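# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
# Helmfile values template for the openDesk "notes" deployment: the sections
# `global`, `backend`, `frontend` and `y-provider` are rendered through Go
# templating first and only then parsed as YAML. Templated scalars that carry
# secrets, credentials or version-like values are therefore passed through
# `quote` so an empty, numeric-looking or special-character value cannot change
# the YAML type or break the document.
#
# NOTE(review): indentation was reconstructed from a whitespace-mangled copy;
# nesting that is not pinned by a `nindent N` hint (e.g. `frontendTheme`,
# `redisUrl` under `backend.configuration`) should be checked against the
# chart's values.yaml.
global:
  # Shared secret material; the same values also feed `yProviderApiKey` below.
  collaborationServerSecret:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
    existingSecret:
      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
  yProviderApiKey:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
    existingSecret:
      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  # NOTE(review): the source repeats `fqdn` and `tlsSecretName` (identical
  # values) at this point; kept verbatim. Lenient YAML loaders take the last
  # value, strict loaders reject duplicate mapping keys — confirm the repeats
  # are not needed at another nesting level and drop them.
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}

backend:
  image:
    # Registry precedence: opencode.de mirror, then the global registry
    # override, then the per-image default.
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry | quote }}
    repository: {{ .Values.images.notesBackend.repository | quote }}
    pullPolicy: "IfNotPresent"
    tag: {{ .Values.images.notesBackend.tag | quote }}
  ingress:
    annotations:
      "nginx.ingress.kubernetes.io/proxy-body-size": "{{ .Values.ingress.parameters.bodySize.notes }}"
      "nginx.ingress.kubernetes.io/proxy-read-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
      "nginx.ingress.kubernetes.io/proxy-send-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
      {{- if .Values.annotations.notesBackend.ingress }}
      {{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  # The admin ingress stays disabled; its annotations are still rendered so
  # the value file is complete if it is switched on elsewhere.
  ingressAdmin:
    enabled: false
    annotations:
      {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  replicaCount: {{ .Values.replicas.notesBackend }}
  configuration:
    ai:
      apiKey:
        # Quoted: an API key may contain ` #`, `: ` or leading indicator
        # characters that would otherwise be parsed as YAML syntax.
        value: {{ .Values.ai.apiKey | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.ai.apiKey.name | quote }}
          key: {{ .Values.externalSecrets.ai.apiKey.key | quote }}
      baseUrl: {{ .Values.ai.endpoint | quote }}
      model: {{ .Values.ai.model | quote }}
    aws:
      # Explicit object-store endpoint wins; otherwise the in-platform MinIO
      # API host under the global domain is used.
      endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
      s3AccessKeyId:
        value: {{ .Values.objectstores.notes.username | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
          key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
      s3SecretAccessKey:
        value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
          key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
      storageBucketName: {{ .Values.objectstores.notes.bucket | quote }}
    collaboration:
      apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
      wsUrl: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
    database:
      host: {{ .Values.databases.notes.host | quote }}
      name: {{ .Values.databases.notes.name | quote }}
      password:
        value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.databases.notes.password.name | quote }}
          key: {{ .Values.externalSecrets.databases.notes.password.key | quote }}
      port: {{ .Values.databases.notes.port | quote }}
      user:
        value: {{ .Values.databases.notes.username | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.databases.notes.user.name | quote }}
          key: {{ .Values.externalSecrets.databases.notes.user.key | quote }}
    email:
      brandName: "openDesk"
      from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
      # Mail is handed to the in-platform postfix service on port 25.
      host: "postfix"
      port: "25"
      logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
      user:
        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
          key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
      password:
        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
          key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
    # OpenID Connect against the platform Keycloak realm; all endpoints are
    # derived from the Keycloak host, the global domain and the realm name.
    oidc:
      enabled: true
      rpClientId:
        value: "opendesk-notes"
      rpClientSecret:
        value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }}
          key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }}
      opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      opUserEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
      opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      rpScopes: "openid opendesk-notes-scope"
      loginRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
      loginRedirectUrlFailure: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
      logoutRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
      # Post-login redirects are restricted to the notes host itself.
      redirectAllowedHosts: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
      essentialClaims: "email"
      fullnameFields: "given_name,family_name"
      shortnameField: "given_name"
    django:
      secretKey:
        # Quoted: Django secret keys routinely contain `#`, `!` and `@`.
        value: {{ .Values.secrets.notes.djangoSecretKey | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }}
          key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }}
      # A Django superuser `default.admin@<domain>` is provisioned on deploy
      # with the password from secrets.notes.superuser.
      createSuperuser: true
      superuserEmail:
        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }}
          key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }}
      superuserPassword:
        value: {{ .Values.secrets.notes.superuser | quote }}
        existingSecret:
          name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }}
          key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }}
    frontendTheme: "openDesk"
    redisUrl:
      # NOTE(review): the Redis password is interpolated verbatim into the
      # URL userinfo; a password containing `"`, `\`, `@`, `/` or `:` would
      # break either the YAML string or URL parsing — confirm it is generated
      # from a safe alphabet or URL-encode it here. Database index 7 is used.
      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
      existingSecret:
        name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }}
        key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }}
  extraEnvVars:
    - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
      value: "False"
    - name: "FRONTEND_FOOTER_FEATURE_ENABLED"
      value: "False"
  # Hardened container: no privilege escalation, all capabilities dropped,
  # non-root UID/GID 1001, read-only root filesystem, RuntimeDefault seccomp.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 1001
    runAsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
  podAnnotationsCreateUser:
    {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
  podAnnotationsMigrate:
    {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    # NOTE(review): fsGroup 1000 differs from the container's runAsUser/
    # runAsGroup 1001 — presumably matches the image's file ownership; confirm.
    fsGroup: 1000
    fsGroupChangePolicy: "Always"
  resources:
    {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
  extraVolumes:
    - name: "customization-volume"
      configMap:
        name: "impress-customization"
    {{- if .Values.certificate.selfSigned }}
    # With a self-signed platform CA, the CA certificate is mounted so the
    # backend trusts in-platform TLS endpoints.
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
    {{- end }}
  extraVolumeMounts:
    - name: "customization-volume"
      mountPath: "/app/impress/configuration/theme/default.json"
      subPath: "theme.json"
    {{- if .Values.certificate.selfSigned }}
    # Replaces certifi's bundled CA file inside the image. The mount path
    # pins the interpreter version (python3.13) and must track the backend
    # image; a Python upgrade silently leaves the CA bundle unused.
    - name: "trusted-cert-secret-volume"
      mountPath: "/usr/local/lib/python3.13/site-packages/certifi/cacert.pem"
      subPath: "ca-certificates.crt"
    {{- end }}

frontend:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry | quote }}
    repository: {{ .Values.images.notesFrontend.repository | quote }}
    pullPolicy: "IfNotPresent"
    tag: {{ .Values.images.notesFrontend.tag | quote }}
  ingress:
    enabled: true
    annotations:
      {{ .Values.annotations.notesFrontend.ingress | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  ingressMedia:
    enabled: true
    annotations:
      {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  configuration:
    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
  resources:
    {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
  # Same hardening as the backend, running as UID/GID 1000.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 1000
    fsGroupChangePolicy: "Always"
  service:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
  serviceMedia:
    annotations:
      # NOTE(review): reuses the `service` annotations rather than a dedicated
      # serviceMedia key — confirm this is intended.
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
  extraVolumes:
    - name: "customization-volume"
      configMap:
        name: "impress-customization"
  extraVolumeMounts:
    - name: "customization-volume"
      mountPath: "/usr/share/nginx/html/runtime-env.js"
      subPath: "runtime-env.js"

y-provider:
  image:
    # Pulled from the Docker Hub mirror rather than the opencode.de registry.
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry | quote }}
    repository: {{ .Values.images.notesYProvider.repository | quote }}
    pullPolicy: "IfNotPresent"
    # Quoted like the other image tags: an unquoted tag such as 1.10 would be
    # parsed as the float 1.1.
    tag: {{ .Values.images.notesYProvider.tag | quote }}
  replicaCount: 1
  # NOTE(review): debug mode is enabled in the rendered values — confirm this
  # is intended for production deployments.
  debug: true
  {{- if .Values.certificate.selfSigned }}
  # Node.js trusts the platform CA via NODE_EXTRA_CA_CERTS, pointing at the
  # mounted CA bundle below.
  extraEnvVars:
    - name: "NODE_EXTRA_CA_CERTS"
      value: "/etc/ssl/certs/cacert.pem"
  extraVolumes:
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
  extraVolumeMounts:
    - name: "trusted-cert-secret-volume"
      mountPath: "/etc/ssl/certs/cacert.pem"
      subPath: "ca-certificates.crt"
  {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 1001
    runAsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      # NOTE(review): takes the notesBackend SELinux options; there is no
      # notesYProvider key in use here — confirm that is intended.
      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  ingressCollaborationApi:
    annotations:
      {{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  ingressCollaborationWs:
    annotations:
      {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  podAnnotations:
    {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 1001
    fsGroupChangePolicy: "Always"
  service:
    annotations:
      {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
...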