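# Values rendered (helmfile gotmpl) for the Nubus umbrella chart: the `global`
# block feeds every sub-chart, the remaining top-level keys address one
# sub-chart each (keycloak, nubusGuardian, nubusNotificationsApi, ...).
# Credentials are interpolated from .Values.secrets.* and .Values.objectstores.*
# and therefore land in the rendered release values; treat rendered output as
# sensitive.
# Container images: every `registry:` coalesces the opencode.de registry, the
# global registry and the per-image registry; `repository:`/`tag:` are taken
# from .Values.images.<name> as-is.
# NOTE(review): `tag:` values are rendered unquoted everywhere; a tag that
#   looks numeric (e.g. 1.10) is parsed as a float by YAML. If any image tag can
#   be numeric, render it with `| quote` like the surrounding string values.
# NOTE(review): nubusKeycloakExtensions.proxy.securityContext.seLinuxOptions
#   reads .Values.seLinuxOptions.umsKeycloakExtensionHandler, the same key the
#   handler section reads — looks like a copy/paste; confirm whether a
#   proxy-specific value was intended.
# NOTE(review): keycloak.containerSecurityContext.readOnlyRootFilesystem is
#   false while every other component here sets true — confirm it is required.
# NOTE(review): keycloak.config.exposeAdminConsole and the proxy `/admin/`
#   ingress path both follow .Values.debug.enabled, i.e. debug mode publishes
#   the Keycloak admin console through the ingress.
# NOTE(review): the nubusKeycloakExtensions.smtp connection uses neither TLS
#   nor STARTTLS nor auth; the host renders to the in-cluster postfix service,
#   so the plaintext hop stays inside the cluster network — verify that holds
#   for the target environment.
# NOTE(review): the Otterize service-name "ums-ums-open-policy-agent" carries a
#   doubled prefix unlike its siblings; if it is a typo, fix it together with
#   the matching ClientIntents, since intents match on this name.
{{/* SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH SPDX-License-Identifier: Apache-2.0 */}} --- global: certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }} domain: {{ .Values.global.domain | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }} keycloak: realm: {{ .Values.platform.realm | quote }} ldap: baseDn: {{ .Values.ldap.baseDn | quote }} domainName: {{ .Values.global.domain | quote }} auth: cnAdmin: password: {{ .Values.secrets.nubus.ldapSecret | quote }} nubusDeployment: true nubusMasterPassword: {{ .Values.secrets.nubus.masterpassword | quote }} objectStorage: bucket: {{ .Values.objectstores.nubus.bucket | quote }} connection: host: "minio" port: "9000" protocol: "http" subDomains: portal: {{ .Values.global.hosts.nubus | quote }} keycloak: {{ .Values.global.hosts.keycloak | quote }} # -- Extensions to load. Add entries to load additional extensions into Nubus. extensions: - name: "ox" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }} repository: {{ .Values.images.nubusOxExtension.repository }} tag: {{ .Values.images.nubusOxExtension.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - name: "opendesk" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }} repository: {{ .Values.images.nubusOpendeskExtension.repository }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.nubusOpendeskExtension.tag }} # -- Allows to configure the system extensions to load. This is intended for # internal usage, prefer to use `global.extensions` for user configured # extensions. 
systemExtensions: - name: "portal" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }} repository: {{ .Values.images.nubusPortalExtension.repository }} tag: {{ .Values.images.nubusPortalExtension.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} configUcr: directory: manager: rest: authorized-groups: domain-admins: __DELETE_KEY__ iam-api-full-access: "cn=IAM API - Full Access,cn=groups,{{ .Values.ldap.baseDn }}" web: modules: users: user: add: default: "cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}" properties: description: syntax: "TextArea" firstname: required: "true" mailPrimaryAddress: required: "true" username: syntax: "uid" search: autosearch: "True" wizard: property: invite: default: "True" overridePWLength: default: "False" visible: "False" pwdChangeNextLogin: default: "True" visible: "False" wizard: disabled: "No" ucs: web: theme: "light" umc: cookie-banner: show: "false" login: password-complexity-message: de: "Das Passwort muss mindestens 8 Zeichen lang sein und darf keine Zahlenabfolge oder ganze Worte enthalten, wie '1234Test'." en: "Password must be at least 8 characters long and cannot include a number series or regular words, like '1234Test'." 
module: udm: oxmail: oxcontext: disabled: "True" portals: all: disabled: "True" self-service: account-registration: usertemplate: __DELETE_KEY__ passwordreset: token_validity_period: 172800 blacklist: groups: __DELETE_KEY__ ingress: # temporary fix {{- if not .Values.minio.enabled }} enabled: false {{- end }} certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} # Nubus bundled services postgresql: enabled: false provisioning: enabled: false minio: enabled: false # Nubus services which use customer supplied services keycloak: enabled: true config: exposeAdminConsole: {{ .Values.debug.enabled }} logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }} containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: false runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }} repository: {{ .Values.images.nubusKeycloak.repository }} tag: {{ .Values.images.nubusKeycloak.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: enabled: false keycloak: auth: username: "kcadmin" existingSecret: name: "ums-opendesk-keycloak-credentials" keyMapping: adminPassword: "admin_password" podAnnotations: intents.otterize.com/service-name: "ums-keycloak" postgresql: connection: host: {{ .Values.databases.keycloak.host | quote }} port: {{ .Values.databases.keycloak.port | quote }} auth: username: {{ .Values.databases.keycloak.username | quote }} database: {{ .Values.databases.keycloak.name | quote }} existingSecret: name: "ums-keycloak-postgresql-opendesk-credentials" 
keyMapping: password: keycloakDatabasePassword replicaCount: {{ .Values.replicas.keycloak }} resources: {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }} {{- if .Values.certificate.selfSigned }} extraVolumes: - name: "trusted-cert-crt-secret-volume" secret: secretName: "opendesk-certificates-ca-tls" items: - key: "ca.crt" path: "ca-certificates.crt" - name: "trusted-cert-jks-secret-volume" secret: secretName: "opendesk-certificates-ca-tls" items: - key: "truststore.jks" path: "truststore.jks" extraVolumeMounts: - name: "trusted-cert-crt-secret-volume" mountPath: "/etc/ssl/certs/ca-certificates.crt" subPath: "ca-certificates.crt" - name: "trusted-cert-jks-secret-volume" mountPath: "/etc/ssl/certs/truststore.jks" subPath: "truststore.jks" extraEnvVars: - name: "KC_HTTPS_TRUST_STORE_FILE" value: "/etc/ssl/certs/truststore.jks" - name: "KC_HTTPS_TRUST_STORE_PASSWORD" value: {{ .Values.secrets.certificates.password | quote }} - name: "KC_HTTPS_TRUST_STORE_TYPE" value: "jks" {{- end }} nubusGuardian: authorizationApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }} repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }} tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-guardian-authorization-api" podSecurityContext: fsGroup: 1000 fsGroupChangePolicy: "Always" replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }} resources: {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault 
seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} managementApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }} repository: {{ .Values.images.nubusGuardianManagementApi.repository }} tag: {{ .Values.images.nubusGuardianManagementApi.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-guardian-management-api" podSecurityContext: fsGroup: 1000 fsGroupChangePolicy: "Always" replicaCount: {{ .Values.replicas.umsGuardianManagementApi }} resources: {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }} managementUi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }} repository: {{ .Values.images.nubusGuardianManagementUi.repository }} tag: {{ .Values.images.nubusGuardianManagementUi.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-guardian-management-ui" replicaCount: {{ .Values.replicas.umsGuardianManagementUi }} resources: {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }} securityContext: allowPrivilegeEscalation: false 
capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }} openPolicyAgent: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }} repository: {{ .Values.images.nubusOpenPolicyAgent.repository }} tag: {{ .Values.images.nubusOpenPolicyAgent.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podSecurityContext: fsGroup: 1000 fsGroupChangePolicy: "Always" podAnnotations: intents.otterize.com/service-name: "ums-ums-open-policy-agent" replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }} resources: {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }} postgresql: connection: host: {{ .Values.databases.umsGuardianManagementApi.host | quote }} port: {{ .Values.databases.umsGuardianManagementApi.port | quote }} auth: username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} database: {{ .Values.databases.umsGuardianManagementApi.name | quote }} credentialSecret: name: "ums-guardian-postgresql-opendesk-credentials" key: "guardianDatabasePassword" provisioning: enabled: false config: nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }} keycloak: realm: {{ .Values.platform.realm | quote }} username: "kcadmin" connection: host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}" baseUrl: 
"http://ums-keycloak:8080" credentialSecret: name: "ums-opendesk-keycloak-credentials" key: "admin_password" managementApi: credentialSecret: name: "ums-opendesk-guardian-client-secret" key: "managementApiClientSecret" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }} repository: {{ .Values.images.nubusGuardianProvisioning.repository }} tag: {{ .Values.images.nubusGuardianProvisioning.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusNotificationsApi: additionalAnnotations: intents.otterize.com/service-name: "ums-notifications-api" containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }} repository: {{ .Values.images.nubusNotificationsApi.repository }} tag: {{ .Values.images.nubusNotificationsApi.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} postgresql: connection: host: {{ .Values.databases.umsNotificationsApi.host | quote }} port: {{ .Values.databases.umsNotificationsApi.port | quote }} auth: username: {{ .Values.databases.umsNotificationsApi.username | quote }} database: {{ .Values.databases.umsNotificationsApi.name | quote }} existingSecret: name: "ums-notifications-api-postgresql-opendesk-credentials" serviceAccount: create: true replicaCount: {{ .Values.replicas.umsNotificationsApi 
}} resources: {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }} nubusPortalFrontend: additionalAnnotations: intents.otterize.com/service-name: "ums-portal-frontend" containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }} repository: {{ .Values.images.nubusPortalFrontend.repository }} tag: {{ .Values.images.nubusPortalFrontend.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} portalFrontend: branding: css: {{ .Values.theme.styles.portal.main | toJson }} # Requires .ico, .svg does not work. favicon: {{ .Values.theme.imagery.portal.faviconIco | toJson }} # The actual `logo` is set in customizing image, the logo down here is for the waiting spinner. 
logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }} backgroundImage: {{ .Values.theme.imagery.portal.backgroundSvg | toJson }} serviceAccount: create: true replicaCount: {{ .Values.replicas.umsPortalFrontend }} resources: {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }} nubusKeycloakExtensions: enabled: true keycloak: auth: username: "kcadmin" existingSecret: name: "ums-opendesk-keycloak-credentials" keyMapping: adminPassword: "admin_password" proxy: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }} repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }} tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} ingress: paths: {{- if .Values.debug.enabled }} - pathType: "Prefix" path: "/admin/" {{- end }} - pathType: "Prefix" path: "/realms/" - pathType: "Prefix" path: "/js/" - pathType: "Prefix" path: "/resources/" - pathType: "Prefix" path: "/fingerprintjs" certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-extensions-proxy" replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }} resources: {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }} securityContext: seccompProfile: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }} postgresql: connection: host: {{ .Values.databases.keycloakExtension.host | quote }} port: {{ .Values.databases.keycloakExtension.port | quote }} auth: database: {{ .Values.databases.keycloakExtension.name | quote }} username: {{ .Values.databases.keycloakExtension.username | quote }} existingSecret: name: 
"ums-keycloak-extensions-postgresql-opendesk-credentials" keyMapping: password: "umcKeycloakExtensionsDatabasePassword" smtp: connection: host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }} port: 25 ssl: false starttls: false auth: enabled: false username: "" existingSecret: name: "ums-keycloak-extensions-smtp-opendesk-credentials" keyMapping: password: "umcKeycloakExtensionsSmtpPassword" handler: appConfig: logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }} newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account" mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }} repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }} tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-extensions-handler" replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }} resources: {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }} securityContext: seccompProfile: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }} nubusPortalListener: enabled: false nubusPortalConsumer: enabled: true portalConsumer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }} repository: {{ .Values.images.nubusPortalConsumer.repository }} tag: {{ .Values.images.nubusPortalConsumer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} 
pullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . | quote }} {{- end }} logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }} objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }} objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }} objectStorage: auth: accessKey: {{ .Values.objectstores.nubus.username | quote }} secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }} persistence: size: {{ .Values.persistence.storages.nubusPortalConsumer.size | quote }} storageClass: {{ coalesce .Values.persistence.storages.nubusPortalConsumer.storageClassName .Values.persistence.storageClassNames.RWO | quote }} podAnnotations: intents.otterize.com/service-name: "ums-portal-consumer" provisioningApi: auth: username: "portal-consumer" password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote }} replicaCount: {{ .Values.replicas.umsPortalConsumer }} resources: {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }} resourcesWaitForDependency: {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }} securityContext: seccompProfile: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }} waitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} {{- if .Values.certificate.selfSigned }} extraVolumes: - name: "trusted-cert-secret-volume" secret: secretName: "opendesk-certificates-ca-tls" items: - key: "ca.crt" path: "ca-certificates.crt" - key: "ca.crt" path: "cacert.pem" 
extraVolumeMounts: - name: "trusted-cert-secret-volume" mountPath: "/etc/ssl/certs/ca-certificates.crt" subPath: "ca-certificates.crt" waitForDependency: extraVolumeMounts: - name: "trusted-cert-secret-volume" readOnly: true mountPath: "/etc/ssl/certs/ca-certificates.crt" subPath: "ca-certificates.crt" - name: "trusted-cert-secret-volume" readOnly: true mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem" subPath: "cacert.pem" extraEnvVars: - name: "REQUESTS_CA_BUNDLE" value: "/etc/ssl/certs/ca-certificates.crt" - name: "DEFAULT_CA_BUNDLE_PATH" value: "/etc/ssl/certs/ca-certificates.crt" - name: "SSL_CERT_FILE" value: "/etc/ssl/certs/ca-certificates.crt" {{- end }} nubusPortalServer: additionalAnnotations: intents.otterize.com/service-name: "ums-portal-server" containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }} repository: {{ .Values.images.nubusPortalServer.repository }} tag: {{ .Values.images.nubusPortalServer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} objectStorage: auth: accessKey: {{ .Values.objectstores.nubus.username | quote }} secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }} portalServer: objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi 
.Values.global.domain)) | quote }} objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }} objectStorageCredentialSecret: name: "ums-portal-server-minio-opendesk-credentials" accessKeyKey: "access-key-id" secretKeyKey: "secret-key-id" centralNavigation: enabled: true authenticatorSecretName: "ums-opendesk-portal-server-central-navigation" replicaCount: {{ .Values.replicas.umsPortalServer }} resources: {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }} serviceAccount: create: true {{- if .Values.certificate.selfSigned }} extraVolumes: - name: "trusted-cert-crt-secret-volume" secret: secretName: "opendesk-certificates-ca-tls" items: - key: "ca.crt" path: "ca-certificates.crt" - key: "ca.crt" path: "cacert.pem" extraVolumeMounts: - name: "trusted-cert-crt-secret-volume" readOnly: true mountPath: "/etc/ssl/certs/ca-certificates.crt" subPath: "ca-certificates.crt" - name: "trusted-cert-crt-secret-volume" readOnly: true mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem" subPath: "cacert.pem" - name: "trusted-cert-crt-secret-volume" readOnly: true mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem" subPath: "cacert.pem" - name: "trusted-cert-crt-secret-volume" readOnly: true mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem" subPath: "cacert.pem" {{- end }} nubusUdmRestApi: additionalAnnotations: intents.otterize.com/service-name: "ums-udm-rest-api" containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} initResources: {{ 
.Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsUdmRestApi }} resources: {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }} serviceAccount: annotations: intended.usage: "compliance" udmRestApi: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }} repository: {{ .Values.images.nubusUdmRestApi.repository }} tag: {{ .Values.images.nubusUdmRestApi.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusLdapNotifier: containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 101 runAsGroup: 102 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }} repository: {{ .Values.images.nubusLdapNotifier.repository }} tag: {{ .Values.images.nubusLdapNotifier.tag }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} podAnnotations: intents.otterize.com/service-name: "ums-ldap-notifier" replicaCount: {{ .Values.replicas.umsLdapNotifier }} resources: {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }} nubusLdapServer: global: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} additionalAnnotations: intents.otterize.com/service-name: "ums-ldap-server" dhInitcontainer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }} repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }} tag: {{ 
.Values.images.nubusLdapServerDhInitContainer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} ldapServer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }} repository: {{ .Values.images.nubusLdapServer.repository }} tag: {{ .Values.images.nubusLdapServer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} leaderElector: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }} repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }} tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} persistence: size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }} storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }} replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }} replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }} replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }} resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }} serviceAccount: create: true waitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nubusProvisioning: enabled: true api: additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-api" auth: adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote }} 
prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote }} udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }} repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }} tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nats: auth: password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote }} resources: {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }} containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }} dispatcher: additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-dispatcher" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }} repository: {{ .Values.images.nubusProvisioningDispatcher.repository }} tag: {{ .Values.images.nubusProvisioningDispatcher.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nats: auth: password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote }} resources: {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ldap: auth: password: {{ .Values.secrets.nubus.ldapSecret | quote }} nats: additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-nats" auth: adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote }} config: cluster: 
replicas: {{ .Values.replicas.umsProvisioningNats }} containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} nats: image: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }} repository: {{ .Values.images.nubusNats.repository }} tag: {{ .Values.images.nubusNats.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} natsBox: image: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }} repository: {{ .Values.images.nubusNatsBox.repository }} tag: {{ .Values.images.nubusNatsBox.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} persistence: size: {{ .Values.persistence.storages.nubusProvisioningNats.size | quote }} storageClass: {{ coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote }} reloader: image: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }} repository: {{ .Values.images.nubusNatsReloader.repository }} tag: {{ .Values.images.nubusNatsReloader.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} resources: {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }} serviceAccount: create: true prefill: additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-prefill" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }} repository: {{ 
.Values.images.nubusProvisioningPrefill.repository }} tag: {{ .Values.images.nubusProvisioningPrefill.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nats: auth: password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote }} resources: {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }} udmTransformer: additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-udm-transformer" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }} repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }} tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} nats: auth: password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote }} resources: {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }} replicaCount: dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }} udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }} prefill: {{ .Values.replicas.umsProvisioningPrefill }} api: {{ .Values.replicas.umsProvisioningApi }} registerConsumers: additionalAnnotations: intents.otterize.com/service-name: "ums-provisioning-register-consumers" createUsers: oxConsumer: existingSecret: name: "ums-provisioning-ox-credentials" keyMapping: password: "ox-connector.json" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: intents.otterize.com/service-name: "ums-provisioning-register-consumers" resources: registerConsumers: {{ 
.Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }} serviceAccount: create: true nubusUdmListener: enabled: true containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 102 runAsGroup: 65534 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }} repository: {{ .Values.images.nubusProvisioningUdmListener.repository }} tag: {{ .Values.images.nubusProvisioningUdmListener.tag }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsUdmListener }} resources: {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }} nubusSelfServiceListener: enabled: false resources: {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }} resourcesWaitForDependency: {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }} nubusSelfServiceConsumer: enabled: true containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }} repository: {{ .Values.images.nubusSelfServiceConsumer.repository }} tag: {{ .Values.images.nubusSelfServiceConsumer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} 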
podAnnotations: intents.otterize.com/service-name: "ums-selfservice-listener" provisioningApi: auth: password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}} resources: {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }} waitForDependency: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }} repository: {{ .Values.images.nubusWaitForDependency.repository }} tag: {{ .Values.images.nubusWaitForDependency.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} # Nubus services nubusStackDataUms: additionalAnnotations: argocd.argoproj.io/hook: "Sync" argocd.argoproj.io/hook-delete-policy: "HookSucceeded" intents.otterize.com/service-name: "ums-stack-data-ums" containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }} repository: {{ .Values.images.nubusDataLoader.repository }} tag: {{ .Values.images.nubusDataLoader.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} initResources: {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }} # In openDesk the external memcache does not expect a username to be set. 
Overwriting # the default username of `selfservice` is part of the customizing: nubusUmcServer: memcached: auth: username: "" pullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} resources: {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }} stackDataContext: umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }} umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }} umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }} umcMemcachedUsername: "" externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }} umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}" smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }} smtpPort: 25 smtpUser: "" smtpStartTls: false ldapBase: {{ .Values.ldap.baseDn }} templateContext: initialPasswordDefaultAdmin: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote }} initialPasswordDefaultUser: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote }} initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }} portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }} portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }} portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }} portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }} portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }} portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }} portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }} portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange 
.Values.global.domain }} portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }} portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }} portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}" portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}" oxDefaultContext: "1" componentEnabled: notes: {{ .Values.notes.enabled }} ldapSearchUsers: {{- range $username, $password := .Values.secrets.nubus.ldapSearch }} - username: {{ printf "ldapsearch_%s" $username | quote }} password: {{ $password | quote }} lastname: "LDAP-Search-User" {{- end }} ldapSystemUsers: [] portaltileGroupUserStandard: - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupUserAdmin: - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}' - 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupUserAll: - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}' - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupGroupware: - 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupFileshare: - 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupManagementProject: - 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupManagementKnowledge: - 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupManagementLearn: - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupLiveCollaboration: - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupVideoconference: - 'cn=managed-by-attribute-Videoconference,cn=groups,{{ .Values.ldap.baseDn }}' portaltileGroupNotes: - 'cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}' systemInformation: releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}" 
{{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }} deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}" {{- else }} deployDate: false {{- end }} nubusUmcServer: additionalAnnotations: intents.otterize.com/service-name: "ums-umc-server" containerSecurityContext: enabled: true allowPrivilegeEscalation: false capabilities: drop: - "ALL" runAsUser: 0 runAsGroup: 0 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: false seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} containerSecurityContextInit: enabled: true allowPrivilegeEscalation: false capabilities: drop: - "ALL" runAsUser: 0 runAsGroup: 0 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: false seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} containerSecurityContextSssd: enabled: true allowPrivilegeEscalation: true capabilities: drop: - "ALL" add: - "DAC_OVERRIDE" - "SETGID" - "AUDIT_WRITE" - "SETUID" - "CHOWN" - "SETPCAP" - "FOWNER" - "FSETID" - "KILL" - "MKNOD" - "NET_BIND_SERVICE" - "SYS_CHROOT" runAsUser: 0 runAsGroup: 0 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: false seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }} repository: {{ .Values.images.nubusUmcServer.repository }} tag: {{ .Values.images.nubusUmcServer.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} memcached: bundled: false server: {{ .Values.cache.umsSelfservice.host | quote }} 
auth: existingSecret: name: "ums-umc-server-memcached-opendesk-credentials" keyMapping: memcached-password: "umcServerMemcachedPassword" postgresql: bundled: false connection: host: {{ .Values.databases.umsSelfservice.host | quote }} port: {{ .Values.databases.umsSelfservice.port | quote }} auth: username: {{ .Values.databases.umsSelfservice.username | quote }} database: {{ .Values.databases.umsSelfservice.name | quote }} existingSecret: name: "ums-umc-server-postgresql-opendesk-credentials" keyMapping: password: "umcServerDatabasePassword" proxy: image: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }} repository: {{ .Values.images.nubusUmcServerProxy.repository }} tag: {{ .Values.images.nubusUmcServerProxy.tag }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} replicaCount: {{ .Values.replicas.umsUmcServerProxy }} replicaCount: {{ .Values.replicas.umsUmcServer }} resources: {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }} selfService: passwordresetEmailBody: | Sehr geehrte Benutzerin, sehr geehrter Benutzer, Ihr Benutzername für {domainname} lautet: {username} Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde. 
Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen: https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username} Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter: https://{fqdn}/univention/portal/#/selfservice/passwordforgotten Mit freundlichen Grüßen Ihr {domainname} Passwort-Service smtp: existingSecret: name: "ums-umc-server-smtp-credentials-custom" nubusUmcGateway: containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - "ALL" enabled: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }} repository: {{ .Values.images.nubusUmcGateway.repository }} tag: {{ .Values.images.nubusUmcGateway.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} ingress: certManager: enabled: false tls: enabled: {{ .Values.ingress.tls.enabled }} secretName: {{ .Values.ingress.tls.secretName | quote }} initResources: {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsUmcGateway }} resources: {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }} umcGateway: umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}" nubusKeycloakBootstrap: additionalAnnotations: argocd.argoproj.io/hook: "Sync" bootstrap: ldapMappers: - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin" - ldapAndUserModelAttributeName: "oxContextIDNum" twoFactorAuthentication: enabled: true group: "2fa-users" containerSecurityContext: enabled: true allowPrivilegeEscalation: false capabilities: 
drop: - "ALL" readOnlyRootFilesystem: false runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }} image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }} repository: {{ .Values.images.nubusKeycloakBootstrap.repository }} tag: {{ .Values.images.nubusKeycloakBootstrap.tag }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} keycloak: auth: username: "kcadmin" existingSecret: name: "ums-opendesk-keycloak-credentials" ldap: auth: bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }} existingSecret: name: "ums-keycloak-bootstrap-ldap-opendesk-credentials" podAnnotations: intents.otterize.com/service-name: "ums-keycloak-bootstrap" resources: {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }} # Credential secrets for accessing customer supplied services extraSecrets: - name: "ums-opendesk-portal-server-central-navigation" stringData: authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }} - name: "ums-opendesk-guardian-client-secret" stringData: managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - name: "ums-opendesk-keycloak-credentials" stringData: admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }} - name: "ums-keycloak-postgresql-opendesk-credentials" stringData: keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} - name: "ums-guardian-postgresql-opendesk-credentials" stringData: guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }} - name: 
"ums-notifications-api-postgresql-opendesk-credentials" stringData: password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }} - name: "ums-umc-server-postgresql-opendesk-credentials" stringData: umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }} - name: "ums-umc-server-memcached-opendesk-credentials" stringData: umcServerMemcachedPassword: "" - name: "ums-keycloak-extensions-postgresql-opendesk-credentials" stringData: umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }} - name: "ums-keycloak-extensions-smtp-opendesk-credentials" stringData: umcKeycloakExtensionsSmtpPassword: "" - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials" stringData: password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }} - name: "ums-portal-server-minio-opendesk-credentials" stringData: access-key-id: {{ .Values.objectstores.nubus.username | quote }} secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }} - name: "ums-umc-server-smtp-credentials-custom" stringData: password: "" - name: "ums-provisioning-ox-credentials" stringData: ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"