest-api)
|
||||
* [Knowledge management - XWiki](#knowledge-management---xwiki)
|
||||
* [REST API](#rest-api-1)
|
||||
* [Scripting API](#scripting-api)
|
||||
@@ -647,7 +651,56 @@ Following are APIs used by the Project management application:
|
||||
|
||||
While Jitsi is available as standalone videoconferencing in openDesk, it is also used in [Element as videoconferencing backend](https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md).
|
||||
|
||||
|
||||
```mermaid
|
||||
---
|
||||
config:
|
||||
class:
|
||||
hideEmptyMembersBox: true
|
||||
---
|
||||
classDiagram
|
||||
class CommunicationService["Communication Service"] {
|
||||
<<interface>>
|
||||
}
|
||||
|
||||
class MxChat["Element Matrix Chat"] {
|
||||
<<interface>>
|
||||
}
|
||||
class JitsiVideoConference["Jitsi Video Conference"] {
|
||||
<<interface>>
|
||||
}
|
||||
|
||||
CommunicationService <|.. MxChat
|
||||
CommunicationService <|.. JitsiVideoConference
|
||||
MxChat <-- JitsiVideoConference
|
||||
|
||||
class MxAppServiceApi["Matrix Application Service API"]
|
||||
class MxClientServerApi["Matrix Client Server API"]
|
||||
class MxServerServerApi["Matrix Server Server API"]
|
||||
class MxPushGatewayApi["Matrix Push Gateway API"]
|
||||
class MxIdentityServiceApi["Matrix Identity Service API"]
|
||||
class MxRtc["Matrix RTC"]
|
||||
class MxElementWebModuleApi["Matrix React SDK Module API"]
|
||||
class MxWidgetApi["Matrix Widget API"]
|
||||
class NeoBoardDataModelApi["NeoBoard Data Model API"]
|
||||
class NeoDateFixRestApi["NeoDateFix REST API"]
|
||||
|
||||
MxChat *-- MxAppServiceApi
|
||||
MxChat *-- MxClientServerApi
|
||||
MxChat *-- MxServerServerApi
|
||||
MxChat *-- MxPushGatewayApi
|
||||
MxChat *-- MxIdentityServiceApi
|
||||
MxChat *-- MxRtc
|
||||
MxChat *-- MxElementWebModuleApi
|
||||
MxChat *-- MxWidgetApi
|
||||
|
||||
class JitsiIframeApi["Jitsi iFrame API"]
|
||||
class JitsiMeetApi["Jitsi Meet API"]
|
||||
class JitsiMeetReactSdk["Jitsi Meet React SDK"]
|
||||
|
||||
JitsiVideoConference *-- JitsiIframeApi
|
||||
JitsiVideoConference *-- JitsiMeetApi
|
||||
JitsiVideoConference *-- JitsiMeetReactSdk
|
||||
```
|
||||
|
||||
Following are APIs used by the Chat application:
|
||||
|
||||
@@ -741,6 +794,74 @@ Following are APIs used by the Chat application:
|
||||
| Supported standards | [Matrix](https://spec.matrix.org/latest/identity-service-api/) |
|
||||
| Documentation | [Synapse](https://element-hq.github.io/synapse/latest/) is the reference implementation of the Matrix protocol, see standard for API details |
|
||||
|
||||
## Matrix React SDK Module API
|
||||
|
||||
| Name | Matrix React SDK Module API |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | The module system in Element Web is a way to add or modify functionality of Element Web itself, bundled at compile time for the app. |
|
||||
| Versioning | [Releases in the Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api/releases); [Dependency in `package.json` in Element (Chat Web-UI)](https://github.com/element-hq/element-web/blob/develop/package.json) |
|
||||
| Authentication | n/a - used as a library |
|
||||
| In openDesk provided by | Element (Chat Web-UI) |
|
||||
| Transport protocol | n/a - used as a library |
|
||||
| Usage within component | [Element (Chat-Web-UI) Modules](https://github.com/nordeck/element-web-modules/) |
|
||||
| Usage within openDesk | none |
|
||||
| Usage for external integration | n/a - uses as a library |
|
||||
| Parallel access | Allowed |
|
||||
| Message protocol | n/a - used as a library |
|
||||
| Supported standards | n/a - Element (Chat Web-UI) specific |
|
||||
| Documentation | [Element (Chat Web-UI) Documentation](https://github.com/element-hq/element-web/blob/develop/docs/modules.md); [matrix-react-sdk-module-api Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api) |
|
||||
|
||||
## Matrix Widget API
|
||||
|
||||
| Name | Matrix Widget API |
|
||||
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | Matrix Widgets are HTML and Javascript content / applications that can be embedded within, and communicate with Matrix clients. |
|
||||
| Versioning | n/a |
|
||||
| Authentication | Widgets request capabilities. They must be confirmed by a user or by the [Widget Lifecycle Module](https://github.com/nordeck/element-web-modules/blob/main/packages/element-web-widget-lifecycle-module/README.md). |
|
||||
| In openDesk provided by | Element (Chat Web-UI) |
|
||||
| Transport protocol | [HTML window.postMessage API](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) |
|
||||
| Usage within component | [NeoDateFix](https://github.com/nordeck/matrix-meetings/), [NeoBoard](https://github.com/nordeck/matrix-neoboard), [NeoChoice](https://github.com/nordeck/matrix-poll) |
|
||||
| Usage within openDesk | none |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | Allowed |
|
||||
| Message protocol | JSON |
|
||||
| Supported standards | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764) |
|
||||
| Documentation | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764) |
|
||||
|
||||
## NeoBoard Data Model API
|
||||
|
||||
| Name | NeoBoard Data Model API |
|
||||
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | The NeoBoard data model can be used to generate whiteboard documents. |
|
||||
| Versioning | `version` field in the [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/blob/main/docs/model/export-format.md#fields) |
|
||||
| Authentication | n/a |
|
||||
| In openDesk provided by | [NeoBoard](https://github.com/nordeck/matrix-neoboard) |
|
||||
| Transport protocol | n/a |
|
||||
| Usage within component | [NeoBoard](https://github.com/nordeck/matrix-neoboard) |
|
||||
| Usage within openDesk | none |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | n/a |
|
||||
| Message protocol | JSON |
|
||||
| Supported standards | n/a |
|
||||
| Documentation | [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/tree/main/docs/model) |
|
||||
|
||||
## NeoDateFix REST API
|
||||
|
||||
| Name | NeoDateFix REST API |
|
||||
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Purpose | Can be used to query and set up NeoDateFix Matrix meetings. |
|
||||
| Versioning | Path segment in the [Meetings Bot API](https://github.com/nordeck/matrix-meetings/blob/main/docs/data-model.md#http-api) |
|
||||
| Authentication | n/a |
|
||||
| In openDesk provided by | [NeoDateFix](https://github.com/nordeck/matrix-meetings) |
|
||||
| Transport protocol | HTTP(S) |
|
||||
| Usage within component | [NeoDateFix](https://github.com/nordeck/matrix-meetings) |
|
||||
| Usage within openDesk | Used by OX to sync calendar entries to NeoDateFix |
|
||||
| Usage for external integration | none |
|
||||
| Parallel access | n/a |
|
||||
| Message protocol | JSON |
|
||||
| Supported standards | n/a |
|
||||
| Documentation | [NeoDateFix ADR001](https://github.com/nordeck/matrix-meetings/blob/main/docs/adrs/adr001-use-the-widget-api-to-interact-with-the-meetings-bot.md) |
|
||||
|
||||
# Knowledge management - XWiki
|
||||
|
||||
Following are APIs used by the Knowledge management application:
|
||||
@@ -804,7 +925,7 @@ Following are APIs used by the Knowledge management application:
|
||||
|
||||
## JavaScript API
|
||||
|
||||
| Name | Javascript API |
|
||||
| Name | JavaScript API |
|
||||
| ------------------------------ | -------------------------------------------------------------------------------------------- |
|
||||
| Purpose | Include dynamic components in XWiki/web pages |
|
||||
| Versioning | |
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 28 KiB |
@@ -95,8 +95,8 @@ XWiki,PersistentVolume,1
|
||||
| **OpenProject** | PostgreSQL | Yes | Application's main database | `openproject` | |
|
||||
| | S3 | Yes | Attachments, custom styles | `openproject` | |
|
||||
| | Memcached | No | Cache | | |
|
||||
| | PVC | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject-<web|worker>-*-tmp` | `/tmp` |
|
||||
| | | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject-<web|worker>-app-*-tmp` | `/app/tmp` |
|
||||
| | PVC | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject-<web/worker>-*-tmp` | `/tmp` |
|
||||
| | | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject-<web/worker>-app-*-tmp` | `/app/tmp` |
|
||||
| **Open-Xchange** | MariaDB | Yes | Application's control database to coordiate dynamically created ones | `configdb` | |
|
||||
| | | Yes | Dynamically creates databases of schema `PRIMARYDB_n`containing multiple contexts | `PRIMARYDB_*` | |
|
||||
| | | Yes | OX Guard related settings | `oxguard*` | |
|
||||
@@ -113,5 +113,5 @@ Additionally, the following persistent volumes are mounted by pods that serve as
|
||||
| ---------- | ---------------- | ------------ | --------------------------- | --------------------- |
|
||||
| MariaDB | `mariadb-*` | `data` | `data-mariadb-0` | `/var/lib/mysql` |
|
||||
| MinIO | `minio-*-*` | `data` | `minio` | `/bitnami/minio/data` |
|
||||
| PostgreSQK | `postgresql-*` | `data` | `data-postgresql-0` | `/mnt/postgresql` |
|
||||
| PostgreSQL | `postgresql-*` | `data` | `data-postgresql-0` | `/mnt/postgresql` |
|
||||
| Redis | `redis-master-*` | `redis-data` | `redis-data-redis-master-0` | `/data` |
|
||||
|
||||
@@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
|
||||
* [Temporary/ephemeral containers](#temporaryephemeral-containers)
|
||||
* [Components](#components)
|
||||
* [Helmfile](#helmfile)
|
||||
* [MariaDB](#mariadb)
|
||||
* [Nextcloud](#nextcloud)
|
||||
* [OpenProject](#openproject)
|
||||
@@ -29,7 +30,7 @@ We for sure do not want to reinvent the wheel, so we might link to external sour
|
||||
information where available.
|
||||
|
||||
> **Warning**<br>
|
||||
> You should never enable the debug option in production environments! By looking up `debug.enable` in the deployment, you
|
||||
> You should never enable the debug option in production environments! By looking up `debug.enabled` in the deployment, you
|
||||
will find the various places changes are applied when enabling debugging. So, outside of development and test
|
||||
environments, you should use them thoughtfully and carefully if needed.
|
||||
|
||||
@@ -38,7 +39,7 @@ environments, you should use them thoughtfully and carefully if needed.
|
||||
Check the openDesk [`debug.yaml.gotmpl`](../helmfile/environments/default/debug.yaml.gotmpl) and set for your deployment
|
||||
```
|
||||
debug:
|
||||
enable: true
|
||||
enabled: true
|
||||
```
|
||||
|
||||
This will result in:
|
||||
@@ -142,6 +143,15 @@ kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
|
||||
|
||||
# Components
|
||||
|
||||
## Helmfile
|
||||
|
||||
When refactoring the Helmfile structure you want to ensure that there are not unintended mistakes by e.g. `diff`
|
||||
comparing the output of Helmfile from before and after the change by calling:
|
||||
|
||||
```shell
|
||||
helmfile template -e dev >output_to_compare.yaml
|
||||
```
|
||||
|
||||
## MariaDB
|
||||
|
||||
When using the openDesk bundled MariaDB, you can explore the database(s) using the MariaDB interactive terminal from the Pod's command line: `mariadb -u root -p`. On the password prompt, provide the value for `MARIADB_ROOT_PASSWORD` found in the Pod's environment.
|
||||
|
||||
@@ -41,7 +41,7 @@ deploy openDesk onto your Kubernetes infrastructure.
|
||||
|
||||
# Requirements
|
||||
|
||||
Detailed system requirements are covered on the [requirements](requirements.md) page.
|
||||
Detailed system requirements are covered on the [requirements](./docs/requirements.md) page.
|
||||
|
||||
# Customize environment
|
||||
|
||||
|
||||
@@ -7,10 +7,13 @@ SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
<!-- TOC -->
|
||||
* [Disclaimer](#disclaimer)
|
||||
* [openDesk supported upgrade path](#opendesk-supported-upgrade-path)
|
||||
* [Releases upgrade details](#releases-upgrade-details)
|
||||
* [From v1.0.0](#from-v100)
|
||||
* [Pre-upgrade: Manual checks/steps from v1.0.0](#pre-upgrade-manual-checkssteps-from-v100)
|
||||
* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
|
||||
* [Manual update steps](#manual-update-steps)
|
||||
* [From v1.1.0: Manual checks/steps](#from-v110-manual-checkssteps)
|
||||
* [Pre-upgrade](#pre-upgrade)
|
||||
* [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
|
||||
* [From v1.0.0: Manual checks/steps](#from-v100-manual-checkssteps)
|
||||
* [Pre-upgrade](#pre-upgrade-1)
|
||||
* [Helmfile Cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
|
||||
* [Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
|
||||
* [Helmfile Cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
|
||||
@@ -20,8 +23,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
|
||||
* [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
|
||||
* [External requirements: Redis 7.4](#external-requirements-redis-74)
|
||||
* [Automated migrations from v1.0.0](#automated-migrations-from-v100)
|
||||
* [From v0.9.0](#from-v090)
|
||||
* [From v0.9.0: Manual checks/steps](#from-v090-manual-checkssteps)
|
||||
* [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
|
||||
* [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
|
||||
* [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
|
||||
@@ -30,52 +32,68 @@ SPDX-License-Identifier: Apache-2.0
|
||||
* [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
|
||||
* [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
|
||||
* [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
|
||||
* [Automated migrations from v0.9.0](#automated-migrations-from-v090)
|
||||
* [Post-upgrade: Manual steps](#post-upgrade-manual-steps)
|
||||
* [Post-upgrade](#post-upgrade)
|
||||
* [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
|
||||
* [Optional Cleanup](#optional-cleanup)
|
||||
* [From v0.8.1](#from-v081)
|
||||
* [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
|
||||
* [Updated customizable template attributes](#updated-customizable-template-attributes)
|
||||
* [`migrations` S3 bucket](#migrations-s3-bucket)
|
||||
* [Related components and artifacts](#related-components-and-artifacts)
|
||||
* [From v1.1.0: Manual checks/steps](#from-v110-manual-checkssteps-1)
|
||||
* [Pre-upgrade](#pre-upgrade-2)
|
||||
* [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
|
||||
* [Updated customizable template attributes](#updated-customizable-template-attributes)
|
||||
* [`migrations` S3 bucket](#migrations-s3-bucket)
|
||||
* [Automated migrations - Details](#automated-migrations---details)
|
||||
* [From v1.1.0: Automated migrations](#from-v110-automated-migrations)
|
||||
* [From v0.9.0: Automated migrations](#from-v090-automated-migrations)
|
||||
* [Related components and artifacts](#related-components-and-artifacts)
|
||||
* [Development](#development)
|
||||
<!-- TOC -->
|
||||
|
||||
# Disclaimer
|
||||
|
||||
With openDesk 1.0, we aim to offer hassle-free updates/upgrades.
|
||||
Starting with openDesk 1.0, we aim to offer hassle-free updates/upgrades.
|
||||
|
||||
But openDesk requires a defined upgrade path that is described in the section [openDesk supported upgrade path](#opendesk-supported-upgrade-path).
|
||||
Therefore openDesk contains automated migrations between versions to lower the requirements for manual interaction. These automated migrations can have limitations in the way that they need a certain openDesk version to be installed causing a mandatory upgrade path that is described in the section [Automated migrations](#automated-migrations).
|
||||
|
||||
Some upgrades even require manual interaction, which are referenced in the aforementioned section and described further down this document.
|
||||
Manual checks and possible activities are also required by openDesk updates, they are described in the section [Manual update steps](#manual-update-steps).
|
||||
|
||||
> **Known limitations:**<br>
|
||||
> **Note**<br>
|
||||
> Please be sure you read / follow the requirements before you update / upgrade thoroughly.
|
||||
|
||||
> **Known limitations**<br>
|
||||
> We assume that the PV reclaim policy is set to `delete`, resulting in PVs getting deleted as soon as the related PVC was deleted; we will not address explicit deletion for PVs.
|
||||
|
||||
# openDesk supported upgrade path
|
||||
# Automated migrations - Overview and mandatory upgrade path
|
||||
|
||||
When updating your openDesk installation you have to install the releases listed below in the sequential order from
|
||||
the lowest version number you are already on to the more current version you are looking to install.
|
||||
The following table gives an overview of the mandatory upgrade path of openDesk for the automated migrations to work as expected.
|
||||
|
||||
Explanation of the table's columns:
|
||||
- *Coming from*: Check the column for the release you are currently on.
|
||||
- *Mandatory release*: Defines which release(s) support the upgrade from your currently installed version.
|
||||
- *Automatic migration*: Summary of, or link to openDesk's automatic migration details.
|
||||
- *Manual activities*: Reference to required manual steps to upgrade your openDesk installation to the *Mandatory release*.
|
||||
To upgrade existing deployments, you cannot skip any version mentioned in the column *Mandatory version*. When a version number is not fully defined (e.g. `v1.1.x`), you can install any version matching the given schema.
|
||||
|
||||
| Coming from | Mandatory (minimum) release | Manual steps required | Details |
|
||||
| ------------- | --------------------------- | --------------------------------------------------------------------------------- | ----------------------------- |
|
||||
| v1.0.0 | v1.1.0 | [Before upgrade](#pre-upgrade-manual-checkssteps-from-v100) | See [From v1.0.0](#from-v100) |
|
||||
| v0.9.0 | v1.0.0 | [Before](#pre-upgrade-manual-steps) & [After upgrade](#post-upgrade-manual-steps) | See [From v0.9.0](#from-v090) |
|
||||
| v0.8.1 | v0.9.0 | Initializes migration system | See [From v0.8.1](#from-v081) |
|
||||
| not supported | v0.8.1 | First release that supporting updates | |
|
||||
| Mandatory version |
|
||||
| ----------------- |
|
||||
| v1.1.x |
|
||||
| v1.0.0 |
|
||||
| v0.9.0 |
|
||||
| v0.8.1 |
|
||||
|
||||
# Releases upgrade details
|
||||
> **Note**<br>
|
||||
> Be sure you check out the table in the release version you are going to install, an not the one that is currently installed.
|
||||
|
||||
## From v1.0.0
|
||||
When interested in more details about the automated migrations, please read section [Automated migrations - Details](#automated-migrations---details).
|
||||
|
||||
### Pre-upgrade: Manual checks/steps from v1.0.0
|
||||
# Manual update steps
|
||||
|
||||
Be sure you check all the sections for the releases your are going to update your current deployment from.
|
||||
|
||||
## From v1.1.0: Manual checks/steps
|
||||
|
||||
### Pre-upgrade
|
||||
|
||||
#### Helmfile new secret: `secrets.nubus.masterpassword`
|
||||
|
||||
A not yet templated secret was discovered in the Nubus deployment that is now defined in [`secrets.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl) with the key `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the value of the `MASTER_PASSWORD` environment variable used in your deployment.
|
||||
|
||||
## From v1.0.0: Manual checks/steps
|
||||
|
||||
### Pre-upgrade
|
||||
|
||||
#### Helmfile Cleanup: Restructured `/helmfile/files/theme` folder
|
||||
|
||||
@@ -236,18 +254,7 @@ The update from openDesk 1.0.0 contains Redis 7.4.1, like the other openDesk bun
|
||||
|
||||
Please ensure for the Redis you are using that it is updated to at least 7.4 to support the requirement of OX App Suite.
|
||||
|
||||
### Automated migrations from v1.0.0
|
||||
|
||||
With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
|
||||
|
||||
openDesk's automated migrations takes care of this upgrade requirement described here for
|
||||
[Nubus 1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.5.1/en/changelog.html#migrate-existing-ldap-server-to-mirror-mode-readiness),
|
||||
creating the config map with the mentioned label.
|
||||
|
||||
> **Note**<br>
|
||||
> Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
|
||||
|
||||
## From v0.9.0
|
||||
## From v0.9.0: Manual checks/steps
|
||||
|
||||
### Pre-upgrade: Manual steps
|
||||
|
||||
@@ -433,16 +440,7 @@ The IAMs admin account `Administrator` is a member of this group by default, but
|
||||
|
||||
If you need other accounts to use the API, please assign them to the aforementioned group.
|
||||
|
||||
### Automated migrations from v0.9.0
|
||||
|
||||
The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
|
||||
|
||||
The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
|
||||
|
||||
> **Note**<br>
|
||||
> Details can be found in [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
|
||||
|
||||
### Post-upgrade: Manual steps
|
||||
### Post-upgrade
|
||||
|
||||
#### Configuration Improvement: Separate user permission for using Video Conference component
|
||||
|
||||
@@ -472,14 +470,16 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
|
||||
kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
|
||||
```
|
||||
|
||||
## From v0.8.1
|
||||
## From v1.1.0: Manual checks/steps
|
||||
|
||||
### Updated `cluster.networking.cidr`
|
||||
### Pre-upgrade
|
||||
|
||||
#### Updated `cluster.networking.cidr`
|
||||
|
||||
- Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1); please update your setup accordingly if you explicitly set this value.
|
||||
- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
|
||||
|
||||
### Updated customizable template attributes
|
||||
#### Updated customizable template attributes
|
||||
|
||||
- Action: Please update your custom deployment values according to the updated default value structure.
|
||||
- References:
|
||||
@@ -488,12 +488,34 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
|
||||
- `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
|
||||
- `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
|
||||
|
||||
### `migrations` S3 bucket
|
||||
#### `migrations` S3 bucket
|
||||
|
||||
- Action: For self-managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
|
||||
- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
|
||||
|
||||
# Related components and artifacts
|
||||
# Automated migrations - Details
|
||||
|
||||
## From v1.1.0: Automated migrations
|
||||
|
||||
With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
|
||||
|
||||
openDesk's automated migrations takes care of this upgrade requirement described here for
|
||||
[Nubus 1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.5.1/en/changelog.html#migrate-existing-ldap-server-to-mirror-mode-readiness),
|
||||
creating the config map with the mentioned label.
|
||||
|
||||
> **Note**<br>
|
||||
> Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
|
||||
|
||||
## From v0.9.0: Automated migrations
|
||||
|
||||
The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
|
||||
|
||||
The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
|
||||
|
||||
> **Note**<br>
|
||||
> Details can be found in [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
|
||||
|
||||
## Related components and artifacts
|
||||
|
||||
openDesk comes with two upgrade steps as part of the deployment; they can be found in the folder [/helmfile/apps](../helmfile/apps/) as all other components:
|
||||
|
||||
|
||||
@@ -71,6 +71,12 @@ aio:
|
||||
value: {{ .Values.databases.nextcloud.username | quote }}
|
||||
password:
|
||||
value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
|
||||
pushNotify:
|
||||
enabled: {{ .Values.technical.nextcloud.pushNotify.enabled }}
|
||||
logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
|
||||
replicaCount: {{ .Values.replicas.nextcloudPushNotify }}
|
||||
resources:
|
||||
{{ .Values.resources.nextcloudPushNotify | toYaml | nindent 8 }}
|
||||
trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
|
||||
@@ -44,8 +44,6 @@ releases:
|
||||
version: "{{ .Values.charts.nubus.version }}"
|
||||
values:
|
||||
- "values-nubus.yaml.gotmpl"
|
||||
- "values-opendesk-customization.yaml.gotmpl"
|
||||
- "values-opendesk-images.yaml.gotmpl"
|
||||
{{ range .Values.customization.release.ums }}
|
||||
- {{ . }}
|
||||
{{ end }}
|
||||
|
||||
@@ -53,7 +53,7 @@ ics:
|
||||
secret: {{ .Values.secrets.intercom.secret | quote }}
|
||||
issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
|
||||
originRegex: "{{ .Values.global.domain }}"
|
||||
userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"opendesk_username"{{ end }}
|
||||
userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
|
||||
usernameClaim: "opendesk_username"
|
||||
keycloak:
|
||||
realm: {{ .Values.platform.realm | quote }}
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,728 +0,0 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
keycloak:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: false
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak"
|
||||
replicaCount: {{ .Values.replicas.keycloak }}
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
|
||||
|
||||
nubusGuardian:
|
||||
authorizationApi:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-guardian-authorization-api"
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
|
||||
managementApi:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-guardian-management-api"
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
|
||||
managementUi:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-guardian-management-ui"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
|
||||
openPolicyAgent:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "Always"
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
|
||||
replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
|
||||
resources:
|
||||
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
|
||||
provisioning:
|
||||
# Using openDesk keycloak provisioning
|
||||
enabled: false
|
||||
|
||||
nubusNotificationsApi:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-notifications-api"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
replicaCount: {{ .Values.replicas.umsNotificationsApi }}
|
||||
resources:
|
||||
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
|
||||
|
||||
nubusUmcServer:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-umc-server"
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
|
||||
containerSecurityContextInit:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
|
||||
containerSecurityContextSssd:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
add:
|
||||
- "DAC_OVERRIDE"
|
||||
- "SETGID"
|
||||
- "AUDIT_WRITE"
|
||||
- "SETUID"
|
||||
- "CHOWN"
|
||||
- "SETPCAP"
|
||||
- "FOWNER"
|
||||
- "FSETID"
|
||||
- "KILL"
|
||||
- "MKNOD"
|
||||
- "NET_BIND_SERVICE"
|
||||
- "SYS_CHROOT"
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
proxy:
|
||||
replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
|
||||
replicaCount: {{ .Values.replicas.umsUmcServer }}
|
||||
|
||||
resources:
|
||||
{{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
|
||||
selfService:
|
||||
passwordresetEmailBody: |
|
||||
Sehr geehrte Benutzerin, sehr geehrter Benutzer,
|
||||
|
||||
Ihr Benutzername für {domainname} lautet: {username}
|
||||
|
||||
Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
|
||||
|
||||
Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
|
||||
https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
|
||||
|
||||
Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
|
||||
https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
|
||||
|
||||
Mit freundlichen Grüßen
|
||||
Ihr {domainname} Passwort-Service
|
||||
|
||||
nubusKeycloakExtensions:
|
||||
enabled: true
|
||||
handler:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
|
||||
proxy:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
|
||||
|
||||
nubusPortalConsumer:
|
||||
portalConsumer:
|
||||
image:
|
||||
pullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-portal-consumer"
|
||||
replicaCount: {{ .Values.replicas.umsPortalConsumer }}
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
|
||||
resourcesWaitForDependency:
|
||||
{{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
|
||||
persistence:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
|
||||
{{- if .Values.certificate.selfSigned }}
|
||||
extraVolumes:
|
||||
- name: "trusted-cert-secret-volume"
|
||||
secret:
|
||||
secretName: "opendesk-certificates-ca-tls"
|
||||
items:
|
||||
- key: "ca.crt"
|
||||
path: "ca-certificates.crt"
|
||||
- key: "ca.crt"
|
||||
path: "cacert.pem"
|
||||
extraVolumeMounts:
|
||||
- name: "trusted-cert-secret-volume"
|
||||
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
||||
subPath: "ca-certificates.crt"
|
||||
waitForDependency:
|
||||
extraVolumeMounts:
|
||||
- name: "trusted-cert-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
||||
subPath: "ca-certificates.crt"
|
||||
- name: "trusted-cert-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
extraEnvVars:
|
||||
- name: "REQUESTS_CA_BUNDLE"
|
||||
value: "/etc/ssl/certs/ca-certificates.crt"
|
||||
- name: "DEFAULT_CA_BUNDLE_PATH"
|
||||
value: "/etc/ssl/certs/ca-certificates.crt"
|
||||
- name: "SSL_CERT_FILE"
|
||||
value: "/etc/ssl/certs/ca-certificates.crt"
|
||||
{{- end }}
|
||||
|
||||
nubusUdmListener:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 102
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsUdmListener }}
|
||||
resources:
|
||||
{{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
|
||||
|
||||
nubusPortalServer:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-portal-server"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
replicaCount: {{ .Values.replicas.umsPortalServer }}
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
|
||||
{{- if .Values.certificate.selfSigned }}
|
||||
extraVolumes:
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
secret:
|
||||
secretName: "opendesk-certificates-ca-tls"
|
||||
items:
|
||||
- key: "ca.crt"
|
||||
path: "ca-certificates.crt"
|
||||
- key: "ca.crt"
|
||||
path: "cacert.pem"
|
||||
extraVolumeMounts:
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
||||
subPath: "ca-certificates.crt"
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
- name: "trusted-cert-crt-secret-volume"
|
||||
readOnly: true
|
||||
mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
|
||||
subPath: "cacert.pem"
|
||||
{{- end }}
|
||||
|
||||
nubusLdapNotifier:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 101
|
||||
runAsGroup: 102
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-ldap-notifier"
|
||||
replicaCount: {{ .Values.replicas.umsLdapNotifier }}
|
||||
resources:
|
||||
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
|
||||
|
||||
nubusLdapServer:
|
||||
global:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
|
||||
replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
|
||||
replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-ldap-server"
|
||||
serviceAccount:
|
||||
create: true
|
||||
initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
|
||||
resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
|
||||
persistence:
|
||||
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
|
||||
size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
|
||||
extraVolumes:
|
||||
- name: "migration-scripts"
|
||||
secret:
|
||||
secretName: "ums-ldap-server-migration"
|
||||
defaultMode: 0555
|
||||
extraVolumeMounts:
|
||||
- name: "migration-scripts"
|
||||
mountPath: "/entrypoint.d/30-purge.sh"
|
||||
subPath: "30-purge.sh"
|
||||
- name: "migration-scripts"
|
||||
mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
|
||||
subPath: "95-slapadd-24-ldif.sh"
|
||||
extraSecrets:
|
||||
- name: "ums-ldap-server-migration"
|
||||
stringData:
|
||||
30-purge.sh: |
|
||||
#!/usr/bin/env bash
|
||||
me=$(basename "$0")
|
||||
echo "- Running ${me}"
|
||||
if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
|
||||
echo "- Cleaning up /var/lib/univention-ldap."
|
||||
cd /var/lib/univention-ldap
|
||||
rm -rf internal
|
||||
rm -rf ldap
|
||||
ls -l
|
||||
else
|
||||
echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
|
||||
fi
|
||||
95-slapadd-24-ldif.sh: |
|
||||
#!/usr/bin/env bash
|
||||
me=$(basename "$0")
|
||||
echo "- Running ${me}"
|
||||
ls -l /var/lib/univention-ldap
|
||||
if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
|
||||
echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
rm -rf /var/lib/univention-ldap/ldap
|
||||
rm -rf /var/lib/univention-ldap/internal
|
||||
echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
mkdir /var/lib/univention-ldap/ldap
|
||||
mkdir /var/lib/univention-ldap/internal
|
||||
echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
/usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
|
||||
echo "- slapadd executed"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
|
||||
echo "- import file renamed"
|
||||
ls -l /var/lib/univention-ldap/
|
||||
else
|
||||
echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
|
||||
fi
|
||||
nubusPortalFrontend:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-portal-frontend"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
create: true
|
||||
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
|
||||
resources:
|
||||
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
|
||||
portalFrontend:
|
||||
branding:
|
||||
css: {{ .Values.theme.styles.portal.main | toJson }}
|
||||
# Requires .ico, .svg does not work.
|
||||
favicon: {{ .Values.theme.imagery.portal.faviconIco | toJson }}
|
||||
# The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
|
||||
logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }}
|
||||
backgroundImage: {{ .Values.theme.imagery.portal.logoBackgroundSvg | toJson }}
|
||||
|
||||
nubusStackDataUms:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
|
||||
pullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-stack-data-ums"
|
||||
resources:
|
||||
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
|
||||
initResources:
|
||||
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
|
||||
|
||||
nubusSelfServiceConsumer:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-selfservice-listener"
|
||||
resources:
|
||||
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
|
||||
|
||||
nubusUdmRestApi:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-udm-rest-api"
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
serviceAccount:
|
||||
annotations:
|
||||
intended.usage: "compliance"
|
||||
resources:
|
||||
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
|
||||
initResources:
|
||||
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
|
||||
|
||||
nubusUmcGateway:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
replicaCount: {{ .Values.replicas.umsUmcGateway }}
|
||||
resources:
|
||||
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
|
||||
initResources:
|
||||
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
|
||||
|
||||
nubusKeycloakBootstrap:
|
||||
additionalAnnotations:
|
||||
argocd.argoproj.io/hook: "Sync"
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
|
||||
resources:
|
||||
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
|
||||
|
||||
nubusProvisioning:
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
replicaCount:
|
||||
dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
|
||||
udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
|
||||
prefill: {{ .Values.replicas.umsProvisioningPrefill }}
|
||||
api: {{ .Values.replicas.umsProvisioningApi }}
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
nats:
|
||||
config:
|
||||
cluster:
|
||||
replicas: {{ .Values.replicas.umsProvisioningNats }}
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
|
||||
persistence:
|
||||
size: {{ .Values.persistence.size.nubus.provisioningNats }}
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-nats"
|
||||
serviceAccount:
|
||||
create: true
|
||||
api:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-api"
|
||||
dispatcher:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-dispatcher"
|
||||
prefill:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-prefill"
|
||||
registerConsumers:
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
|
||||
podAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
|
||||
udmTransformer:
|
||||
resources:
|
||||
{{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
|
||||
additionalAnnotations:
|
||||
intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
|
||||
resources:
|
||||
registerConsumers:
|
||||
{{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
|
||||
@@ -1,266 +0,0 @@
|
||||
{{/*
|
||||
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/}}
|
||||
---
|
||||
global:
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
keycloak:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloak.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloak.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusKeycloakBootstrap:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusKeycloakExtensions:
|
||||
handler:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
proxy:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
|
||||
repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
|
||||
tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusLdapNotifier:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapNotifier.repository }}
|
||||
tag: {{ .Values.images.nubusLdapNotifier.tag }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusLdapServer:
|
||||
ldapServer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapServer.repository }}
|
||||
tag: {{ .Values.images.nubusLdapServer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
leaderElector:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }}
|
||||
tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
dhInitcontainer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
|
||||
tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusNotificationsApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNotificationsApi.repository }}
|
||||
tag: {{ .Values.images.nubusNotificationsApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusPortalFrontend:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
|
||||
repository: {{ .Values.images.nubusPortalFrontend.repository }}
|
||||
tag: {{ .Values.images.nubusPortalFrontend.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusPortalConsumer:
|
||||
portalConsumer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusPortalConsumer.repository }}
|
||||
tag: {{ .Values.images.nubusPortalConsumer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusPortalServer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusPortalServer.repository }}
|
||||
tag: {{ .Values.images.nubusPortalServer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusProvisioning:
|
||||
api:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
dispatcher:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
udmTransformer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
prefill:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
registerConsumers:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
nats:
|
||||
nats:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNats.repository }}
|
||||
tag: {{ .Values.images.nubusNats.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
reloader:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNatsReloader.repository }}
|
||||
tag: {{ .Values.images.nubusNatsReloader.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
natsBox:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
|
||||
repository: {{ .Values.images.nubusNatsBox.repository }}
|
||||
tag: {{ .Values.images.nubusNatsBox.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusProvisioningEventsAndConsumerApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusProvisioningPrefill:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUdmListener:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
|
||||
repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
|
||||
tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusSelfServiceConsumer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
|
||||
tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
waitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUdmRestApi:
|
||||
udmRestApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUdmRestApi.repository }}
|
||||
tag: {{ .Values.images.nubusUdmRestApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUmcGateway:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUmcGateway.repository }}
|
||||
tag: {{ .Values.images.nubusUmcGateway.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusUmcServer:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUmcServer.repository }}
|
||||
tag: {{ .Values.images.nubusUmcServer.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
proxy:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
|
||||
repository: {{ .Values.images.nubusUmcServerProxy.repository }}
|
||||
tag: {{ .Values.images.nubusUmcServerProxy.tag }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusWaitForDependency:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
tag: {{ .Values.images.nubusWaitForDependency.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
|
||||
nubusGuardian:
|
||||
provisioning:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
authorizationApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
managementApi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
managementUi:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
|
||||
repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
|
||||
tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
openPolicyAgent:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
|
||||
repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
|
||||
tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
|
||||
nubusStackDataUms:
|
||||
image:
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
|
||||
repository: {{ .Values.images.nubusDataLoader.repository }}
|
||||
tag: {{ .Values.images.nubusDataLoader.tag }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
@@ -30,7 +30,7 @@ config:
|
||||
{{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
|
||||
managed:
|
||||
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
|
||||
clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
|
||||
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
|
||||
keycloak:
|
||||
adminUser: "kcadmin"
|
||||
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
|
||||
@@ -442,34 +442,6 @@ config:
|
||||
included.client.audience: "opendesk-intercom"
|
||||
id.token.claim: false
|
||||
access.token.claim: true
|
||||
# temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
|
||||
# it to `opendesk_useruuid` standard claim. For reference:
|
||||
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
|
||||
- name: "entryuuid_temp"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "entryUUID"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "entryuuid"
|
||||
jsonType.label: "String"
|
||||
# temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
|
||||
# set it to `opendesk_username` standard claim. For reference:
|
||||
# https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
|
||||
- name: "phoenixusername_temp"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "uid"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "phoenixusername"
|
||||
jsonType.label: "String"
|
||||
- name: "opendesk_username"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
@@ -481,6 +453,17 @@ config:
|
||||
access.token.claim: true
|
||||
claim.name: "opendesk_username"
|
||||
jsonType.label: "String"
|
||||
- name: "opendesk_useruuid"
|
||||
protocol: "openid-connect"
|
||||
protocolMapper: "oidc-usermodel-attribute-mapper"
|
||||
consentRequired: false
|
||||
config:
|
||||
userinfo.token.claim: true
|
||||
user.attribute: "entryUUID"
|
||||
id.token.claim: true
|
||||
access.token.claim: true
|
||||
claim.name: "opendesk_useruuid"
|
||||
jsonType.label: "String"
|
||||
defaultClientScopes:
|
||||
- "offline_access"
|
||||
{{ if .Values.notes.enabled }}
|
||||
|
||||
@@ -23,9 +23,8 @@ image:
|
||||
repository: {{ .Values.images.oxConnector.repository | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
tag: {{ .Values.images.oxConnector.tag | quote }}
|
||||
|
||||
waitForDependency:
|
||||
registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
|
||||
repository: {{ .Values.images.nubusWaitForDependency.repository }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
pullSecrets:
|
||||
|
||||
@@ -10,6 +10,68 @@ global:
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
|
||||
assets:
|
||||
element:
|
||||
subdomain: {{ .Values.global.hosts.element }}
|
||||
paths:
|
||||
- path: "/vector-icons/favicon.........ico"
|
||||
data: {{ .Values.theme.imagery.chat.faviconIco }}
|
||||
jitsi:
|
||||
subdomain: {{ .Values.global.hosts.jitsi }}
|
||||
paths:
|
||||
- path: "/images/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.videoconference.faviconSvg }}
|
||||
keycloak:
|
||||
subdomain: {{ .Values.global.hosts.keycloak }}
|
||||
paths:
|
||||
- path: "/resources/...../login/UCS/img/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.login.faviconIco }}
|
||||
- path: "/static-files/login/logo.svg"
|
||||
data: {{ .Values.theme.imagery.login.logoSvg }}
|
||||
nextcloud:
|
||||
subdomain: {{ .Values.global.hosts.nextcloud }}
|
||||
paths:
|
||||
- path: "/core/img/favicon-touch.png"
|
||||
data: {{ .Values.theme.imagery.files.faviconPng }}
|
||||
- path: "/core/img/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.files.faviconIco }}
|
||||
notes:
|
||||
subdomain: {{ .Values.global.hosts.notes }}
|
||||
paths:
|
||||
- path: "/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.notes.faviconIco }}
|
||||
openproject:
|
||||
subdomain: {{ .Values.global.hosts.openproject }}
|
||||
paths:
|
||||
- path: "/custom_style/........../favicon/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.projects.faviconSvg }}
|
||||
openxchange:
|
||||
subdomain: {{ .Values.global.hosts.openxchange }}
|
||||
paths:
|
||||
- path: "/appsuite/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.groupware.faviconIco }}
|
||||
- path: "/appsuite/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.groupware.faviconSvg }}
|
||||
portal:
|
||||
subdomain: {{ .Values.global.hosts.nubus }}
|
||||
paths:
|
||||
- path: "/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.portal.faviconIco }}
|
||||
- path: "/static-files/portal/background.svg"
|
||||
data: {{ .Values.theme.imagery.portal.backgroundSvg }}
|
||||
- path: "/static-files/portal/waiting-spinner.svg"
|
||||
data: {{ .Values.theme.imagery.portal.waitingSpinnerSvg }}
|
||||
- path: "/static-files/login/background.jpg"
|
||||
data: {{ .Values.theme.imagery.login.backgroundJpg }}
|
||||
|
||||
xwiki:
|
||||
subdomain: {{ .Values.global.hosts.xwiki }}
|
||||
paths:
|
||||
- path: "/resources/icons/xwiki/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.knowledge.faviconSvg }}
|
||||
- path: "/resources/icons/xwiki/favicon16.png"
|
||||
data: {{ .Values.theme.imagery.knowledge.faviconPng }}
|
||||
|
||||
cleanup:
|
||||
deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
|
||||
deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
|
||||
@@ -54,59 +116,4 @@ resources:
|
||||
|
||||
service:
|
||||
type: "ClusterIP"
|
||||
|
||||
theme:
|
||||
imagery:
|
||||
assets:
|
||||
element:
|
||||
subdomain: {{ .Values.global.hosts.element }}
|
||||
paths:
|
||||
- path: "/vector-icons/favicon.........ico"
|
||||
data: {{ .Values.theme.imagery.chat.faviconIco }}
|
||||
jitsi:
|
||||
subdomain: {{ .Values.global.hosts.jitsi }}
|
||||
paths:
|
||||
- path: "/images/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.videoconference.faviconSvg }}
|
||||
keycloak:
|
||||
subdomain: {{ .Values.global.hosts.keycloak }}
|
||||
paths:
|
||||
- path: "/resources/...../login/UCS/img/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.portal.faviconIco }}
|
||||
nextcloud:
|
||||
subdomain: {{ .Values.global.hosts.nextcloud }}
|
||||
paths:
|
||||
- path: "/core/img/favicon-touch.png"
|
||||
data: {{ .Values.theme.imagery.files.faviconPng }}
|
||||
- path: "/core/img/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.files.faviconIco }}
|
||||
notes:
|
||||
subdomain: {{ .Values.global.hosts.notes }}
|
||||
paths:
|
||||
- path: "/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.notes.faviconIco }}
|
||||
openproject:
|
||||
subdomain: {{ .Values.global.hosts.openproject }}
|
||||
paths:
|
||||
- path: "/custom_style/........../favicon/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.projects.faviconSvg }}
|
||||
openxchange:
|
||||
subdomain: {{ .Values.global.hosts.openxchange }}
|
||||
paths:
|
||||
- path: "/appsuite/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.groupware.faviconIco }}
|
||||
- path: "/appsuite/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.groupware.faviconSvg }}
|
||||
portal:
|
||||
subdomain: {{ .Values.global.hosts.nubus }}
|
||||
paths:
|
||||
- path: "/favicon.ico"
|
||||
data: {{ .Values.theme.imagery.portal.faviconIco }}
|
||||
xwiki:
|
||||
subdomain: {{ .Values.global.hosts.xwiki }}
|
||||
paths:
|
||||
- path: "/resources/icons/xwiki/favicon.svg"
|
||||
data: {{ .Values.theme.imagery.knowledge.faviconSvg }}
|
||||
- path: "/resources/icons/xwiki/favicon16.png"
|
||||
data: {{ .Values.theme.imagery.knowledge.faviconPng }}
|
||||
...
|
||||
|
||||
@@ -256,7 +256,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
|
||||
name: "opendesk-nextcloud"
|
||||
version: "3.6.2"
|
||||
version: "3.7.0-trossner-notify-push"
|
||||
verify: true
|
||||
nextcloudManagement:
|
||||
# providerCategory: "Platform"
|
||||
@@ -266,7 +266,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
|
||||
name: "opendesk-nextcloud-management"
|
||||
version: "3.6.2"
|
||||
version: "3.7.0-trossner-notify-push"
|
||||
verify: true
|
||||
nginx:
|
||||
# providerCategory: "Community"
|
||||
@@ -318,7 +318,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
|
||||
name: "opendesk-alerts"
|
||||
version: "1.1.0"
|
||||
version: "1.1.1"
|
||||
verify: true
|
||||
opendeskDashboards:
|
||||
# providerCategory: "Platform"
|
||||
@@ -328,7 +328,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-dashboards"
|
||||
name: "opendesk-dashboards"
|
||||
version: "1.1.0"
|
||||
version: "1.1.1"
|
||||
verify: true
|
||||
opendeskKeycloakBootstrap:
|
||||
# providerCategory: "Platform"
|
||||
@@ -348,7 +348,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files"
|
||||
name: "opendesk-static-files"
|
||||
version: "3.0.1"
|
||||
version: "4.0.1"
|
||||
verify: true
|
||||
openproject:
|
||||
# providerCategory: "Supplier"
|
||||
|
||||
@@ -3,5 +3,5 @@
|
||||
---
|
||||
global:
|
||||
systemInformation:
|
||||
releaseVersion: "v1.1.0"
|
||||
releaseVersion: "v1.1.1"
|
||||
...
|
||||
|
||||
@@ -61,7 +61,7 @@ images:
|
||||
# upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
|
||||
tag: "1.11.4@sha256:bfb0ce4afe737e7b6a0404c9e3f2d8dbe341ce72a930d0d5173a0145729cf646"
|
||||
tag: "1.11.6@sha256:1ac5eeea24c5fbfdfeda44cb00651fa22864e26d8cb32add150c4bf1aea0fb36"
|
||||
freshclam:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -130,12 +130,12 @@ images:
|
||||
tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
|
||||
jitsiPatchJVB:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "Nordeck"
|
||||
# providerResponsible: "openDesk"
|
||||
# upstreamRegistry: "https://registry-1.docker.io"
|
||||
# upstreamRepository: "bitnami/kubectl"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "bitnami/kubectl"
|
||||
tag: "1.31.3@sha256:e90b9642d3daeabcfe73cf9aadcbbc624d1de7f88185095307c785f1c266bdb9"
|
||||
tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
|
||||
jvb:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -243,7 +243,7 @@ images:
|
||||
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
|
||||
tag: "2.3.4@sha256:46c596818861486ee621cf8a454c2539a4e230e58b1aebb5735022de849de8e6"
|
||||
tag: "2.4.0-trossner-notify-push@sha256:bce12f88cdabc2c5fa81cc4d4dfe7c59e999868f99b2da1f76061dbc2ed55a08"
|
||||
nextcloudExporter:
|
||||
# providerCategory: "Platform"
|
||||
# providerResponsible: "openDesk"
|
||||
@@ -453,7 +453,7 @@ images:
|
||||
# upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
|
||||
tag: "1.9.0@sha256:1a84ae2f21849934d3ff24c066fce21c4bc811521b615cc0071432d3fb1848c1"
|
||||
tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
|
||||
nubusOpenPolicyAgent:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Univention"
|
||||
@@ -833,7 +833,7 @@ images:
|
||||
# upstreamMirrorStartFrom: ["1", "91", "2"]
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
|
||||
tag: "v1.120.2@sha256:daee887fa4ca6370e297439bb33a61896ff3413c9454540446a94e461f097d33"
|
||||
tag: "v1.121.1@sha256:5d8081b6004eb115635334dbc1ec2f87318f19d5ad0e7c62f7476d4cc16de277"
|
||||
synapseCreateUser:
|
||||
# providerCategory: "Community"
|
||||
# providerResponsible: "Nordeck"
|
||||
@@ -841,7 +841,7 @@ images:
|
||||
# upstreamRepository: "alpine/k8s"
|
||||
registry: "registry-1.docker.io"
|
||||
repository: "alpine/k8s"
|
||||
tag: "1.31.3@sha256:77812543abe5649b286d5f0dc17a7dbaa4056433225f6f695150f329cb4b6803"
|
||||
tag: "1.32.0@sha256:6d49f7f37ae5f4c07bfe46edb44e3d3b6896974d1b87da76d8aa8d6e23b4d619"
|
||||
synapseGuestModule:
|
||||
# providerCategory: "Supplier"
|
||||
# providerResponsible: "Nordeck"
|
||||
|
||||
@@ -154,6 +154,8 @@ replicas:
|
||||
nextcloud: 1
|
||||
# -- scalable: true
|
||||
nextcloudExporter: 1
|
||||
# -- scalable: tbd
|
||||
nextcloudPushNotify: 1
|
||||
|
||||
# -- component: openDesk Static Files
|
||||
# -- scalable: true
|
||||
|
||||
@@ -239,6 +239,13 @@ resources:
|
||||
requests:
|
||||
cpu: 0.1
|
||||
memory: "512Mi"
|
||||
nextcloudPushNotify:
|
||||
limits:
|
||||
cpu: 99
|
||||
memory: "128Mi"
|
||||
requests:
|
||||
cpu: 0.01
|
||||
memory: "32Gi"
|
||||
nextcloudExporter:
|
||||
limits:
|
||||
cpu: 99
|
||||
|
||||
@@ -7,22 +7,20 @@ SPDX-License-Identifier: Apache-2.0
|
||||
secrets:
|
||||
oxAppSuite:
|
||||
adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
|
||||
migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
|
||||
basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
|
||||
cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
|
||||
sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
|
||||
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
|
||||
hzGroupPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "hz_group_password" | sha1sum | quote }}
|
||||
jolokiaPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "jolokia_password" | sha1sum | quote }}
|
||||
migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
|
||||
oxguardMC: {{ printf "MC%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "oxguardMC" | sha1sum | trunc 20 | b64enc) | quote }}
|
||||
oxguardRC: {{ printf "RC%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "oxguardRC" | sha1sum | trunc 20 | b64enc) | quote }}
|
||||
hzGroupPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "hz_group_password" | sha1sum | quote }}
|
||||
basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
|
||||
jolokiaPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "jolokia_password" | sha1sum | quote }}
|
||||
cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
|
||||
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
|
||||
sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
|
||||
shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
|
||||
synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
|
||||
oxConnector:
|
||||
provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
|
||||
nubus:
|
||||
masterpassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
|
||||
ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
|
||||
ldapSearch:
|
||||
keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
|
||||
@@ -82,7 +80,6 @@ secrets:
|
||||
dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }}
|
||||
intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
|
||||
matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
|
||||
notes: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "notes_client_secret" | sha1sum | quote }}
|
||||
jitsi: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum | quote }}
|
||||
ncoidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum | quote }}
|
||||
openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum | quote }}
|
||||
|
||||
@@ -6,4 +6,11 @@ technical:
|
||||
collabora:
|
||||
# Defines the value for the start parameter `-o:num_prespawn_children`
|
||||
numPrespawnChildren: 4
|
||||
# Nextcloud related technical settings
|
||||
nextcloud:
|
||||
# Client push / push-notify app related settings.
|
||||
# Ref.: https://apps.nextcloud.com/apps/notify_push
|
||||
pushNotify:
|
||||
# Enable the feature
|
||||
enabled: true
|
||||
...
|
||||
|
||||
@@ -49,6 +49,11 @@ theme:
|
||||
faviconIco: {{ readFile "./../../files/theme/files/favicon.ico" | b64enc | quote }}
|
||||
faviconPng: {{ readFile "./../../files/theme/files/favicon.png" | b64enc | quote }}
|
||||
|
||||
login:
|
||||
faviconIco: {{ readFile "./../../files/theme/login/favicon.ico" | b64enc | quote }}
|
||||
backgroundJpg: {{ readFile "./../../files/theme/login/background.jpg" | b64enc | quote }}
|
||||
logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}
|
||||
|
||||
groupware:
|
||||
faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
|
||||
faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
|
||||
@@ -62,8 +67,8 @@ theme:
|
||||
|
||||
portal:
|
||||
faviconIco: {{ readFile "./../../files/theme/portal/favicon.ico" | b64enc | quote }}
|
||||
waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waitingSpinner.svg" | b64enc }}
|
||||
logoBackgroundSvg: {{ readFile "./../../files/theme/empty.svg" | b64enc | quote }}
|
||||
waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc }}
|
||||
backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
|
||||
portalTiles:
|
||||
adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
|
||||
adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
|
||||
|
||||
BIN
helmfile/files/theme/login/background.jpg
Normal file
BIN
helmfile/files/theme/login/background.jpg
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 100 KiB |
BIN
helmfile/files/theme/login/favicon.ico
Normal file
BIN
helmfile/files/theme/login/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
|
Before Width: | Height: | Size: 3.5 KiB After Width: | Height: | Size: 3.5 KiB |
|
Before Width: | Height: | Size: 100 B After Width: | Height: | Size: 100 B |
File diff suppressed because one or more lines are too long
|
Before Width: | Height: | Size: 707 B After Width: | Height: | Size: 707 B |
Reference in New Issue
Block a user