mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 15:31:38 +01:00
Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
45b924e8fa | ||
|
|
9446faaa59 | ||
|
|
17efbd79f1 | ||
|
|
d794a2036e | ||
|
|
7414f05005 | ||
|
|
3d80c7e2b1 | ||
|
|
d74742808c | ||
|
|
861b84b14d |
@@ -232,8 +232,8 @@ variables:
|
||||
extends: ".environments"
|
||||
environment:
|
||||
name: "${NAMESPACE}"
|
||||
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.1.0\
|
||||
@sha256:74f349066ac5d20e3afaa6abd28781b4c8dc086f67e3d3c1b8345e4a9c3371b1"
|
||||
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.3.1\
|
||||
@sha256:de527f493044f06009045c369be831ababbc8dd74adaa378613c5acb1e654959"
|
||||
script:
|
||||
- "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
|
||||
# MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
|
||||
@@ -769,6 +769,17 @@ avscan-prepare:
|
||||
stage: "scan"
|
||||
image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/clamav-imagescan:1.0.0"
|
||||
before_script:
|
||||
- "mkdir -p ~/.docker"
|
||||
- |
|
||||
cat << EOF > ~/.docker/config.json
|
||||
{
|
||||
"auths": {
|
||||
"$CI_REGISTRY": {
|
||||
"auth": "$(printf %s:%s ${CI_REGISTRY_USER} ${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
- "sed -i \"/^DatabaseMirror .*$/c DatabaseMirror ${DATABASE_MIRROR}\" /etc/clamav/freshclam.conf"
|
||||
- "freshclam"
|
||||
- "mkdir /scan"
|
||||
|
||||
11
CHANGELOG.md
11
CHANGELOG.md
@@ -1,3 +1,14 @@
|
||||
## [1.3.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.3.0...v1.3.1) (2025-04-24)
|
||||
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* **ci:** Update Helm to v3.17.3 ([9446faa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9446faaa597777e9fb15d33953e02fdbfef646b2))
|
||||
* **ci:** Update Helm to v3.17.3 ([d794a20](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d794a2036ed6543bf89a0b661cc8a4c8a383a5f0))
|
||||
* **docs:** Update "Ingress controller" section and add footnote on volume provisioner in `requirements.md` ([17efbd7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/17efbd79f177f635885735823696a6e50b919d3e))
|
||||
* **helmfile:** Conditional templating of additional annotations in selected components to unblock openDesk deployment despite a bug in Helm 3.17 (https://github.com/helm/helm/issues/30587) ([861b84b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/861b84b14de9fb42c483f3ddb9e083305750d137))
|
||||
* **postfix:** Disable unauthenticated relaying of mails in `postfix-ox` ([7414f05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7414f05005e019f2121e8458fe63e795819fe92c))
|
||||
|
||||
# [1.3.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.2.1...v1.3.0) (2025-04-22)
|
||||
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
<!--
|
||||
SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
||||
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
-->
|
||||
@@ -12,6 +13,8 @@ This section covers the internal system requirements and external service requir
|
||||
* [Hardware](#hardware)
|
||||
* [Kubernetes](#kubernetes)
|
||||
* [Ingress controller](#ingress-controller)
|
||||
* [Supported controllers](#supported-controllers)
|
||||
* [Minimal configuration](#minimal-configuration)
|
||||
* [Volume provisioner](#volume-provisioner)
|
||||
* [Certificate management](#certificate-management)
|
||||
* [External services](#external-services)
|
||||
@@ -25,15 +28,13 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
|
||||
|
||||
- K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
|
||||
- Domain and DNS Service
|
||||
- Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases) - tested with v1.11.1 up to v1.11.5
|
||||
- **Important Note**: We are working on support for more recent versions, but please ensure to use at least 1.11.5 due to ["security issues"](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities) in earlier versions.
|
||||
- Ingress-NGINX introduced new security defaults in version 1.12.0, which are currently not compatible with openDesk. While we are working to adhere to these defaults, you can find additional information below on how to configure Ingress-NGINX >= 1.12.0 to be compatible with openDesk.
|
||||
- Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
|
||||
- [Helm](https://helm.sh/) >= v3.9.0
|
||||
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
|
||||
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0-rc8
|
||||
- [HelmDiff](https://github.com/databus23/helm-diff) >= v3.6.0
|
||||
- Volume provisioner supporting RWO (read-write-once)
|
||||
- Volume provisioner supporting RWO (read-write-once)[^1]
|
||||
- Certificate handling with [cert-manager](https://cert-manager.io/)
|
||||
- [OpenKruise](https://openkruise.io/)[^1] >= v1.6
|
||||
- [OpenKruise](https://openkruise.io/)[^2] >= v1.6
|
||||
|
||||
# Hardware
|
||||
|
||||
@@ -60,21 +61,33 @@ The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/
|
||||
The deployment is intended to be used only over HTTPS via a configured FQDN, therefore it is required to have a properly
|
||||
configured ingress controller deployed in your cluster.
|
||||
|
||||
**Supported controllers:**
|
||||
## Supported controllers
|
||||
|
||||
- [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
|
||||
|
||||
> **Note**<br>
|
||||
> The platform development team is evaluating the use of [Gateway API](https://gateway-api.sigs.k8s.io/).
|
||||
|
||||
**Compatibility with Ingress NGINX >= 1.12.0**
|
||||
|
||||
With the release 1.12.0 Ingress NGINX introduced new security default settings, which are incompatible with current openDesk releases. If you want to use Ingress-NGINX >= 1.12.0 the following settings have to be set
|
||||
- The annotation risk level has to be set to `critical`. See the [documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotations-risk-level) for details.
|
||||
- Strict path type validation has to be disabled. See the [documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) for details.
|
||||
With the release 1.12.0 Ingress NGINX introduced new security default settings, which are incompatible with current openDesk releases. If you want to use Ingress-NGINX >= 1.12.0 the following settings have to be set:
|
||||
```
|
||||
controller.config.annotations-risk-level=Critical
|
||||
controller.config.strict-validate-path-type=false
|
||||
```
|
||||
See the [`annotations-risk-level` documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotations-risk-level) and [`strict-validate-path-type` documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) for details.
|
||||
|
||||
> **Important Note**<br>
|
||||
> Ensure to install at least Ingress NGINX 1.12.1 due to ["security issues"](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities) in 1.12.0.
|
||||
> Ensure to install at least Ingress NGINX 1.11.5 or 1.12.1 due to [security issues](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities) in earlier versions.
|
||||
|
||||
## Minimal configuration
|
||||
|
||||
> **Note**<br>
|
||||
> The platform development team is evaluating the use of [Gateway API](https://gateway-api.sigs.k8s.io/). If you can provide input on that topic, please get in contact with us.
|
||||
Several components in openDesk make use of snippet annotations, which are disabled by default. Please enable them using the following configuration:
|
||||
```
|
||||
controller.allowSnippetAnnotations=true
|
||||
controller.admissionWebhooks.allowSnippetAnnotations=true
|
||||
```
|
||||
See the [`allowSnippetAnnotations` documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations) for context.
|
||||
|
||||
# Volume provisioner
|
||||
|
||||
@@ -122,4 +135,6 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
|
||||
|
||||
# Footnotes
|
||||
|
||||
[^1]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
|
||||
[^1]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail.
|
||||
|
||||
[^2]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
|
||||
|
||||
@@ -10,9 +10,10 @@ global:
|
||||
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
||||
imagePullSecrets:
|
||||
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
||||
{{- if .Values.annotations.jitsiGlobal.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiGlobal.pod | toYaml | nindent 4}}
|
||||
|
||||
{{- end }}
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
enabled: true
|
||||
@@ -78,10 +79,12 @@ jitsi:
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
ingress:
|
||||
enabled: {{ .Values.ingress.enabled }}
|
||||
{{- if .Values.annotations.jitsiWeb.ingress }}
|
||||
annotations:
|
||||
{{- with .Values.annotations.jitsiWeb.ingress }}
|
||||
{{ . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
hosts:
|
||||
- host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
||||
@@ -109,8 +112,10 @@ jitsi:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
|
||||
{{- if .Values.annotations.jitsiWeb.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiWeb.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
prosody:
|
||||
image:
|
||||
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
|
||||
@@ -160,8 +165,10 @@ jitsi:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
|
||||
{{- if .Values.annotations.jitsiProsody.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiProsody.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
jicofo:
|
||||
replicaCount: {{ .Values.replicas.jicofo }}
|
||||
image:
|
||||
@@ -185,8 +192,10 @@ jitsi:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
|
||||
{{- if .Values.annotations.jitsiJicofo.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiJicofo.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
jigasi:
|
||||
replicaCount: {{ .Values.replicas.jigasi }}
|
||||
enabled: {{ .Values.sip.jigasi.enabled }}
|
||||
@@ -216,8 +225,10 @@ jitsi:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
|
||||
{{- if .Values.annotations.jitsiJigasi.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiJigasi.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
jvb:
|
||||
replicaCount: {{ .Values.replicas.jvb }}
|
||||
# The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
|
||||
@@ -234,8 +245,10 @@ jitsi:
|
||||
{{ .Values.resources.jvb | toYaml | nindent 6 }}
|
||||
service:
|
||||
type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
|
||||
{{- if .Values.annotations.jitsiJvb.service }}
|
||||
annotations:
|
||||
{{ .Values.annotations.jitsiJvb.service | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities: {}
|
||||
@@ -248,14 +261,18 @@ jitsi:
|
||||
type: "RuntimeDefault"
|
||||
seLinuxOptions:
|
||||
{{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
|
||||
{{- if .Values.annotations.jitsiJvb.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiJvb.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
metrics:
|
||||
prometheusAnnotations:
|
||||
{{ .Values.annotations.jitsiJvb.metricsPrometheus | toYaml | nindent 8 }}
|
||||
{{- if .Values.annotations.jitsiJvb.metricsGrafana }}
|
||||
grafanaDashboards:
|
||||
annotations:
|
||||
{{ .Values.annotations.jitsiJvb.metricsGrafana | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
jibri:
|
||||
replicaCount: {{ .Values.replicas.jibri }}
|
||||
image:
|
||||
@@ -272,16 +289,19 @@ jitsi:
|
||||
# Chart does not allow to template more
|
||||
capabilities:
|
||||
add: ["SYS_ADMIN"]
|
||||
{{- if .Values.annotations.jitsiJibri.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsiJibri.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.annotations.jitsi.serviceAccount }}
|
||||
serviceAccount:
|
||||
annotations:
|
||||
{{ .Values.annotations.jitsi.serviceAccount | toYaml | nindent 6 }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
patchJVB:
|
||||
configuration:
|
||||
@@ -308,8 +328,10 @@ patchJVB:
|
||||
repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
|
||||
tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
|
||||
|
||||
{{- if .Values.annotations.jitsi.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.jitsi.pod | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
|
||||
|
||||
|
||||
@@ -628,8 +628,10 @@ appsuite:
|
||||
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
|
||||
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
|
||||
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
||||
{{- if .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
redis: *redisConfiguration
|
||||
replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
|
||||
resources:
|
||||
@@ -718,8 +720,10 @@ appsuite:
|
||||
endpoint: "."
|
||||
accessKey: "."
|
||||
secretKey: "."
|
||||
{{- if .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod }}
|
||||
podAnnotations:
|
||||
{{ .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
redis: *redisConfiguration
|
||||
replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
|
||||
resources:
|
||||
|
||||
@@ -57,7 +57,7 @@ postfix:
|
||||
{{- end }}
|
||||
rspamdHost: ""
|
||||
relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
|
||||
relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
|
||||
allowRelayNets: false
|
||||
smtpSASLAuthEnable: "yes"
|
||||
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
|
||||
smtpTLSSecurityLevel: "encrypt"
|
||||
|
||||
@@ -66,6 +66,7 @@ postfix:
|
||||
rspamdHost: ""
|
||||
relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
|
||||
relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
|
||||
allowRelayNets: true
|
||||
smtpSASLAuthEnable: "yes"
|
||||
smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
|
||||
smtpTLSSecurityLevel: "encrypt"
|
||||
|
||||
@@ -419,7 +419,7 @@ charts:
|
||||
registry: "registry.opencode.de"
|
||||
repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
|
||||
name: "postfix"
|
||||
version: "3.0.0"
|
||||
version: "3.0.1"
|
||||
verify: true
|
||||
postgresql:
|
||||
# providerCategory: "Platform"
|
||||
|
||||
@@ -3,5 +3,5 @@
|
||||
---
|
||||
global:
|
||||
systemInformation:
|
||||
releaseVersion: "v1.3.0"
|
||||
releaseVersion: "v1.3.1"
|
||||
...
|
||||
|
||||
@@ -22,8 +22,8 @@ name: "openDesk"
|
||||
platforms:
|
||||
- "web"
|
||||
developmentStatus: "stable"
|
||||
softwareVersion: "1.3.0"
|
||||
releaseDate: "2025-04-22"
|
||||
softwareVersion: "1.3.1"
|
||||
releaseDate: "2025-04-23"
|
||||
softwareType: "standalone/web"
|
||||
url: "https://gitlab.opencode.de/bmi/opendesk/"
|
||||
logo: "openDesk-logo-rgb-color.svg"
|
||||
|
||||
Reference in New Issue
Block a user