mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 07:21:36 +01:00
243 lines
12 KiB
Go Template
243 lines
12 KiB
Go Template
{{/*
|
|
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
|
SPDX-License-Identifier: Apache-2.0
|
|
*/}}
|
|
---
|
|
image:
|
|
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
tag: {{ .Values.images.notesBackend.tag }}
|
|
credentials:
|
|
name: {{ .Values.global.imagePullSecrets | first | quote }}
|
|
|
|
ingress:
|
|
enabled: {{ .Values.ingress.enabled }}
|
|
className: {{ .Values.ingress.ingressClassName }}
|
|
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
|
tls:
|
|
enabled: "{{ .Values.ingress.tls.enabled }}"
|
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
|
|
|
ingressCollaborationWS:
|
|
enabled: {{ .Values.ingress.enabled }}
|
|
className: {{ .Values.ingress.ingressClassName }}
|
|
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
|
path: "/collaboration/ws/"
|
|
tls:
|
|
enabled: "{{ .Values.ingress.tls.enabled }}"
|
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Can-Edit, X-User-Id"
|
|
nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/collaboration-auth/
|
|
nginx.ingress.kubernetes.io/enable-websocket: "true"
|
|
nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
|
|
nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
|
|
nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
|
|
|
|
ingressAdmin:
|
|
enabled: {{ .Values.ingress.enabled }}
|
|
className: {{ .Values.ingress.ingressClassName }}
|
|
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
|
tls:
|
|
enabled: "{{ .Values.ingress.tls.enabled }}"
|
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
|
|
|
ingressMedia:
|
|
enabled: {{ .Values.ingress.enabled }}
|
|
className: {{ .Values.ingress.ingressClassName }}
|
|
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
|
|
nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/media-auth/"
|
|
nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
|
nginx.ingress.kubernetes.io/use-regex: "true"
|
|
nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
|
|
nginx.ingress.kubernetes.io/session-cookie-path: /media
|
|
tls:
|
|
enabled: "{{ .Values.ingress.tls.enabled }}"
|
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
|
|
|
ingressCollaborationApi:
|
|
enabled: {{ .Values.ingress.enabled }}
|
|
className: {{ .Values.ingress.ingressClassName }}
|
|
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
|
|
path: /collaboration/api/
|
|
tls:
|
|
enabled: "{{ .Values.ingress.tls.enabled }}"
|
|
secretName: {{ .Values.ingress.tls.secretName | quote }}
|
|
|
|
|
|
serviceMedia:
|
|
host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
|
|
port: {{ .Values.objectstores.notes.port | default 443 }}
|
|
|
|
frontend:
|
|
image:
|
|
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry) (.Values.images.notesFrontend.repository) | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
tag: {{ .Values.images.notesFrontend.tag }}
|
|
envVars:
|
|
PORT: 8080
|
|
NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
NEXT_PUBLIC_Y_PROVIDER_URL: {{ printf "wss://%s.%s/ws" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
|
|
runtimeEnvs:
|
|
ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
|
|
PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
|
replicas: {{ .Values.replicas.notesFrontend }}
|
|
resources:
|
|
{{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
privileged: false
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
|
|
|
|
yProvider:
|
|
image:
|
|
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
tag: {{ .Values.images.notesYProvider.tag }}
|
|
resources:
|
|
{{ .Values.resources.notesYProvider | toYaml | nindent 4 }}
|
|
replicas: {{ .Values.replicas.notesYProvider }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
privileged: false
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
|
|
envVars:
|
|
COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
|
|
COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
|
Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
|
|
|
oidc:
|
|
clientId: "opendesk-notes"
|
|
clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
|
|
|
|
aiApiKey: {{ .Values.ai.apiKey }}
|
|
aiBaseUrl: {{ .Values.ai.endpoint }}
|
|
|
|
djangoSuperUserEmail: "default.admin@{{ .Values.global.domain }}"
|
|
djangoSuperUserPass: {{ .Values.secrets.notes.superuser }}
|
|
djangoSecretKey: {{ .Values.secrets.notes.djangoSecretKey }}
|
|
|
|
backend:
|
|
image:
|
|
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
tag: {{ .Values.images.notesBackend.tag }}
|
|
replicas: {{ .Values.replicas.notesBackend }}
|
|
envVars:
|
|
DB_HOST: {{ .Values.databases.notes.host | quote }}
|
|
DB_NAME: {{ .Values.databases.notes.name | quote }}
|
|
DB_USER: {{ .Values.databases.notes.username | quote }}
|
|
DB_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
|
|
DB_PORT: {{ .Values.databases.notes.port | quote }}
|
|
POSTGRES_DB: {{ .Values.databases.notes.name | quote }}
|
|
POSTGRES_USER: {{ .Values.databases.notes.username | quote }}
|
|
POSTGRES_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
|
|
FRONTEND_THEME: "openDesk"
|
|
REDIS_URL: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
|
|
AWS_S3_ENDPOINT_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
|
|
AWS_S3_ACCESS_KEY_ID: {{ .Values.objectstores.notes.username }}
|
|
AWS_S3_SECRET_ACCESS_KEY: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
|
|
AWS_STORAGE_BUCKET_NAME: {{ .Values.objectstores.notes.bucket }}
|
|
DJANGO_CSRF_TRUSTED_ORIGINS: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
DJANGO_SITE_DOMAIN: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
DJANGO_SITE_NAME: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
DJANGO_CONFIGURATION: Production
|
|
DJANGO_ALLOWED_HOSTS: "*"
|
|
DJANGO_SECRET_KEY: {{ .Values.secrets.notes.djangoSecretKey }}
|
|
DJANGO_SETTINGS_MODULE: impress.settings
|
|
DJANGO_SUPERUSER_PASSWORD: {{ .Values.secrets.notes.superuser }}
|
|
DJANGO_EMAIL_BRAND_NAME: "openDesk"
|
|
DJANGO_EMAIL_LOGO_IMG: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
|
DJANGO_EMAIL_FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
|
|
DJANGO_EMAIL_HOST: "postfix"
|
|
DJANGO_EMAIL_PORT: 25
|
|
DJANGO_EMAIL_USE_SSL: False
|
|
DJANGO_EMAIL_HOST_USER: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
|
|
DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
|
|
DJANGO_EMAIL_USE_TLS: False
|
|
OIDC_RP_CLIENT_ID: "opendesk-notes"
|
|
OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
|
|
OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
|
|
OIDC_OP_AUTHORIZATION_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
|
|
OIDC_OP_TOKEN_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
|
|
OIDC_OP_USER_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
|
|
OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
|
|
OIDC_RP_SIGN_ALGO: RS256
|
|
OIDC_RP_SCOPES: "openid opendesk-notes-scope"
|
|
USER_OIDC_FIELD_TO_SHORTNAME: "given_name"
|
|
USER_OIDC_FIELDS_TO_FULLNAME: "given_name,family_name"
|
|
USER_OIDC_ESSENTIAL_CLAIMS: "email"
|
|
OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
|
|
OIDC_RENEW_ID_TOKEN: "False"
|
|
LOGIN_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
LOGIN_REDIRECT_URL_FAILURE: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
|
LOGOUT_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
|
|
AI_BASE_URL: {{ .Values.ai.endpoint | quote }}
|
|
AI_API_KEY: {{ .Values.ai.apiKey | quote }}
|
|
AI_MODEL: {{ .Values.ai.model | quote }}
|
|
Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
|
Y_PROVIDER_API_BASE_URL: {{ printf "https://%s.%s/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
COLLABORATION_API_URL: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
|
|
COLLABORATION_WS_URL: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
|
|
migrate:
|
|
command:
|
|
- "/bin/sh"
|
|
- "-c"
|
|
- |
|
|
python manage.py migrate --no-input
|
|
restartPolicy: Never
|
|
|
|
createsuperuser:
|
|
command:
|
|
- "/bin/sh"
|
|
- "-c"
|
|
- |
|
|
python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
|
|
restartPolicy: Never
|
|
|
|
resources:
|
|
{{ .Values.resources.notesBackend | toYaml | nindent 4 }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
privileged: false
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
|
|
...
|