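{{/*
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
# Values for the XWiki chart, rendered from the platform-wide .Values.
image:
  # First non-empty registry wins: opencode.de mirror, global override, per-image default.
  name: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.xwiki.registry }}/{{ .Values.images.xwiki.repository }}"
  tag: {{ .Values.images.xwiki.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Rendered with toYaml so a list (or list of maps) stays valid YAML; a plain
# {{ .Values.global.imagePullSecrets }} would emit Go's "[a b]" / "[map[...]]" text form.
imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
{{- if .Values.certificate.selfSigned }}
# Point the JVM at the truststore mounted from the platform CA secret (see extraVolumes below).
javaOpts:
  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
  - "-Djavax.net.ssl.trustStoreType=jks"
  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
{{- end }}
externalDB:
  # Falls back to the MariaDB root password when no XWiki-specific password is set;
  # a dedicated, least-privileged database user is preferable.
  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
  database: {{ .Values.databases.xwiki.name | quote }}
  user: {{ .Values.databases.xwiki.username | quote }}
  host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
  customKeyRef:
    enabled: false
securityContext:
  enabled: true
  fsGroup: 101
containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  privileged: false
  runAsUser: 100
  runAsGroup: 101
  runAsNonRoot: true
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  # NOTE(review): root filesystem stays writable; confirm what XWiki writes at runtime
  # before tightening this.
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
# NOTE(review): xwiki.cfg / xwiki.properties below carry credentials (ldap.bind_pass,
# oidc.secret, workplaceServices.portalSecret, superadminpassword). Confirm how the
# upstream chart materialises customConfigs — if it lands in a ConfigMap rather than a
# Secret, anyone with ConfigMap read access in the namespace can read them.
customConfigs:
  xwiki.cfg:
    xwiki.url.protocol: "https"
    ## Indicate the LDAP field defining the user UID
    xwiki.authentication.ldap.UID_attr: "uid"
    ## Indicate the LDAP field defining the user profile picture
    xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
    ## Enable the synchronization of the LDAP profile picture
    xwiki.authentication.ldap.update_photo: 1
    {{- if .Values.debug.enabled }}
    ## Password of the "superadmin" user; only set in debug mode, the account stays
    ## disabled if no password is set
    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
    {{- end }}
    ## LDAP Server configuration
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    ## Plain LDAP on 389 (no ldap.ssl option set here). NOTE(review): confirm the path to
    ## the LDAP server is protected at the network level, since the bind credentials
    ## below are sent on every bind.
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache (seconds)
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
  xwiki.properties:
    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
    wikiInitializer.initialRequest.xwiki.contextPath: "/"
    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
    oidc.clientid: "opendesk-xwiki"
    oidc.endpoint.token.auth_method: "client_secret_basic"
    oidc.endpoint.userinfo.method: "GET"
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
    oidc.scope: "openid,opendesk-xwiki-scope"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
    # Using the claims below some user based information can be passed through OIDC to XWiki that partially has an
    # impact on the user experience. E.g. you can define the default editor for the user `xwiki_user_editor` or if
    # the `xwiki_user_usertype` is advanced or simple.
    # yamllint disable-line rule:line-length
    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
    # Only the IdP host is trusted for redirects.
    url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    # Values below are strings on purpose: they are written into a .properties file.
    openoffice.serverType: "0"
    openoffice.autoStart: "false"
    openoffice.homePath: "/tmp"
    notifications.emails.live.graceTime: "5"
ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.xwiki }}"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.xwiki }}"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.xwiki }}"
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.xwiki }}"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.xwiki }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.xwiki }}s"
    haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  hosts:
    - host: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
      paths:
        - path: /
          pathType: "ImplementationSpecific"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
istio:
  enabled: false
# Bundled databases are disabled; the external database above is used instead.
mariadb:
  enabled: false
mysql:
  enabled: false
persistence:
  size: {{ .Values.persistence.size.xwiki | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
postgresql:
  enabled: false
properties:
  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvgB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvgB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
  ## therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
  ## STARTTLS is off for the in-cluster postfix service. NOTE(review): confirm this hop
  ## never leaves the cluster network.
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
  ## Link LDAP users and users authenticated through OIDC
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": {{ .Values.theme.colors.primary | quote }}
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": {{ .Values.theme.colors.white | quote }}
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
  # yamllint disable-line rule:line-length
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd !important; height: 64px;} div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes": "sn,givenname,uid,mailPrimaryAddress"
  ## Restrict user import in the UI to global administrators
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
  ## Enable group and user synchronization
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate": 1
  ## Base DN under which groups should be searched for
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN": "dc=swp-ldap,dc=internal"
  ## LDAP filter to only synchronize some groups
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter": "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "{{ .Values.theme.texts.productName }} Wissen - $!tdoc.displayTitle"
cluster:
  replicas: {{ .Values.replicas.xwiki }}
resources: {{ .Values.resources.xwiki | toYaml | nindent 2 }}
service:
  externalPort: 80
  enabled: true
volumePermissions:
  enabled: true
{{- if .Values.certificate.selfSigned }}
# Mount the platform CA material so the truststore referenced in javaOpts exists.
extraVolumes:
  - name: "trusted-cert-secret-volume"
    secret:
      secretName: "opendesk-certificates-ca-tls"
      items:
        - key: "truststore.jks"
          path: "truststore.jks"
        - key: "ca.crt"
          path: "ca-certificates.crt"
extraVolumeMounts:
  - name: "trusted-cert-secret-volume"
    mountPath: "/etc/ssl/certs"
{{- end }}
...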