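# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# Helm values template for the nubus intercom-service sub-chart. Every templated
# scalar is passed through `quote` so that empty, numeric- or boolean-looking
# values stay strings after rendering; structured values use `toYaml | nindent`.
additionalAnnotations: {{ .Values.annotations.nubusIntercomService.additional | toYaml | nindent 2 }}

# Hardened container security context: no privilege escalation, all
# capabilities dropped, non-root UID/GID, read-only root filesystem and the
# runtime default seccomp profile.
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}

{{- if .Values.certificate.selfSigned }}
# With a self-signed platform certificate the CA bundle is mounted over the
# system trust store so outbound TLS to the other opendesk services validates.
extraVolumes:
  - name: "trusted-cert-secret-volume"
    secret:
      secretName: "opendesk-certificates-ca-tls"
      items:
        - key: "ca.crt"
          path: "ca-certificates.crt"
extraVolumeMounts:
  - name: "trusted-cert-secret-volume"
    mountPath: "/etc/ssl/certs/ca-certificates.crt"
    subPath: "ca-certificates.crt"
{{- end }}

extraEnvVars:
  - name: "REDIS_USER"
    # Kubernetes env values must be strings; `quote` keeps an empty or
    # number-like username from rendering as null/int.
    value: {{ .Values.cache.intercomService.username | quote }}
{{- if .Values.certificate.selfSigned }}
  - name: "NODE_EXTRA_CA_CERTS"
    value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}

global:
  domain: {{ .Values.global.domain | quote }}
  hosts: {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

ics:
  session:
    secret: {{ .Values.secrets.intercom.secret | quote }}
    issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
    # NOTE(review): the domain is inserted verbatim into a regex, so its dots
    # are unescaped metacharacters and the pattern is not anchored here —
    # confirm how the consumer matches origins against this value.
    originRegex: "{{ .Values.global.domain }}"
    enableSessionCookie: true
    # The claim used as the stable user identifier depends on whether the
    # Matrix localpart is derived from the immutable UUID or the username.
    userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
    usernameClaim: "opendesk_username"
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
    default:
      domain: {{ .Values.global.domain | quote }}
    oidc:
      id: "opendesk-intercom"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
  matrix:
    subdomain: {{ .Values.global.hosts.synapse | quote }}
    serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
    auth:
      applicationServiceSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
    nordeck:
      subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
  portal:
    auth:
      sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  redis:
    host: {{ .Values.cache.intercomService.host | quote }}
    port: {{ .Values.cache.intercomService.port }}
    auth:
      # Falls back to the shared Redis password when no service-specific one is set.
      password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
  openxchange:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    audience: "opendesk-oxappsuite"
  xwiki:
    subdomain: {{ .Values.global.hosts.xwiki | quote }}
    audience: "opendesk-xwiki"
  nextcloud:
    origin: {{ .Values.global.hosts.nextcloud | quote }}
    subdomain: {{ .Values.global.hosts.nextcloud | quote }}
    audience: "opendesk-nextcloud"

image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  # First non-empty of: opencode.de mirror, global registry override, chart default.
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}

ingress:
  host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations: {{ .Values.annotations.nubusIntercomService.ingress | toYaml | nindent 4 }}

podAnnotations:
  intents.otterize.com/service-name: "intercom-service"
  {{- with .Values.annotations.nubusIntercomService.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}

podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"

provisioning:
  # intercom OIDC client is created by opendesk-keycloak-bootstrap, as we have control over the
  # client's claims this way.
  enabled: false
  config:
    clientBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
    keycloak:
      realm: {{ .Values.platform.realm | quote }}
      connection:
        # Plain in-cluster HTTP to the Keycloak service; only relevant if
        # provisioning is re-enabled above.
        protocol: "http"
        host: "ums-keycloak"
        port: 8080
      auth:
        username: "kcadmin"
        existingSecret:
          name: "ums-opendesk-keycloak-credentials"
          keyMapping:
            password: "admin_password"
            # NOTE(review): the nesting of `key` relative to `keyMapping` was
            # ambiguous in the collapsed source — confirm against the sub-chart schema.
            key: "admin_password"
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository | quote }}
    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
  provisioningImage:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
  resources: {{ .Values.resources.intercomService | toYaml | nindent 4 }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.intercom | toYaml | nindent 6 }}

replicaCount: {{ .Values.replicas.intercomService }}

resources: {{ .Values.resources.intercomService | toYaml | nindent 2 }}

service:
  annotations: {{ .Values.annotations.nubusIntercomService.service | toYaml | nindent 4 }}

serviceAccount:
  annotations: {{ .Values.annotations.nubusIntercomService.serviceAccount | toYaml | nindent 4 }}
...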