sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
6ba69236129e2176afd14d05060f6db1671df863
opendesk/helmfile/apps/nubus/values-nubus.yaml.gotmpl
Thorsten Roßner 6ba6923612 fix(helmfile): Update portal and branding. 
BREAKING CHANGE: Upgrading from previous releases requires manual steps, read `./docs/migrations.md` carefully.
2024-10-13 15:34:25 +02:00

528 lines
20 KiB
Go Template
Raw Blame History

{{/*
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
nubusDeployment: true
ldap:
baseDn: {{ .Values.ldap.baseDn | quote }}
domainName: {{ .Values.global.domain | quote }}
domain: {{ .Values.global.domain | quote }}
subDomains:
portal: {{ .Values.global.hosts.nubus | quote }}
keycloak: {{ .Values.global.hosts.keycloak | quote }}
ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
keycloak:
realm: {{ .Values.platform.realm | quote }}
objectStorage:
bucket: {{ .Values.objectstores.nubus.bucket | quote }}
connection:
host: "minio"
port: "9000"
protocol: "http"
credentialOverride:
ldapServer:
adminPassword: {{ .Values.secrets.nubus.ldapSecret | quote}}
defaultUsers:
defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
portalConsumer:
minio:
accessKey: {{ .Values.objectstores.nubus.username | quote }}
secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
provisioningApi:
password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
provisioning:
api:
adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
dispatcher:
natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
nats:
adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
prefill:
natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
udmTransformer:
natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
selfserviceConsumer:
provisioningApi:
password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
# -- Extensions to load. Add entries to load additional extensions into Nubus.
extensions:
- name: "ox"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
repository: {{ .Values.images.nubusOxExtension.repository }}
tag: {{ .Values.images.nubusOxExtension.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- name: "opendesk"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
repository: {{ .Values.images.nubusOpendeskExtension.repository }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.nubusOpendeskExtension.tag }}
# -- Allows to configure the system extensions to load. This is intended for
# internal usage, prefer to use `global.extensions` for user configured
# extensions.
systemExtensions:
- name: "portal"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }}
repository: {{ .Values.images.nubusPortalExtension.repository }}
tag: {{ .Values.images.nubusPortalExtension.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
configUcr:
directory:
manager:
rest:
authorized-groups:
domain-admins: __DELETE_KEY__
iam-api-full-access: "cn=IAM API - Full Access,cn=groups,{{ .Values.ldap.baseDn }}"
web:
modules:
users:
user:
add:
default: "cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}"
properties:
description:
syntax: "TextArea"
firstname:
required: "true"
mailPrimaryAddress:
required: "true"
username:
syntax: "uid"
search:
autosearch: "True"
wizard:
property:
invite:
default: "True"
overridePWLength:
default: "False"
visible: "False"
pwdChangeNextLogin:
default: "True"
visible: "False"
wizard:
disabled: "No"
ucs:
web:
theme: "light"
umc:
cookie-banner:
show: "false"
login:
password-complexity-message:
de: "Das Passwort muss mindestens 8 Zeichen lang sein und darf keine Zahlenabfolge oder ganze Worte enthalten, wie '1234Test'."
en: "Password must be at least 8 characters long and cannot include a number series or regular words, like '1234Test'."
module:
udm:
oxmail:
oxcontext:
disabled: "True"
portals:
all:
disabled: "True"
self-service:
account-registration:
usertemplate: __DELETE_KEY__
passwordreset:
token_validity_period: 172800
blacklist:
groups: __DELETE_KEY__
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# Nubus bundled services
postgresql:
enabled: false
provisioning:
enabled: false
minio:
enabled: false
# Nubus services which use customer supplied services
keycloak:
keycloak:
auth:
username: "kcadmin"
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
postgresql:
connection:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port | quote }}
auth:
username: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
credentialSecret:
name: "ums-keycloak-postgresql-opendesk-credentials"
key: "keycloakDatabasePassword"
config:
exposeAdminConsole: {{ .Values.debug.enabled }}
nubusGuardian:
provisioning:
enabled: false
config:
nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
keycloak:
realm: {{ .Values.platform.realm | quote }}
username: "kcadmin"
connection:
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "http://ums-keycloak:8080"
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
managementApi:
credentialSecret:
name: "ums-opendesk-guardian-client-secret"
key: "managementApiClientSecret"
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
postgresql:
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
credentialSecret:
name: "ums-guardian-postgresql-opendesk-credentials"
key: "guardianDatabasePassword"
nubusNotificationsApi:
postgresql:
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
nubusPortalFrontend:
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName }}
nubusKeycloakExtensions:
keycloak:
auth:
username: "kcadmin"
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
proxy:
ingress:
paths:
{{- if .Values.debug.enabled }}
- pathType: "Prefix"
path: "/admin/"
{{- end }}
- pathType: "Prefix"
path: "/realms/"
- pathType: "Prefix"
path: "/js/"
- pathType: "Prefix"
path: "/resources/"
- pathType: "Prefix"
path: "/fingerprintjs"
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port | quote }}
auth:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
credentialSecret:
name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
key: "umcKeycloakExtensionsDatabasePassword"
smtp:
connection:
host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
port: 25
ssl: false
starttls: false
auth:
enabled: false
username: ""
credentialSecret:
name: "ums-keycloak-extensions-smtp-opendesk-credentials"
key: "umcKeycloakExtensionsSmtpPassword"
handler:
appConfig:
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
nubusPortalListener:
enabled: false
nubusPortalConsumer:
enabled: true
portalConsumer:
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
provisioningApi:
auth:
username: "portal-consumer"
nubusPortalServer:
portalServer:
objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
objectStorageCredentialSecret:
name: "ums-portal-server-minio-opendesk-credentials"
accessKeyKey: "access-key-id"
secretKeyKey: "secret-key-id"
centralNavigation:
enabled: true
authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
nubusUdmRestApi:
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
nubusProvisioning:
enabled: true
nubusUdmListener:
enabled: true
nubusSelfServiceListener:
enabled: false
nubusSelfServiceConsumer:
enabled: true
# Nubus services
nubusStackDataUms:
additionalAnnotations:
argocd.argoproj.io/hook: "Sync"
argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
stackDataContext:
umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
umcMemcachedUsername: ""
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
umcHtmlTitle: "openDesk Portal"
smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
smtpPort: 25
smtpUser: ""
smtpStartTls: false
ldapBase: {{ .Values.ldap.baseDn }}
templateContext:
# creates the default.user and default.admin
loadDevData: true
portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
portalTitleDE: "openDesk Portal"
portalTitleEN: "openDesk Portal"
oxDefaultContext: "1"
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
ldapSystemUsers: []
portaltileGroupUserStandard:
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupUserAdmin:
- 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
- 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupUserAll:
- 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupGroupware:
- 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupFileshare:
- 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupManagementProject:
- 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupManagementKnowledge:
- 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupManagementLearn:
- 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupLiveCollaboration:
- 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupVideoconference:
- 'cn=managed-by-attribute-Videoconference,cn=groups,{{ .Values.ldap.baseDn }}'
systemInformation:
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
{{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
{{- else }}
deployDate: false
{{- end }}
# In openDesk the external memcache does not expect a username to be set. Overwriting
# the default username of `selfservice` is part of the customizing:
nubusUmcServer:
memcached:
auth:
username: ""
nubusUmcServer:
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
credentialSecret:
name: "ums-umc-server-postgresql-opendesk-credentials"
key: "umcServerDatabasePassword"
memcached:
bundled: false
server: {{ .Values.cache.umsSelfservice.host | quote }}
auth:
credentialSecret:
name: "ums-umc-server-memcached-opendesk-credentials"
key: "umcServerMemcachedPassword"
smtp:
credentialSecret:
name: "ums-umc-server-smtp-credentials-custom"
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
nubusUmcGateway:
umcGateway:
umcHtmlTitle: "openDesk Portal"
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
nubusKeycloakBootstrap:
additionalAnnotations:
argocd.argoproj.io/hook: "Sync"
keycloak:
auth:
username: "kcadmin"
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
bootstrap:
ldapMappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
twoFactorAuthentication:
enabled: true
group: "2fa-users"
ldap:
auth:
bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
credentialSecret:
name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
# Credential secrets for accessing customer supplied services
extraSecrets:
- name: "ums-opendesk-portal-server-central-navigation"
stringData:
authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: "ums-opendesk-guardian-client-secret"
stringData:
managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- name: "ums-opendesk-keycloak-credentials"
stringData:
admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
- name: "ums-keycloak-postgresql-opendesk-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- name: "ums-guardian-postgresql-opendesk-credentials"
stringData:
guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
- name: "ums-notifications-api-postgresql-opendesk-credentials"
stringData:
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- name: "ums-umc-server-postgresql-opendesk-credentials"
stringData:
umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
- name: "ums-umc-server-memcached-opendesk-credentials"
stringData:
umcServerMemcachedPassword: ""
- name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
stringData:
umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
- name: "ums-keycloak-extensions-smtp-opendesk-credentials"
stringData:
umcKeycloakExtensionsSmtpPassword: ""
- name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
stringData:
password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
- name: "ums-portal-server-minio-opendesk-credentials"
stringData:
access-key-id: {{ .Values.objectstores.nubus.username | quote }}
secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
- name: "ums-umc-server-smtp-credentials-custom"
stringData:
password: ""
Reference in New Issue View Git Blame Copy Permalink