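{{/* SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0 */}}
---
# Values handed to the Nubus sub-charts (Keycloak, Guardian, UMC, portal,
# LDAP, provisioning, ...). This file is rendered by Helm as a Go template
# before it is parsed as YAML: every `{{ ... }}` action is evaluated, and the
# `nindent N` values must match the YAML indentation of the key they follow.
keycloak:
  enabled: true
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    # Writable root filesystem is the one relaxation in this stanza; the other
    # workloads below set it to true. Presumably Keycloak writes into its image
    # directory at start-up — confirm before tightening.
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
  replicaCount: {{ .Values.replicas.keycloak }}
  resources: {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}

nubusGuardian:
  authorizationApi:
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-authorization-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
    resources: {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
  managementApi:
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
    resources: {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
  managementUi:
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-ui"
    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources: {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
  openPolicyAgent:
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    podAnnotations:
      # NOTE(review): the doubled "ums-ums-" prefix differs from every other
      # service-name in this file. Left unchanged because the Otterize intents
      # that reference it live elsewhere; confirm both sides before renaming.
      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
    resources: {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
  provisioning:
    # Using openDesk keycloak provisioning
    enabled: false

nubusNotificationsApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    create: true
  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
  resources: {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}

nubusUmcServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-umc-server"
  # Both the main and the init container run as root (uid/gid 0,
  # runAsNonRoot: false). Dropped capabilities, no privilege escalation, the
  # RuntimeDefault seccomp profile and a read-only root filesystem are the
  # compensating controls. Presumably required by the UMC image; confirm
  # before attempting to run it unprivileged.
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  containerSecurityContextInit:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  proxy:
    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
  replicaCount: {{ .Values.replicas.umsUmcServer }}
  resources: {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
  selfService:
    # German password-reset mail. The {domainname}, {username}, {fqdn} and
    # {token} placeholders are filled in by the self-service mailer, not by
    # Helm (they are single braces, so Go templating ignores them).
    passwordresetEmailBody: |
      Sehr geehrte Benutzerin, sehr geehrter Benutzer,

      Ihr Benutzername für {domainname} lautet: {username}

      Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
      Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
      https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}

      Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
      https://{fqdn}/univention/portal/#/selfservice/passwordforgotten

      Mit freundlichen Grüßen
      Ihr {domainname} Passwort-Service

nubusKeycloakExtensions:
  # Only seccomp and SELinux are set here; uid/gid, capabilities and the
  # read-only root filesystem are presumably inherited from the sub-chart's
  # defaults — verify they match the stricter stanzas above.
  handler:
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
    resources: {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
  proxy:
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
    resources: {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      # NOTE(review): reuses the handler's SELinux options (there is no
      # separate umsKeycloakExtensionProxy key in this file). Looks like a
      # copy-paste; confirm against values.yaml before splitting it.
      seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}

nubusPortalConsumer:
  portalConsumer:
    image:
      pullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 8 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-portal-consumer"
  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
  resources: {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
  resourcesWaitForDependency: {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}

nubusUdmListener:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    # Image-specific uid; gid 65534 is the conventional "nogroup".
    runAsUser: 102
    runAsGroup: 65534
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources: {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}

nubusPortalServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-server"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    create: true
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources: {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}

nubusLdapNotifier:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    # Image-specific uid/gid (differs from the 1000/1000 used elsewhere).
    runAsUser: 101
    runAsGroup: 102
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-ldap-notifier"
  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
  resources: {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}

nubusLdapServer:
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  highAvailabilityMode: false
  replicaCountPrimary: 1
  # Secondary and proxy replicas are pinned to 0. The trailing `# {{ ... }}`
  # is still a Go template action: Helm evaluates it even inside a YAML
  # comment (harmless here, but it is not a disabled value). Use
  # `{{/* ... */}}` if the intent is to keep the reference without rendering it.
  replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
  replicaCountProxy: 0 # {{ .Values.replicas.umsLdapServerProxy }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
  serviceAccount:
    create: true
  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
  # One-off migration hooks (LDAP 2.4 export -> slapadd) delivered as a
  # Secret and mounted into the image's entrypoint.d directory.
  extraVolumes:
    - name: "migration-scripts"
      secret:
        secretName: "ums-ldap-server-migration"
        # Leading-zero literal: parsed as octal (decimal 365) under the
        # YAML 1.1 rules Helm applies, i.e. r-x for all. Do not quote it —
        # defaultMode must be an integer.
        defaultMode: 0555
  extraVolumeMounts:
    - name: "migration-scripts"
      mountPath: "/entrypoint.d/30-purge.sh"
      subPath: "30-purge.sh"
    - name: "migration-scripts"
      # NOTE(review): mountPath says "ldiff" while the secret key and subPath
      # say "ldif". The mount still works (mountPath is only the target
      # name), so it is left as is; presumably a typo.
      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
      subPath: "95-slapadd-24-ldif.sh"
  # The scripts contain no secret material; a Secret is used presumably
  # because the sub-chart only exposes extraSecrets for ad-hoc files.
  extraSecrets:
    - name: "ums-ldap-server-migration"
      stringData:
        # Clears the old database directories when an export file is present.
        # Uses absolute paths so a failed `cd` can never turn the `rm -rf`
        # into a deletion of the current working directory.
        30-purge.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
            echo "- Cleaning up /var/lib/univention-ldap."
            rm -rf /var/lib/univention-ldap/internal
            rm -rf /var/lib/univention-ldap/ldap
            ls -l /var/lib/univention-ldap
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi
        # Re-creates the database directories and imports the export. The
        # export file is renamed only when slapadd succeeded, so a failed
        # import is retried on the next start instead of being silently
        # marked as imported against an empty database.
        95-slapadd-24-ldif.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          ls -l /var/lib/univention-ldap
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
            ls -l /var/lib/univention-ldap/
            rm -rf /var/lib/univention-ldap/ldap
            rm -rf /var/lib/univention-ldap/internal
            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            mkdir /var/lib/univention-ldap/ldap
            mkdir /var/lib/univention-ldap/internal
            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
            rc=$?
            if [ "${rc}" -eq 0 ]; then
              echo "- slapadd executed"
              ls -l /var/lib/univention-ldap/
              mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
              echo "- import file renamed"
              ls -l /var/lib/univention-ldap/
            else
              echo "- slapadd failed with exit code ${rc}; import file left in place." >&2
            fi
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi

nubusPortalFrontend:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-frontend"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    create: true
  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
  resources: {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
  portalFrontend:
    branding:
      # toJson yields a quoted JSON string, which keeps CSS / base64 payloads
      # safe from YAML re-typing regardless of their content.
      css: {{ .Values.theme.imagery.portalCss | toJson }}
      favicon: {{ .Values.theme.imagery.faviconIcoB64 | toJson }}
      logo: {{ .Values.theme.imagery.logoHeaderSvgB64 | toJson }}
      backgroundImage: {{ .Values.theme.imagery.logoPortalBackgroundSvgB64 | toJson }}

nubusStackDataUms:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
  # This sub-chart names the key pullSecrets rather than imagePullSecrets.
  pullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-stack-data-ums"
  resources: {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}

nubusSelfServiceConsumer:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
  resources: {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}

nubusUdmRestApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-udm-rest-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    annotations:
      intended.usage: "compliance"
  resources: {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
  initResources: {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmRestApi }}

nubusUmcGateway:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  resources: {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}

nubusKeycloakBootstrap:
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    # Writable root filesystem, as for keycloak above; the bootstrap job
    # presumably writes into the image at run time — confirm before tightening.
    readOnlyRootFilesystem: false
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
  serviceAccount:
    annotations:
      intended.usage: "compliance"
  resources: {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}

nubusProvisioning:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount:
    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
    api: {{ .Values.replicas.umsProvisioningApi }}
  serviceAccount:
    create: true
  nats:
    config:
      cluster:
        replicas: {{ .Values.replicas.umsProvisioningNats }}
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      enabled: true
      runAsUser: 1000
      runAsGroup: 1000
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
    imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    resources: {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-nats"
    serviceAccount:
      create: true
  api:
    resources: {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-api"
  dispatcher:
    resources: {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
  prefill:
    resources: {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-prefill"
  registerConsumers:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
  udmTransformer:
    resources: {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
  # registerConsumers takes its resources from this top-level map rather than
  # from a per-component key like the other provisioning components.
  resources:
    registerConsumers: {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}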