mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-05 23:11:40 +01:00
351 lines
13 KiB
Go Template
351 lines
13 KiB
Go Template
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
|
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
---
|
|
global:
|
|
domain: {{ .Values.global.domain | quote }}
|
|
hosts:
|
|
{{ .Values.global.hosts | toYaml | nindent 4 }}
|
|
imagePullSecrets:
|
|
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
|
|
{{- if .Values.annotations.jitsiGlobal.pod }}
|
|
podAnnotations:
|
|
{{ .Values.annotations.jitsiGlobal.pod | toYaml | nindent 4}}
|
|
{{- end }}
|
|
containerSecurityContext:
|
|
allowPrivilegeEscalation: false
|
|
enabled: true
|
|
readOnlyRootFilesystem: true
|
|
privileged: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
runAsUser: 1993
|
|
runAsGroup: 1993
|
|
runAsNonRoot: true
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
|
|
|
|
|
|
{{- if .Values.certificate.selfSigned }}
|
|
extraEnvVars:
|
|
- name: "DENO_CERT"
|
|
value: "/etc/ssl/certs/ca-certificates.crt"
|
|
|
|
extraVolumes:
|
|
- name: "trusted-cert-secret-volume"
|
|
secret:
|
|
secretName: "opendesk-certificates-ca-tls"
|
|
items:
|
|
- key: "ca.crt"
|
|
path: "ca-certificates.crt"
|
|
extraVolumeMounts:
|
|
- name: "trusted-cert-secret-volume"
|
|
mountPath: "/etc/ssl/certs/ca-certificates.crt"
|
|
subPath: "ca-certificates.crt"
|
|
{{- end }}
|
|
|
|
cleanup:
|
|
deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
|
|
deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
|
|
|
|
image:
|
|
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsiKeycloakAdapter.registry | quote }}
|
|
repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
|
|
tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
|
|
|
|
settings:
|
|
jwtAppSecret:
|
|
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
|
|
keycloakRealm: {{ .Values.platform.realm | quote }}
|
|
keycloakClientId: "opendesk-jitsi"
|
|
|
|
theme:
|
|
title: "Videokonferenz - {{ .Values.theme.texts.productName }}"
|
|
{{ .Values.theme | toYaml | nindent 2 }}
|
|
|
|
jitsi:
|
|
publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
|
web:
|
|
replicaCount: {{ .Values.replicas.jitsi }}
|
|
image:
|
|
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
|
|
tag: {{ .Values.images.jitsi.tag | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
ingress:
|
|
enabled: {{ .Values.ingress.enabled }}
|
|
{{- if .Values.annotations.jitsiWeb.ingress }}
|
|
annotations:
|
|
{{- with .Values.annotations.jitsiWeb.ingress }}
|
|
{{ . | toYaml | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
|
hosts:
|
|
- host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
|
paths:
|
|
- "/"
|
|
tls:
|
|
- secretName: {{ .Values.ingress.tls.secretName | quote }}
|
|
hosts:
|
|
- "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
|
extraConfig:
|
|
doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
|
|
disableThirdPartyRequests: true
|
|
extraEnvs:
|
|
TURN_ENABLE: "1"
|
|
resources:
|
|
{{ .Values.resources.jitsi | toYaml | nindent 6 }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities: {}
|
|
privileged: false
|
|
readOnlyRootFilesystem: false
|
|
runAsGroup: 0
|
|
runAsNonRoot: false
|
|
runAsUser: 0
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
|
|
podAnnotations:
|
|
intents.otterize.com/service-name: "jitsi-web"
|
|
{{- with .Values.annotations.jitsiWeb.pod }}
|
|
{{ . | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
prosody:
|
|
image:
|
|
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
|
|
tag: {{ .Values.images.prosody.tag | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
imagePullSecrets:
|
|
{{- range .Values.global.imagePullSecrets }}
|
|
- name: {{ . | quote }}
|
|
{{- end }}
|
|
extraEnvs:
|
|
- name: "AUTH_TYPE"
|
|
value: "hybrid_matrix_token"
|
|
- name: "JWT_APP_ID"
|
|
value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
|
|
- name: "JWT_APP_SECRET"
|
|
value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
|
|
- name: "MATRIX_UVS_SYNC_POWER_LEVELS"
|
|
value: "true"
|
|
- name: "MATRIX_UVS_URL"
|
|
value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
|
|
- name: TURNS_HOST
|
|
value: {{ .Values.turn.tls.host | quote }}
|
|
- name: TURNS_PORT
|
|
value: {{ .Values.turn.tls.port | quote }}
|
|
- name: TURN_HOST
|
|
value: {{ .Values.turn.server.host | quote }}
|
|
- name: TURN_PORT
|
|
value: {{ .Values.turn.server.port | quote }}
|
|
- name: TURN_TRANSPORT
|
|
value: {{ .Values.turn.transport | quote }}
|
|
- name: TURN_CREDENTIALS
|
|
value: {{ .Values.turn.credentials | quote }}
|
|
resources:
|
|
{{ .Values.resources.prosody | toYaml | nindent 6 }}
|
|
persistence:
|
|
size: {{ .Values.persistence.storages.prosody.size | quote }}
|
|
storageClassName: {{ coalesce .Values.persistence.storages.prosody.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities: {}
|
|
privileged: false
|
|
readOnlyRootFilesystem: false
|
|
runAsGroup: 0
|
|
runAsNonRoot: false
|
|
runAsUser: 0
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
|
|
podAnnotations:
|
|
intents.otterize.com/service-name: "jitsi-prosody"
|
|
{{- with .Values.annotations.jitsiProsody.pod }}
|
|
{{ . | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
jicofo:
|
|
replicaCount: {{ .Values.replicas.jicofo }}
|
|
image:
|
|
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
|
|
tag: {{ .Values.images.jicofo.tag | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
xmpp:
|
|
password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
|
|
componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
|
|
resources:
|
|
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities: {}
|
|
privileged: false
|
|
readOnlyRootFilesystem: false
|
|
runAsGroup: 0
|
|
runAsNonRoot: false
|
|
runAsUser: 0
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
|
|
podAnnotations:
|
|
intents.otterize.com/service-name: "jitsi-jicofo"
|
|
{{- with .Values.annotations.jitsiJicofo.pod }}
|
|
{{ . | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
jigasi:
|
|
replicaCount: {{ .Values.replicas.jigasi }}
|
|
enabled: {{ .Values.sip.jigasi.enabled }}
|
|
image:
|
|
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jigasi.registry }}/{{ .Values.images.jigasi.repository }}"
|
|
tag: {{ .Values.images.jigasi.tag | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
extraEnvs:
|
|
JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }}
|
|
JIGASI_SIP_PORT: {{ .Values.sip.jigasi.port | quote }}
|
|
JIGASI_SIP_SERVER: {{ .Values.sip.jigasi.server | quote }}
|
|
JIGASI_SIP_TRANSPORT: {{ .Values.sip.jigasi.transport | quote }}
|
|
JIGASI_SIP_URI: {{ .Values.sip.jigasi.uri | quote }}
|
|
xmpp:
|
|
password: {{ .Values.secrets.jitsi.jigasiXmppPassword | quote }}
|
|
resources:
|
|
{{ .Values.resources.jigasi | toYaml | nindent 6 }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities: {}
|
|
privileged: false
|
|
readOnlyRootFilesystem: false
|
|
runAsGroup: 0
|
|
runAsNonRoot: false
|
|
runAsUser: 0
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
|
|
podAnnotations:
|
|
intents.otterize.com/service-name: "jitsi-jigasi"
|
|
{{- with .Values.annotations.jitsiJigasi.pod }}
|
|
{{ . | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
jvb:
|
|
replicaCount: {{ .Values.replicas.jvb }}
|
|
# The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
|
|
# upstream charts v1.4.0 a value for `publicIPs` is required. We set a dummy value as we anyway update it
|
|
# later with the `patchJVB` job.
|
|
publicIPs: [ 0.0.0.0 ]
|
|
image:
|
|
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
|
|
tag: {{ .Values.images.jvb.tag | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
xmpp:
|
|
password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
|
|
resources:
|
|
{{ .Values.resources.jvb | toYaml | nindent 6 }}
|
|
service:
|
|
type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
|
|
{{- if .Values.annotations.jitsiJvb.serviceExternal }}
|
|
annotations:
|
|
{{ .Values.annotations.jitsiJvb.serviceExternal | toYaml | nindent 8 }}
|
|
{{- end }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities: {}
|
|
privileged: false
|
|
readOnlyRootFilesystem: false
|
|
runAsGroup: 0
|
|
runAsNonRoot: false
|
|
runAsUser: 0
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
|
|
podAnnotations:
|
|
intents.otterize.com/service-name: "jitsi-jvb"
|
|
{{- with .Values.annotations.jitsiJvb.pod }}
|
|
{{ . | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
metrics:
|
|
prometheusAnnotations:
|
|
{{ .Values.annotations.jitsiJvb.metricsPrometheus | toYaml | nindent 8 }}
|
|
{{- if .Values.annotations.jitsiJvb.metricsGrafana }}
|
|
grafanaDashboards:
|
|
annotations:
|
|
{{ .Values.annotations.jitsiJvb.metricsGrafana | toYaml | nindent 10 }}
|
|
{{- end }}
|
|
jibri:
|
|
replicaCount: {{ .Values.replicas.jibri }}
|
|
image:
|
|
repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
|
|
tag: {{ .Values.images.jibri.tag | quote }}
|
|
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
recorder:
|
|
password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
|
|
xmpp:
|
|
password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
|
|
resources:
|
|
{{ .Values.resources.jibri | toYaml | nindent 6 }}
|
|
securityContext:
|
|
# Chart does not allow to template more
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
podAnnotations:
|
|
intents.otterize.com/service-name: "jitsi-jibri"
|
|
{{- with .Values.annotations.jitsiJibri.pod }}
|
|
{{ . | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
imagePullSecrets:
|
|
{{- range .Values.global.imagePullSecrets }}
|
|
- name: {{ . | quote }}
|
|
{{- end }}
|
|
{{- if .Values.annotations.jitsi.serviceAccount }}
|
|
serviceAccount:
|
|
annotations:
|
|
{{ .Values.annotations.jitsi.serviceAccount | toYaml | nindent 6 }}
|
|
{{- end }}
|
|
|
|
patchJVB:
|
|
backoffLimit: 12
|
|
configuration:
|
|
staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
|
|
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
|
|
containerSecurityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
enabled: true
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: "RuntimeDefault"
|
|
seLinuxOptions:
|
|
{{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
|
|
image:
|
|
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
|
|
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
|
|
repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
|
|
tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
|
|
|
|
{{- if .Values.annotations.jitsi.pod }}
|
|
podAnnotations:
|
|
{{ .Values.annotations.jitsi.pod | toYaml | nindent 2 }}
|
|
{{- end }}
|
|
|
|
replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
|
|
|
|
resources:
|
|
{{ .Values.resources.jitsiKeycloakAdapter | toYaml | nindent 2 }}
|
|
|
|
serviceAccount:
|
|
annotations:
|
|
{{ .Values.annotations.jitsi.serviceAccount | toYaml | nindent 4 }}
|
|
...
|