opendesk/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl

# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
additionalAnnotations:
  {{ .Values.annotations.nubusIntercomService.additional | toYaml | nindent 2 }}

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions:
    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}

{{- if .Values.certificate.selfSigned }}
extraVolumes:
  - name: "trusted-cert-secret-volume"
    secret:
      secretName: "opendesk-certificates-ca-tls"
      items:
        - key: "ca.crt"
          path: "ca-certificates.crt"
extraVolumeMounts:
  - name: "trusted-cert-secret-volume"
    mountPath: "/etc/ssl/certs/ca-certificates.crt"
    subPath: "ca-certificates.crt"
{{- end }}

extraEnvVars:
  - name: "REDIS_USER"
    value: {{ .Values.cache.intercomService.username }}
  {{- if .Values.certificate.selfSigned }}
  - name: "NODE_EXTRA_CA_CERTS"
    value: "/etc/ssl/certs/ca-certificates.crt"
  {{- end }}

global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

ics:
  session:
    secret: {{ .Values.secrets.intercom.secret | quote }}
  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  originRegex: "{{ .Values.global.domain }}"
  enableSessionCookie: true
  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
  usernameClaim: "opendesk_username"
  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
  default:
    domain: {{ .Values.global.domain | quote }}
  oidc:
    id: "opendesk-intercom"
    clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
  matrix:
    subdomain: {{ .Values.global.hosts.synapse | quote }}
    serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
    auth:
      applicationServiceSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
  nordeck:
    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
  portal:
    auth:
      sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  redis:
    host: {{ .Values.cache.intercomService.host | quote }}
    port: {{ .Values.cache.intercomService.port }}
    auth:
      password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
  openxchange:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    audience: "opendesk-oxappsuite"
  xwiki:
    subdomain: {{ .Values.global.hosts.xwiki | quote }}
    audience: "opendesk-xwiki"
  nextcloud:
    origin: {{ .Values.global.hosts.nextcloud | quote }}
    subdomain: {{ .Values.global.hosts.nextcloud | quote }}
    audience: "opendesk-nextcloud"
image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}

ingress:
  host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.nubusIntercomService.ingress | toYaml | nindent 4 }}

podAnnotations:
  {{ .Values.annotations.nubusIntercomService.pod | toYaml | nindent 2 }}

podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"

provisioning:
  # intercom OIDC client is created by opendesk-keycloak-bootstrap, as we have control over the
  # client's claims this way.
  enabled: false
  config:
    clientBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
    keycloak:
      realm: {{ .Values.platform.realm | quote }}
      connection:
        protocol: "http"
        host: "ums-keycloak"
        port: 8080
      auth:
        username: "kcadmin"
        existingSecret:
          name: "ums-opendesk-keycloak-credentials"
          keyMapping:
            password: "admin_password"
        key: "admin_password"
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository | quote }}
    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
  provisioningImage:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
  resources:
    {{ .Values.resources.intercomService | toYaml | nindent 4 }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.intercom | toYaml | nindent 6 }}

replicaCount: {{ .Values.replicas.intercomService }}

resources:
  {{ .Values.resources.intercomService | toYaml | nindent 2 }}

service:
  annotations:
    {{ .Values.annotations.nubusIntercomService.service | toYaml | nindent 4 }}

serviceAccount:
  annotations:
    {{ .Values.annotations.nubusIntercomService.serviceAccount | toYaml | nindent 4 }}
...