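# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0

---
# Values for the "ums-stack-gateway" release: one nginx reverse proxy that
# fronts all UMS components. The routing itself is defined in "serverBlock".

global:
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

fullnameOverride: "ums-stack-gateway"

image:
  # A globally configured registry takes precedence over the per-image one.
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
  repository: {{ .Values.images.umsStackGateway.repository | quote }}
  tag: {{ .Values.images.umsStackGateway.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

ingress:
  annotations:
    # Ensure that the ingress controller can handle responses with plenty of
    # headers. This is a requirement from the UDM Rest API.
    # NOTE(review): the "nginx.org/*" annotation prefix is the one read by
    # NGINX Inc.'s kubernetes-ingress controller; the community ingress-nginx
    # controller expects "nginx.ingress.kubernetes.io/*" instead. Keep these in
    # line with the controller selected through "ingressClassName".
    nginx.org/proxy-buffer-size: "64k"
    nginx.org/proxy-buffers: "4 128k"
  enabled: {{ .Values.ingress.enabled }}
  # The chart's own "tls" section stays off; the certificate is attached via
  # "extraTls" so that the shared secret name from the values is used.
  extraTls:
    - hosts:
        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls: false

podSecurityContext:
  enabled: true
  fsGroup: 1001

containerSecurityContext:
  enabled: true
  runAsUser: 1001
  # NOTE(review): the primary group is GID 0 while the user is non-root. This
  # grants no extra privileges by itself, but it is what group-writable files
  # in the image are accessible through; confirm it is required by the image.
  runAsGroup: 0
  runAsNonRoot: true
  privileged: false
  # NOTE(review): left writable, presumably because nginx needs writable
  # cache/pid/temp directories. A read-only root filesystem with emptyDir
  # mounts for those paths would be the tighter setting — verify with the image.
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  # Rendered through toYaml/nindent like "imagePullSecrets" above: a bare
  # {{ ... }} prints a mapping value in Go's "map[...]" form, which is not
  # valid YAML for this key. An empty/null value still renders as null.
  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}

service:
  # Only reachable in-cluster; external traffic enters through the ingress.
  type: "ClusterIP"

serviceAccount:
  create: true
  fullnameOverride: "ums-stack-gateway"

# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.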
serverBlock: |
  # Reverse-proxy routing table for the UMS components. Upstreams are addressed
  # by their in-cluster Service names; TLS is not terminated here but by the
  # ingress in front of this gateway.
  server {
    # Unprivileged port, in line with the non-root container security context.
    listen 8080;

    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): X-Forwarded-Host/-Port/-Proto are copied verbatim from the
    # incoming request. They are only trustworthy if every path to this gateway
    # passes through the ingress controller that sets them; a client that can
    # reach the ClusterIP service directly can supply arbitrary values and the
    # upstreams will treat them as if the ingress had set them.
    proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

    ## portal-frontend
    # The frontend does not own "/univention/portal" nor
    # "/univention/selfservice", only these two bits
    # Note on the rewrite/proxy_pass pairs below: after a "rewrite ... break"
    # nginx passes the rewritten URI to the upstream as-is and ignores any URI
    # part given on proxy_pass, so the "/univention/<app>" prefix is stripped.
    location = /univention/portal/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }
    location = /univention/portal/index.html {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }
    location = /univention/selfservice/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }
    # The following prefixes are owned by the frontend
    location /univention/portal/css/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/portal/fonts/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/portal/i18n/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/portal/media/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/portal/js/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/portal/oidc/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/css/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/fonts/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/i18n/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/media/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/js/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/oidc/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }

    ## frontend redirects
    # "absolute_redirect off" keeps the Location header relative, so the
    # internal listen host/port of this gateway is never exposed to clients.
    location = / {
      absolute_redirect off;
      return 302 /univention/portal/;
    }
    location = /univention {
      absolute_redirect off;
      return 302 /univention/portal/;
    }
    location = /univention/ {
      absolute_redirect off;
      return 302 /univention/portal/;
    }
    location = /univention/portal {
      absolute_redirect off;
      return 302 /univention/portal/;
    }
    location = /univention/selfservice {
      absolute_redirect off;
      return 302 /univention/selfservice/;
    }

    ## portal-server
    # Exact matches only; the portal server is not reachable under any other path.
    location = /univention/portal/portal.json {
      proxy_pass http://ums-portal-server:80;
    }
    location = /univention/selfservice/portal.json {
      proxy_pass http://ums-portal-server:80;
    }
    location = /univention/portal/navigation.json {
      proxy_pass http://ums-portal-server:80;
    }

    ## object storage (minio)
    # The rewrite pins the upstream path to the "ums/portal-assets" prefix, so
    # only that part of the object store is reachable through the gateway.
    # These prefixes are longer than "/univention/portal/icons/" below and
    # therefore win nginx's longest-prefix match for entries/ and logos/.
    location /univention/portal/icons/entries/ {
      rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
      proxy_pass http://minio:9000;
    }
    location /univention/portal/icons/logos/ {
      rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
      proxy_pass http://minio:9000;
    }
    location /univention/selfservice/icons/entries/ {
      rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
      proxy_pass http://minio:9000;
    }
    location /univention/selfservice/icons/logos/ {
      rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
      proxy_pass http://minio:9000;
    }

    ## udm-rest-api
    location /univention/udm/ {
      # The UDM Rest API does return on some endpoints a lot of headers
      # (these mirror the proxy-buffer ingress annotations in the values).
      proxy_busy_buffers_size 128k;
      proxy_buffers 4 128k;
      proxy_buffer_size 64k;
      rewrite ^/univention(/udm/.*)$ $1 break;
      proxy_pass http://ums-udm-rest-api:80;
    }

    ## umc-gateway
    location = /univention/languages.json {
      proxy_pass http://ums-umc-gateway:80;
    }
    location = /univention/meta.json {
      proxy_pass http://ums-umc-gateway:80;
    }
    location = /univention/theme.css {
      proxy_pass http://ums-umc-gateway:80;
    }
    location /univention/js/ {
      proxy_pass http://ums-umc-gateway:80;
    }
    location /univention/login/ {
      proxy_pass http://ums-umc-gateway:80;
    }
    location /univention/management/ {
      proxy_pass http://ums-umc-gateway:80;
    }
    location /univention/themes/ {
      proxy_pass http://ums-umc-gateway:80;
    }

    ## umc-server
    # The prefixes without a trailing slash (/logout, /get, /set, /command,
    # /upload) also match e.g. "/univention/getfoo"; the rewrite forwards such
    # paths unchanged and leaves it to the UMC server to reject them.
    location = /univention/auth {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
      # NOTE(review): a location that defines its own proxy_set_header does not
      # inherit the server-level proxy_set_header directives, so this location
      # (and /univention/saml below) forwards neither Host nor X-Forwarded-*;
      # Host falls back to nginx's default ($proxy_host). Confirm this is
      # intended, otherwise repeat the server-level headers here. The literal
      # 'on' also tells the UMC server the client connection is HTTPS regardless
      # of the real X-Forwarded-Proto, i.e. it assumes a TLS-only public endpoint.
      proxy_set_header X-UMC-HTTPS 'on';
    }
    location /univention/logout {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
    location /univention/saml {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
      # See the note on /univention/auth: this disables header inheritance.
      proxy_set_header X-UMC-HTTPS 'on';
    }
    location /univention/get {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
    location /univention/set {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
    location /univention/command {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
    location /univention/upload {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }

    ## notifications-api
    location /univention/portal/notifications-api/ {
      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
      proxy_pass http://ums-notifications-api:80;
    }

    ## openDesk branding
    # NOTE(review): with an exact-match location and a proxy_pass URI of "/",
    # nginx replaces the matched "/favicon.ico" with "/", so the upstream is
    # asked for "/" rather than for the icon. If the favicon should be fetched
    # under its own path, drop the trailing slash from proxy_pass — verify
    # what the frontend actually serves at "/".
    location = /favicon.ico {
      proxy_pass http://ums-portal-frontend:80/;
    }
    location /univention/portal/custom/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }
    # Catches every icon path not claimed by the longer minio prefixes above.
    location /univention/portal/icons/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }

    ## ums-provisioning
    location /univention/provisioning-api/ {
      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
    }

    ## guardian
    # No rewrite here: the UI and the two APIs are served under the same path
    # on their upstreams, so the full URI is passed through.
    location /univention/guardian/management-ui {
      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
    }
    location /guardian/opa {
      rewrite ^/guardian/opa(/.*)$ $1 break;
      # NOTE(review): this exposes the root of OPA's REST API — including its
      # policy and data management endpoints — through the public ingress.
      # Verify that OPA runs with its authorization policy enabled, or narrow
      # this location to the query endpoints the Guardian actually needs.
      proxy_pass http://ums-open-policy-agent:80/;
    }
    location /guardian/management {
      proxy_pass http://ums-guardian-management-api:80/guardian/management;
    }
    location /guardian/authorization {
      proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
    }
  }
...