
# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
# Nubus umbrella-chart values, rendered as a Go template before Helm parses the result.
# Annotations applied to all Nubus objects; the value is expanded from a YAML map.
additionalAnnotations:
{{ .Values.annotations.nubus.additional | toYaml | nindent 2 }}
# Settings shared by every Nubus sub-chart: issuer, domain, registry/pull settings, realm, LDAP base DN and host names.
global:
certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
domain: {{ .Values.global.domain | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
# Falls back to "nginx"; the nginx.ingress.kubernetes.io annotations used throughout this file assume that controller.
ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
keycloak:
realm: {{ .Values.platform.realm | quote }}
ldap:
baseDn: {{ .Values.ldap.baseDn | quote }}
domainName: {{ .Values.global.domain | quote }}
nubusDeployment: true
# NOTE(review): the master password is rendered inline from the secrets values; Helm keeps supplied
# values in its release record, so access to that record should be treated as access to this secret.
secrets:
masterPassword: {{ .Values.secrets.nubus.masterpassword | quote }}
subDomains:
portal: {{ .Values.global.hosts.nubus | quote }}
keycloak: {{ .Values.global.hosts.keycloak | quote }}
# -- Extensions to load. Add entries to load additional extensions into Nubus.
extensions:
- name: "opendesk-a2g-mapper"
image:
# Registry preference order (first non-empty wins): the opencode.de override, the global registry, then the image's own registry value.
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}
# -- Allows configuring the system extensions to load. This is intended for
# internal use; prefer `global.extensions` for user-configured extensions.
systemExtensions:
- name: "ox"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
repository: {{ .Values.images.nubusOxExtension.repository }}
tag: {{ .Values.images.nubusOxExtension.tag }}
- name: "opendesk"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
repository: {{ .Values.images.nubusOpendeskExtension.repository }}
tag: {{ .Values.images.nubusOpendeskExtension.tag }}
- name: "portal"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }}
repository: {{ .Values.images.nubusPortalExtension.repository }}
tag: {{ .Values.images.nubusPortalExtension.tag }}
# UCR (Univention Config Registry) overrides. "True"/"False"/"No" are quoted on purpose so they stay strings;
# __DELETE_KEY__ presumably removes a key the chart would otherwise set — confirm against the chart's UCR handling.
configUcr:
directory:
manager:
mail-address:
uniqueness: "True"
rest:
authorized-groups:
domain-admins: __DELETE_KEY__
# Grants the IAM API group full UDM REST API access; the group DN is built from the configured base DN.
iam-api-full-access: "cn=IAM API - Full Access,cn=groups,{{ .Values.ldap.baseDn }}"
web:
modules:
users:
user:
add:
# New users are created from the openDesk user template in the directory.
default: "cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}"
properties:
description:
syntax: "TextArea"
firstname:
required: "True"
mailPrimaryAddress:
required: "True"
username:
syntax: "uid"
search:
autosearch: "True"
wizard:
property:
invite:
default: "True"
# Hidden wizard fields: password length override is off, and a password change at next login is forced.
overridePWLength:
default: "False"
visible: "False"
pwdChangeNextLogin:
default: "True"
visible: "False"
wizard:
disabled: "No"
ucs:
web:
theme: "light"
umc:
# Makes login redirects point to OIDC instead of SAML. This does not disable the SAML endpoint.
web:
sso:
# NOTE(review): this is a YAML boolean while the sibling UCR values (e.g. show: "false") are quoted strings; confirm the chart accepts both forms.
enabled: false
cookie-banner:
show: "false"
login:
# Text shown to users on the login page; presumably the policy itself is enforced elsewhere — confirm.
password-complexity-message:
de: "Das Passwort muss mindestens 8 Zeichen lang sein und darf keine Zahlenabfolge oder ganze Worte enthalten, wie '1234Test'."
en: "Password must be at least 8 characters long and cannot include a number series or regular words, like '1234Test'."
module:
udm:
oxmail:
oxcontext:
disabled: "True"
portals:
all:
disabled: "True"
self-service:
account-registration:
usertemplate: __DELETE_KEY__
passwordreset:
# Password-reset token lifetime; 172800 is 48 h if the unit is seconds — confirm against the UCR variable definition.
token_validity_period: 172800
blacklist:
groups: __DELETE_KEY__
# Rate limits for self-service password resets, sourced from the security settings.
limit:
total:
day: {{ .Values.security.passwordResetLimits.day }}
hour: {{ .Values.security.passwordResetLimits.hour }}
minute: {{ .Values.security.passwordResetLimits.minute }}
# Ingress for the Nubus portal host.
ingress:
annotations:
# Proxy buffer and body-size limits for the nginx ingress controller.
nginx.ingress.kubernetes.io/proxy-body-size: "128k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "128k"
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
# NOTE(review): the X-Forwarded-Host/Port/Proto values are copied from the incoming request headers
# ($http_x_forwarded_*) rather than derived from the connection, so a client can supply them unless a
# trusted proxy in front of the ingress overwrites them. Confirm that is the case, or derive them from
# $host, $server_port and $scheme instead.
nginx.ingress.kubernetes.io/proxy-set-headers: |
Host $http_host;
X-Forwarded-For $proxy_add_x_forwarded_for;
X-Forwarded-Host $http_x_forwarded_host;
X-Forwarded-Port $http_x_forwarded_port;
X-Forwarded-Proto $http_x_forwarded_proto;
nginx.ingress.kubernetes.io/use-regex: "true"
{{- with .Values.annotations.nubus.ingress }}
{{ . | toYaml | nindent 4 }}
{{- end }}
# Certificates are handled outside this chart; the TLS secret name comes from the shared ingress settings.
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# NOTE(review): `minio` appears again below under "Nubus bundled services". With the indentation lost in
# this listing it is unclear whether both are top-level; if they are, this is a duplicate key (most
# parsers keep the last one) and one copy should be removed.
minio:
enabled: false
# Nubus bundled services
# Disabled in favour of the externally configured databases and object stores referenced further down.
postgresql:
enabled: false
provisioning:
enabled: false
minio:
enabled: false
# Nubus services which use customer supplied services
# Keycloak (identity provider) backed by an external PostgreSQL.
keycloak:
enabled: true
config:
# NOTE(review): both the admin console and DEBUG logging follow the global debug flag; the same flag
# also publishes the /admin/ path through the keycloak-extensions proxy ingress further down. Keep
# debug off outside test environments.
exposeAdminConsole: {{ .Values.debug.enabled }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
# NOTE(review): the only component in this file with a writable root filesystem; presumably Keycloak
# needs to write to its own directories at startup — confirm, and prefer an emptyDir for that path if so.
readOnlyRootFilesystem: false
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
commonAnnotations:
{{ .Values.annotations.nubusKeycloak.common | toYaml | nindent 4 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
repository: {{ .Values.images.nubusKeycloak.repository }}
tag: {{ .Values.images.nubusKeycloak.tag }}
# No ingress of its own; the keycloak-extensions proxy below publishes the /realms/, /js/ and /resources/ paths.
ingress:
enabled: false
keycloak:
# Built-in admin account; the password is rendered inline from the secrets values.
auth:
username: "kcadmin"
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
login:
messages:
de:
loginTitle: "Anmeldung bei {{ .Values.theme.texts.productName }}"
en:
loginTitle: "Sign in to {{ .Values.theme.texts.productName }}"
# NOTE(review): both features widen what clients and admins may do (fine-grained admin permissions,
# token exchange between clients); keep the set of clients allowed to exchange tokens minimal.
features:
enabled:
- "admin-fine-grained-authz:v1"
- "token-exchange"
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak"
{{- with .Values.annotations.nubusKeycloak.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
postgresql:
connection:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port | quote }}
auth:
username: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
# TODO: Pending secrets refactoring to be able to provide the value directly
# The database password is read from a pre-created Secret, under the key named in keyMapping.
existingSecret:
name: "ums-keycloak-postgresql-opendesk-credentials"
keyMapping:
password: keycloakDatabasePassword
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.nubusKeycloak.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusKeycloak.serviceAccount | toYaml | nindent 6 }}
{{- if .Values.certificate.selfSigned }}
# With a self-signed CA: mount the CA bundle and a JKS trust store from the certificates Secret and point
# Keycloak's trust-store settings at them so outbound TLS connections validate against the local CA.
extraVolumes:
- name: "trusted-cert-crt-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
- name: "trusted-cert-jks-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "truststore.jks"
path: "truststore.jks"
# NOTE(review): these mounts omit readOnly: true, unlike the equivalent CA mounts later in this file.
extraVolumeMounts:
- name: "trusted-cert-crt-secret-volume"
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
- name: "trusted-cert-jks-secret-volume"
mountPath: "/etc/ssl/certs/truststore.jks"
subPath: "truststore.jks"
extraEnvVars:
- name: "KC_HTTPS_TRUST_STORE_FILE"
value: "/etc/ssl/certs/truststore.jks"
- name: "KC_TRUSTSTORE_PATHS"
value: "/etc/ssl/certs/ca-certificates.crt"
# The trust-store password is rendered inline; it protects the store's integrity, not a secret key.
- name: "KC_HTTPS_TRUST_STORE_PASSWORD"
value: {{ .Values.secrets.certificates.password | quote }}
- name: "KC_HTTPS_TRUST_STORE_TYPE"
value: "jks"
{{- end }}
# Optional Nubus components that are not deployed here.
nubusGuardian:
enabled: false
nubusTwofaHelpdesk:
enabled: false
# Notifications API: disabled, but its configuration is kept complete below.
nubusNotificationsApi:
enabled: false
additionalAnnotations:
{{- with .Values.annotations.nubusNotificationsApi.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
# Hardened container defaults shared by most components in this file: no privilege escalation, all
# capabilities dropped, non-root uid/gid 1000, default seccomp profile, read-only root filesystem.
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
repository: {{ .Values.images.nubusNotificationsApi.repository }}
tag: {{ .Values.images.nubusNotificationsApi.tag }}
ingress:
annotations:
# rewrite-target reassembles the path from regex capture groups $2$3 of the ingress path defined in the sub-chart.
nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
nginx.ingress.kubernetes.io/use-regex: "true"
{{- with .Values.annotations.nubusNotificationsApi.ingress }}
{{. | toYaml | nindent 6 }}
{{- end }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
persistence:
annotations:
{{ .Values.annotations.nubusNotificationsApi.persistence | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-notifications-api"
{{- with .Values.annotations.nubusNotificationsApi.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
postgresql:
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
# Taken from the databases values when set, otherwise from the generated secrets; rendered inline either way.
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
# NOTE: Nubus still has an existing secret configured for legacy reasons. Setting its name to
# null disables that secret and ensures that the password value above is used.
existingSecret:
name: null
service:
annotations:
{{ .Values.annotations.nubusNotificationsApi.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusNotificationsApi.serviceAccount | toYaml | nindent 6 }}
create: true
replicaCount: {{ .Values.replicas.umsNotificationsApi }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
# Portal frontend, published through two extra ingress objects: `rewrites` (asset path rewriting)
# and `redirects` (bare entry points redirected to /univention/portal/).
nubusPortalFrontend:
additionalAnnotations:
{{- with .Values.annotations.nubusPortalFrontend.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
repository: {{ .Values.images.nubusPortalFrontend.repository }}
tag: {{ .Values.images.nubusPortalFrontend.tag }}
ingress:
annotations:
{{ .Values.annotations.nubusPortalFrontend.ingressIngress | toYaml | nindent 6 }}
certManager:
enabled: false
# Empty host/ingressClassName/secretName values presumably fall back to the chart-level settings — confirm in the sub-chart.
items:
- name: rewrites
host: ""
# Only these portal/selfservice entry points and asset directories are matched; the regex groups feed rewrite-target below.
paths:
- path: /univention/(portal|selfservice)/$
pathType: ImplementationSpecific
- path: /univention/(portal|selfservice)/index.html$
pathType: ImplementationSpecific
- path: /univention/(portal|selfservice)/(css|fonts|i18n|media|js|oidc|custom)(/.*)$
pathType: ImplementationSpecific
- path: /univention/(portal)/(icons)(/.*)$
pathType: ImplementationSpecific
ingressClassName: ""
annotations:
nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
nginx.ingress.kubernetes.io/use-regex: "true"
{{- with .Values.annotations.nubusPortalFrontend.ingressRewrites }}
{{ . | toYaml | nindent 10 }}
{{- end }}
tls:
secretName: ""
- name: redirects
host: ""
paths:
- pathType: ImplementationSpecific
path: /$
- pathType: ImplementationSpecific
path: /univention$
- pathType: ImplementationSpecific
path: /univention/$
- pathType: ImplementationSpecific
path: /univention/portal$
- pathType: ImplementationSpecific
path: /univention/selfservice$
ingressClassName: ""
annotations:
nginx.ingress.kubernetes.io/permanent-redirect: "/univention/portal/"
{{- with .Values.annotations.nubusPortalFrontend.ingressRedirects }}
{{ . | toYaml | nindent 10 }}
{{- end }}
tls:
secretName: ""
tls:
enabled: {{ .Values.ingress.tls.enabled }}
# NOTE(review): the only tls.secretName in this file rendered without `| quote`; an empty value would
# become null instead of "". Add `| quote` for consistency with the other components.
secretName: {{ .Values.ingress.tls.secretName }}
persistence:
annotations:
{{ .Values.annotations.nubusPortalFrontend.persistence | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-portal-frontend"
{{- with .Values.annotations.nubusPortalFrontend.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
portalFrontend:
# Theme assets are embedded as JSON-encoded strings (toJson) so multi-line CSS/SVG content is escaped safely.
branding:
css: {{ .Values.theme.styles.portal.main | toJson }}
favicon: {{ .Values.theme.imagery.portal.faviconIco | toJson }}
faviconSvg: {{ .Values.theme.imagery.portal.faviconSvg | toJson }}
favicon96Png: {{ .Values.theme.imagery.portal.favicon96Png | toJson }}
appleTouchIcon: {{ .Values.theme.imagery.portal.appleTouchIcon | toJson }}
webManifestIcon192: {{ .Values.theme.imagery.portal.webManifestIcon192 | toJson }}
webManifestIcon512: {{ .Values.theme.imagery.portal.webManifestIcon512 | toJson }}
# The actual `logo` is set in the customizing image; the logo configured here is only used for the waiting spinner.
logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }}
backgroundImage: {{ .Values.theme.imagery.portal.backgroundSvg | toJson }}
service:
annotations:
{{ .Values.annotations.nubusPortalFrontend.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusPortalFrontend.serviceAccount | toYaml | nindent 6 }}
create: true
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
# Keycloak extensions: a proxy that fronts Keycloak's public paths, and a handler that mails
# new-device login notifications (see appConfig and smtp below).
nubusKeycloakExtensions:
enabled: true
keycloak:
auth:
username: "kcadmin"
proxy:
additionalAnnotations:
{{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
{{- with .Values.annotations.nubusKeycloakExtensions.proxyIngress }}
{{ . | toYaml | nindent 8 }}
{{- end }}
# Public Keycloak paths. /admin/ is only published when debug is enabled, which exposes the admin
# console through the ingress; keep debug off in production or restrict that path by source address.
paths:
{{- if .Values.debug.enabled }}
- pathType: "Prefix"
path: "/admin/"
{{- end }}
- pathType: "Prefix"
path: "/realms/"
- pathType: "Prefix"
path: "/js/"
- pathType: "Prefix"
path: "/resources/"
- pathType: "Prefix"
path: "/fingerprintjs"
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
{{- with .Values.annotations.nubusKeycloakExtensions.proxyPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
# NOTE(review): seccompProfile is set a second time here; if both sit at the same level this is a
# duplicate key (same value, so harmless today, but yamllint rejects it) — drop one copy.
seccompProfile:
type: "RuntimeDefault"
# NOTE(review): the proxy reuses the handler's seLinuxOptions value (umsKeycloakExtensionHandler);
# confirm this is intended rather than a copy-paste, a proxy-specific key may be missing from the values.
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
service:
annotations:
{{ .Values.annotations.nubusKeycloakExtensions.proxyService | toYaml | nindent 8 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusKeycloakExtensions.proxyServiceAccount | toYaml | nindent 8 }}
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port | quote }}
# NOTE(review): `| quote` turns the ssl flag into the string "true"/"false"; confirm the chart expects a string here.
ssl: {{ .Values.databases.keycloakExtension.ssl | quote }}
auth:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
# TODO: Pending secrets refactoring for this component chart
existingSecret:
name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
keyMapping:
password: "umcKeycloakExtensionsDatabasePassword"
smtp:
connection:
# In-cluster Postfix, addressed by its service DNS name in the Postfix namespace.
host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
port: 25
# NOTE(review): SMTP authentication is on while both TLS and STARTTLS are off, so the system account
# credentials travel in clear text on the pod network. Acceptable only if that network is trusted or
# encrypted by the CNI/mesh; otherwise enable STARTTLS towards Postfix.
ssl: false
starttls: false
auth:
enabled: true
# NOTE(review): rendered unquoted, unlike the password below; add `| quote` so an unusual domain value cannot change the YAML type.
username: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
# TODO: Pending secrets refactoring in the component chart
password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
existingSecret:
name: "ums-keycloak-extensions-smtp-opendesk-credentials"
keyMapping:
password: "umcKeycloakExtensionsSmtpPassword"
handler:
additionalAnnotations:
{{ .Values.annotations.nubusKeycloakExtensions.handlerAdditional | toYaml | nindent 6 }}
appConfig:
# Rendered as the quoted strings "True"/"False" rather than YAML booleans.
newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
{{- with .Values.annotations.nubusKeycloakExtensions.handlerPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
resources:
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
# NOTE(review): the handler's securityContext only sets seccomp and SELinux options; the capability drop,
# non-root and read-only-rootfs settings used by the proxy above are not repeated here — confirm the
# sub-chart supplies them, otherwise add them for parity.
securityContext:
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
service:
annotations:
{{ .Values.annotations.nubusKeycloakExtensions.handlerService | toYaml | nindent 8 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusKeycloakExtensions.handlerServiceAccount | toYaml | nindent 8 }}
# Portal consumer: authenticates against the provisioning API and writes to the portal object-storage bucket.
nubusPortalConsumer:
enabled: true
portalConsumer:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
repository: {{ .Values.images.nubusPortalConsumer.repository }}
tag: {{ .Values.images.nubusPortalConsumer.tag }}
assetsBaseUrl: {{ printf "https://%s.%s/univention/portal" .Values.global.hosts.nubus .Values.global.domain | quote }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
# NOTE(review): the object-storage secret key is rendered inline and existingSecret is disabled, so the
# key ends up in the Helm release record as well as in the pod configuration.
objectStorage:
auth:
accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
existingSecret: null
bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
# Always https; defaults to the platform's MinIO API host when no endpoint is configured.
endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
persistence:
groupMembershipCache:
size: {{ .Values.persistence.storages.nubusPortalConsumer.size | quote }}
storageClass: {{ coalesce .Values.persistence.storages.nubusPortalConsumer.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-portal-consumer"
{{- with .Values.annotations.nubusPortalConsumer.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
# Credentials for the provisioning API; the password is rendered inline.
provisioningApi:
auth:
username: "portal-consumer"
password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote }}
replicaCount: {{ .Values.replicas.umsPortalConsumer }}
resources:
{{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
initResources:
{{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
{{- if .Values.certificate.selfSigned }}
# Self-signed CA: the bundle is mounted read-only over the system and certifi locations, and the
# Python/requests CA environment variables are pointed at it.
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
readOnly: true
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
- name: "trusted-cert-secret-volume"
readOnly: true
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
subPath: "cacert.pem"
extraEnvVars:
- name: "REQUESTS_CA_BUNDLE"
value: "/etc/ssl/certs/ca-certificates.crt"
- name: "DEFAULT_CA_BUNDLE_PATH"
value: "/etc/ssl/certs/ca-certificates.crt"
- name: "SSL_CERT_FILE"
value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}
{{- if .Values.certificate.selfSigned }}
# NOTE(review): a second block under the same condition defines the volume and mounts the bundle again.
# With the indentation lost in this listing it is unclear whether the two extraVolumeMounts keys sit at
# different levels (e.g. portalConsumer vs. waitForDependency); if they are at the same level this is a
# duplicate key. This mount also lacks readOnly: true, unlike the ones above.
extraVolumes:
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
- key: "ca.crt"
path: "cacert.pem"
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
{{- end }}
# Portal server: serves the portal data from object storage and integrates central navigation and the newsfeed.
nubusPortalServer:
additionalAnnotations:
{{- with .Values.annotations.nubusPortalServer.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
repository: {{ .Values.images.nubusPortalServer.repository }}
tag: {{ .Values.images.nubusPortalServer.tag }}
ingress:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
nginx.ingress.kubernetes.io/use-regex: "true"
{{- with .Values.annotations.nubusPortalServer.ingress }}
{{ . | toYaml | nindent 8 }}
{{- end }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# Same object-storage credentials as the portal consumer, again rendered inline with existingSecret disabled.
objectStorage:
auth:
accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
existingSecret: null
bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
persistence:
annotations:
{{ .Values.annotations.nubusPortalServer.persistence | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-portal-server"
{{- with .Values.annotations.nubusPortalServer.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
portalServer:
# The central-navigation API key is a shared secret; every service that uses central navigation must hold the same value.
centralNavigation:
enabled: true
auth:
sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
featureToggles:
notifications_api: false
centered_layout: true
# Also enable the adjustments in helmfile/files/theme/portal/stylesheet.css when enabling left_sidebar.
left_sidebar: false
# The newsfeed needs both XWiki deployed and the portal newsfeed feature enabled.
newsfeed: {{ and .Values.apps.xwiki.enabled .Values.functional.portal.newsfeed.enabled }}
umc_session_refresh: true
welcome_message: {{ .Values.functional.portal.welcomeMessage.enabled }}
# NOTE(review): the feed and home URLs are rendered without `| quote`, unlike objectStorageEndpoint below.
# The `?` and `&` are safe inside a plain scalar, but quoting would be more robust against unusual host values.
newsfeed:
feedType: "xwiki"
feedUrl:
en_US: {{ printf "https://%s.%s/wiki/bin/get/Blog/BlogRss?xpage=plain&blog=openDesk.Newsfeed.WebHome" .Values.global.hosts.intercomService .Values.global.domain }}
de_DE: {{ printf "https://%s.%s/wiki/bin/get/Blog/BlogRss?xpage=plain&blog=openDesk.Newsfeed.WebHome" .Values.global.hosts.intercomService .Values.global.domain }}
homeUrl:
en_US: {{ printf "https://%s.%s/bin/view/openDesk/Newsfeed/" .Values.global.hosts.xwiki .Values.global.domain }}
de_DE: {{ printf "https://%s.%s/bin/view/openDesk/Newsfeed/" .Values.global.hosts.xwiki .Values.global.domain }}
icsSilentLoginUrl: {{ printf "https://%s.%s/silent" .Values.global.hosts.intercomService .Values.global.domain }}
objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
# Object-storage credentials for the server process are read from a pre-created Secret with these key names.
objectStorageCredentialSecret:
name: "ums-portal-server-minio-opendesk-credentials"
accessKeyKey: "access-key-id"
secretKeyKey: "secret-key-id"
replicaCount: {{ .Values.replicas.umsPortalServer }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.nubusPortalServer.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusPortalServer.serviceAccount | toYaml | nindent 6 }}
create: true
{{- if .Values.certificate.selfSigned }}
# Self-signed CA: ca.crt is exposed as both the system bundle and cacert.pem, and mounted read-only over
# the certifi and botocore bundles so the Python HTTP and S3 clients trust the local CA.
extraVolumes:
- name: "trusted-cert-crt-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
- key: "ca.crt"
path: "cacert.pem"
extraVolumeMounts:
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
subPath: "cacert.pem"
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
subPath: "cacert.pem"
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
subPath: "cacert.pem"
{{- end }}
# UDM REST API (directory object management). External exposure is opt-in via functional.externalServices.
nubusUdmRestApi:
additionalAnnotations:
intents.otterize.com/service-name: "ums-udm-rest-api"
{{- with .Values.annotations.nubusUdmRestApi.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
ingress:
# Only published through the ingress when explicitly enabled; this API manages directory objects, so keep it off unless an external consumer needs it.
enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
annotations:
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "128k"
# NOTE(review): the "-disabled" suffix presumably makes this annotation inert, with the rewrite done by
# rewrite-target below instead (configuration snippets are disabled by default on recent ingress-nginx
# releases). Remove the leftover, or add a comment saying why it is kept.
nginx.ingress.kubernetes.io/configuration-snippet-disabled: |
rewrite ^/univention(/udm/.*)$ $1 break;
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
{{- with .Values.annotations.nubusUdmRestApi.ingress }}
{{ . | toYaml | nindent 6 }}
{{- end }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
initResources:
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
blocklistCleanup:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusBlocklistCleanup.registry | quote }}
repository: {{ .Values.images.nubusBlocklistCleanup.repository }}
tag: {{ .Values.images.nubusBlocklistCleanup.tag }}
# Job that updates the univentionObjectIdentifier attribute in LDAP; enabled and not suspended.
ldapUpdateUniventionObjectIdentifier:
enabled: true
suspend: false
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapUpdateUniventionObjectIdentifier.registry | quote }}
repository: {{ .Values.images.nubusLdapUpdateUniventionObjectIdentifier.repository }}
tag: {{ .Values.images.nubusLdapUpdateUniventionObjectIdentifier.tag }}
persistence:
annotations:
{{ .Values.annotations.nubusUdmRestApi.persistence | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-udm-rest-api"
{{- with .Values.annotations.nubusUdmRestApi.pod }}
{{ . | toYaml | nindent 4 }}
{{- end}}
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.nubusUdmRestApi.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
# Its consumer is not defined in this file; presumably read by a policy or compliance tool — confirm.
intended.usage: "compliance"
{{- with .Values.annotations.nubusUdmRestApi.serviceAccount }}
{{ . | toYaml | nindent 6 }}
{{- end }}
udmRestApi:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
repository: {{ .Values.images.nubusUdmRestApi.repository }}
tag: {{ .Values.images.nubusUdmRestApi.tag }}
# LDAP notifier.
nubusLdapNotifier:
additionalAnnotations:
{{ .Values.annotations.nubusLdapNotifier.additional | toYaml | nindent 4 }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
# Runs as uid 101 / gid 102 rather than the 1000/1000 used by the other components; presumably the image's own user — confirm.
runAsUser: 101
runAsGroup: 102
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
repository: {{ .Values.images.nubusLdapNotifier.repository }}
tag: {{ .Values.images.nubusLdapNotifier.tag }}
podAnnotations:
intents.otterize.com/service-name: "ums-ldap-notifier"
{{- with .Values.annotations.nubusLdapNotifier.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsLdapNotifier }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.nubusLdapNotifier.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusLdapNotifier.serviceAccount | toYaml | nindent 6 }}
# LDAP server in primary/secondary/proxy roles, with a DH-parameter init container and a leader elector.
nubusLdapServer:
# NOTE(review): additionalAnnotations is defined twice with the same value; parsers either reject the
# duplicate key or silently keep the last one. Delete one copy.
additionalAnnotations:
{{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }}
additionalAnnotations:
{{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }}
dhInitcontainer:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
# NOTE(review): the init container gets the full umsLdapServer resources rather than a dedicated init value; confirm that is intended.
initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
ldapServer:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
repository: {{ .Values.images.nubusLdapServer.repository }}
tag: {{ .Values.images.nubusLdapServer.tag }}
# Directory admin credential, rendered inline from the secrets values.
auth:
password: {{ .Values.secrets.nubus.ldapSecret | quote }}
leaderElector:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }}
repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }}
tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }}
persistence:
size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }}
storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-ldap-server"
{{- with .Values.annotations.nubusLdapServer.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
# All three roles share one resources value.
resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
resourcesPrimary: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
resourcesSecondary: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.nubusLdapServer.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusLdapServer.serviceAccount | toYaml | nindent 6 }}
create: true
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
# Provisioning stack: the events/consumer API, the dispatcher, the NATS
# message bus, the prefill worker, the UDM transformer and the
# register-consumers job. Every NATS client has its own credential taken
# from the secrets values.
nubusProvisioning:
enabled: true
additionalAnnotations:
{{ .Values.annotations.nubusProvisioning.additional | toYaml | nindent 4 }}
# Events and consumer API. The admin, prefill and eventsUdm passwords are
# presumably the accounts the other provisioning components log in with.
api:
additionalAnnotations:
{{- with .Values.annotations.nubusProvisioning.apiAdditional }}
{{ . | toYaml | nindent 6 }}
{{- end }}
auth:
admin:
password: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote }}
prefill:
password: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
eventsUdm:
password: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-api"
{{- with .Values.annotations.nubusProvisioning.apiPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
# Hardened container defaults used by most components in this file: no
# privilege escalation, all capabilities dropped, non-root UID/GID 1000,
# read-only root filesystem and the RuntimeDefault seccomp profile.
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
dispatcher:
additionalAnnotations:
{{- with .Values.annotations.nubusProvisioning.dispatcherAdditional }}
{{ . | toYaml | nindent 6 }}
{{- end }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-dispatcher"
{{- with .Values.annotations.nubusProvisioning.dispatcherPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
# NATS message bus. Its images come from Docker Hub (or the global registry
# override) rather than the opencode.de registry used by the other components.
nats:
additionalAnnotations:
{{- with .Values.annotations.nubusProvisioning.natsAdditional }}
{{ . | toYaml | nindent 6 }}
{{- end }}
config:
cluster:
replicas: {{ .Values.replicas.umsProvisioningNats }}
createUsers:
adminUser:
auth:
password: {{ .Values.secrets.nats.natsAdminPassword | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
nats:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
repository: {{ .Values.images.nubusNats.repository }}
tag: {{ .Values.images.nubusNats.tag }}
# nats-box utility container: switched on by its own setting or whenever the
# global debug flag is enabled.
natsBox:
enabled: {{ or .Values.technical.nubus.provisioning.nats.natsBox.enabled .Values.debug.enabled }}
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
repository: {{ .Values.images.nubusNatsBox.repository }}
tag: {{ .Values.images.nubusNatsBox.tag }}
persistence:
# NOTE(review): unlike the other persistence sizes in this file this value is
# rendered without `quote`; a plain Kubernetes quantity such as 10Gi is a safe
# scalar, so this is a consistency nit rather than a correctness issue.
size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
# storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
reloader:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
repository: {{ .Values.images.nubusNatsReloader.repository }}
tag: {{ .Values.images.nubusNatsReloader.tag }}
# NOTE: The subchart does not yet fully support
# "global.imagePullPolicy". This can be removed once the subchart has
# been adjusted.
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
serviceAccount:
create: true
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-nats"
{{- with .Values.annotations.nubusProvisioning.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
prefill:
additionalAnnotations:
{{- with .Values.annotations.nubusProvisioning.prefillAdditional }}
{{ . | toYaml | nindent 6 }}
{{- end }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-prefill"
{{- with .Values.annotations.nubusProvisioning.prefillPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
udmTransformer:
additionalAnnotations:
{{- with .Values.annotations.nubusProvisioning.udmTransformerAdditional }}
{{ . | toYaml | nindent 6 }}
{{- end }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
{{- with .Values.annotations.nubusProvisioning.udmTransformerPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
resources:
{{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
replicaCount:
dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
prefill: {{ .Values.replicas.umsProvisioningPrefill }}
api: {{ .Values.replicas.umsProvisioningApi }}
# Job that registers the provisioning consumers. It runs on the
# wait-for-dependency image rather than a dedicated one, which is presumably
# intended but worth confirming.
registerConsumers:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
{{- with .Values.annotations.nubusProvisioning.registerConsumersAdditional }}
{{ . | toYaml | nindent 6 }}
{{- end }}
{{- if .Values.apps.oxAppSuite.enabled }}
# The OX connector registration document is read from the
# ums-provisioning-ox-credentials secret defined in extraSecrets later in
# this file; the consumer is only registered when the OX App Suite is enabled.
createUsers:
oxConsumer:
existingSecret:
name: ums-provisioning-ox-credentials
keyMapping:
registration: "ox-connector.json"
{{- end }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
{{- with .Values.annotations.nubusProvisioning.registerConsumersPod }}
{{ . | toYaml | nindent 6 }}
{{- end }}
resources:
registerConsumers:
{{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
service:
annotations:
{{ .Values.annotations.nubusProvisioning.service | toYaml | nindent 6 }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusProvisioning.serviceAccount | toYaml | nindent 6 }}
create: true
# UDM listener: consumes directory changes and publishes them to the
# provisioning NATS bus with its own NATS credential.
nubusUdmListener:
enabled: true
# Same hardening as the other components, but with a different non-root
# UID/GID (102/65534 instead of 1000/1000) -- presumably what this image
# expects; confirm against the image if it is ever changed.
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 102
runAsGroup: 65534
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
persistence:
size: {{ .Values.persistence.storages.nubusUdmListener.size | quote }}
# storageClass: -- coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote --
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-udm-listener"
{{- with .Values.annotations.nubusUdmListener.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsUdmListener }}
resources:
{{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.udmListenerNatsPassword | quote}}
serviceAccount:
annotations:
{{ .Values.annotations.nubusUdmListener.serviceAccount | toYaml | nindent 6 }}
# Self-service consumer: subscribes to the provisioning API with its own
# credential. Note that its pod is registered with the Otterize service name
# "ums-selfservice-listener", not the component name.
nubusSelfServiceConsumer:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
# Init containers and the main container share one resource profile.
initResources:
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-selfservice-listener"
{{- with .Values.annotations.nubusSelfserviceConsumer.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
provisioningApi:
auth:
password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
resources:
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusSelfserviceConsumer.serviceAccount | toYaml | nindent 6 }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
# Nubus services
# Data loader for the UMS stack, run as an ArgoCD sync hook that is recreated
# on every sync. The stackDataContext and templateContext maps below are the
# values rendered into the openDesk customization templates (portal tiles,
# groups, system accounts, application links).
nubusStackDataUms:
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
argocd.argoproj.io/hook: "Sync"
argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
{{- with .Values.annotations.nubusStackDataUms.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
repository: {{ .Values.images.nubusDataLoader.repository }}
tag: {{ .Values.images.nubusDataLoader.tag }}
# TODO: Are these used for anything?
# Object storage endpoint: an explicit endpoint from the objectstores values,
# otherwise the MinIO API host under the platform domain, always over https.
nubusPortalConsumer:
objectStorage:
bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
nubusPortalServer:
objectStorage:
bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
initResources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
# In openDesk the external memcached does not expect a username to be set;
# overriding the default username `selfservice` is part of the customizing:
nubusUmcServer:
memcached:
auth:
username: ""
connection:
host: {{ .Values.cache.umsSelfservice.host | quote }}
postgresql:
auth:
database: {{ .Values.databases.umsSelfservice.name | quote }}
username: {{ .Values.databases.umsSelfservice.username | quote }}
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
{{- with .Values.annotations.nubusStackDataUms.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
stackDataContext:
# Mail domain falls back to the platform domain when none is configured.
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
# NOTE: The sub-chart is not yet properly respecting the configuration of
# "global.subDomains.portal". This value should be removed once this is
# supported in the sub-chart.
ldapSamlSpUrls: {{ printf "https://%s.%s/univention/saml/metadata" .Values.global.hosts.nubus .Values.global.domain | quote }}
portalFqdn: {{ printf "%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
# In-cluster Postfix service: the postfix namespace (defaulting to the release
# namespace) and the cluster DNS domain; plain SMTP on port 25 without
# STARTTLS, so this traffic stays inside the cluster network.
smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
smtpPort: 25
smtpUser: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
smtpStartTls: false
# NOTE(review): the base DN is rendered unquoted here while the other uses in
# this file embed it in quoted strings; a DN is a safe plain scalar, so this
# is a consistency nit only.
ldapBase: {{ .Values.ldap.baseDn }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusStackDataUms.serviceAccount | toYaml | nindent 6 }}
templateContext:
# Initial password of the Administrator account, taken from the secrets values.
initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
additionalMailDomains: {{ .Values.global.additionalMailDomains | toYaml | nindent 6 }}
# The complete apps map is handed to the templates, presumably so they can
# test which applications are enabled.
apps: {{ .Values.apps | toYaml | nindent 6 }}
defaultGroupOtherObjects: "cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}"
# NOTE(review): rendered unquoted, so an unset OPENDESK_ENTERPRISE yields an
# empty value (YAML null) rather than false. The release label in
# systemInformation below treats only the exact string "true" as enterprise.
opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
opendeskAdminAttributes: true
opendeskGroupAttributes: true
opendeskUserAttributes: true
# Default document extensions follow the configured web-office format:
# OOXML (docx/xlsx/pptx) or OpenDocument (odt/ods/odp).
{{- if eq .Values.functional.weboffice.defaultFormat "OOXML"}}
portalDirectDocsExtensionText: "docx"
portalDirectDocsExtensionSheet: "xlsx"
portalDirectDocsExtensionPresentation: "pptx"
{{- else }}
portalDirectDocsExtensionText: "odt"
portalDirectDocsExtensionSheet: "ods"
portalDirectDocsExtensionPresentation: "odp"
{{- end }}
portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
# Base64-encoded header SVG and the portal tile definitions from the theme.
portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
# Application entry points, each built from the per-app host and the platform
# domain.
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice | quote }}
portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement | quote }}
portalLinkDocumentation: {{ .Values.functional.portal.linkDocumentation | quote }}
portalLinkSupport: {{ .Values.functional.portal.linkSupport | quote }}
portalLinkFeedback: {{ .Values.functional.portal.linkFeedback | quote }}
oxDefaultContext: "1"
oxDefaultLanguage: {{ .Values.functional.internationalization.defaultLanguage | quote }}
oxContextHidden: true
# NOTE(review): unlike the other password values in this file this one is not
# passed through `quote`. A generated password that starts with a YAML
# indicator (such as `*`, `&` or `[`), contains `: ` or ` #`, or consists of
# digits only would break or re-type the rendered YAML; `| quote` as on the
# other passwords avoids that.
oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox }}
portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
# One search account per key of secrets.nubus.ldapSearch, named
# ldapsearch_<key>. The "ox" and "keycloak" entries of that map are also
# referenced individually elsewhere in this file.
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
ldapSystemUsers: []
# Group DNs that control which portal tiles a user sees.
portaltileGroupUserStandard:
- "cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupUserAdmin:
- "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}"
- "cn=Support,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupUserAll:
- "cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}"
- "cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupGroupware:
- "cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupFileshare:
- "cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupManagementProject:
- "cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupManagementKnowledge:
- "cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupManagementLearn:
- "cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupLiveCollaboration:
- "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupVideoconference:
- "cn=managed-by-attribute-Videoconference,cn=groups,{{ .Values.ldap.baseDn }}"
portaltileGroupNotes:
- "cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}"
# Release label shown in the admin portal; it gets an "-ee" suffix only when
# OPENDESK_ENTERPRISE is exactly the string "true". The deployment timestamp
# embeds the render time, so every render changes it while it is enabled.
systemInformation:
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if eq (env "OPENDESK_ENTERPRISE") "true" }}-ee{{ end }}"
{{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
{{- else }}
deployDate: false
{{- end }}
# Executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization.
# Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
udmCustomInitializer: []
# Executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization.
# Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
udmCustomFinalizer: []
# UMC server: the management-console backend with its proxy image, the
# self-service and auth-session PostgreSQL connections, the unauthenticated
# memcached and the password-reset mail.
nubusUmcServer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-umc-server"
{{- with .Values.annotations.nubusUmcServer.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
# Main and init containers: hardened defaults, non-root UID/GID 999.
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
runAsUser: 999
runAsGroup: 999
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
containerSecurityContextInit:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
runAsUser: 999
runAsGroup: 999
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
# NOTE(review): this is the only security context in this file that allows
# privilege escalation and adds capabilities (SETUID, SETGID, DAC_OVERRIDE,
# CHOWN, SYS_CHROOT and others) on top of the non-root UID. The reason is not
# recorded here -- presumably the sssd container needs them -- so the minimal
# required set should be confirmed and documented, since it is the broadest
# grant in this deployment.
containerSecurityContextSssd:
enabled: true
allowPrivilegeEscalation: true
capabilities:
drop:
- "ALL"
add:
- "DAC_OVERRIDE"
- "SETGID"
- "AUDIT_WRITE"
- "SETUID"
- "CHOWN"
- "SETPCAP"
- "FOWNER"
- "FSETID"
- "KILL"
- "MKNOD"
- "NET_BIND_SERVICE"
- "SYS_CHROOT"
runAsUser: 999
runAsGroup: 999
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
repository: {{ .Values.images.nubusUmcServer.repository }}
tag: {{ .Values.images.nubusUmcServer.tag }}
# Regex-based path rewrite plus a configuration snippet that sets the
# X-UMC-HTTPS header. NOTE(review): snippet annotations are only honoured
# when the ingress-nginx controller has allow-snippet-annotations enabled
# (newer controller releases default to off), so confirm the controller
# configuration on the target cluster. TLS uses the shared ingress secret
# rather than a cert-manager issued certificate.
ingress:
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-UMC-HTTPS 'on';
{{- with .Values.annotations.nubusUmcServer.ingress }}
{{ . | toYaml | nindent 6 }}
{{- end }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# External memcached (the bundled one is disabled); see the note on the
# password below.
memcached:
bundled: false
server: {{ .Values.cache.umsSelfservice.host | quote }}
auth:
# The memcached connection is not authenticated in openDesk, but the umc-server
# pod needs a secret it can mount, hence the stub value.
password: "stub-value"
existingSecret: null
podAnnotations:
intents.otterize.com/service-name: "ums-umc-server"
{{- with .Values.annotations.nubusUmcServer.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
# Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
# Start pods in parallel once more than four replicas are configured,
# otherwise one after another.
podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}"
# Database connections. The password is the explicit per-database value if
# set, otherwise the generated PostgreSQL user password.
postgresql:
selfservice:
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
# NOTE: Nubus still has an existing secret configured for legacy reasons.
# Setting its name to null disables it and ensures that the value from above
# is used.
existingSecret:
name: null
authSession:
connection:
host: {{ .Values.databases.umsAuthSession.host | quote }}
port: {{ .Values.databases.umsAuthSession.port | quote }}
auth:
username: {{ .Values.databases.umsAuthSession.username | quote }}
database: {{ .Values.databases.umsAuthSession.name | quote }}
password: {{ .Values.databases.umsAuthSession.password | default .Values.secrets.postgresql.umsAuthSessionUser | quote }}
# NOTE: Nubus still has an existing secret configured for legacy reasons.
# Setting its name to null disables it and ensures that the value from above
# is used.
existingSecret:
name: null
# Proxy image comes from Docker Hub (or the global registry override). Of the
# two replicaCount keys that follow, the first presumably belongs to the proxy
# and the second to the server itself -- they must not end up as siblings, or
# the second would silently win.
proxy:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
repository: {{ .Values.images.nubusUmcServerProxy.repository }}
tag: {{ .Values.images.nubusUmcServerProxy.tag }}
replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
replicaCount: {{ .Values.replicas.umsUmcServer }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
selfService:
# German password-reset mail. The single-brace placeholders (domainname,
# username, fqdn, token) are not Go-template syntax and are presumably filled
# in by the self-service at send time; the block scalar keeps the line breaks.
passwordresetEmailBody: |
Sehr geehrte Benutzerin, sehr geehrter Benutzer,
Ihr Benutzername für {domainname} lautet: {username}
Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
Mit freundlichen Grüßen
Ihr {domainname} Passwort-Service
serviceAccount:
annotations:
{{ .Values.annotations.nubusUmcServer.serviceAccount | toYaml | nindent 6 }}
# SMTP credential of the opendesk-system mailbox; the same value is used for
# the Keycloak extensions SMTP secret in extraSecrets.
smtp:
auth:
password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
# UMC gateway in front of the UMC server; its ingress uses the same regex
# rewrite as the server's but no configuration snippet.
nubusUmcGateway:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
repository: {{ .Values.images.nubusUmcGateway.repository }}
tag: {{ .Values.images.nubusUmcGateway.tag }}
# TLS uses the shared ingress secret rather than a cert-manager issued
# certificate.
ingress:
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
{{- with .Values.annotations.nubusUmcGateway.ingress }}
{{ . | toYaml | nindent 4 }}
{{- end }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# Init containers and the main container share one resource profile.
initResources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-umc-gateway"
{{- with .Values.annotations.nubusUmcGateway.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
replicaCount: {{ .Values.replicas.umsUmcGateway }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusUmcGateway.serviceAccount | toYaml | nindent 6 }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
# Keycloak bootstrap job (ArgoCD sync hook, recreated on every sync): adds
# the openDesk LDAP attribute mappers, enables two-factor authentication and
# configures the UMC server OIDC client.
nubusKeycloakBootstrap:
additionalAnnotations:
argocd.argoproj.io/hook: "Sync"
argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
{{- with .Values.annotations.nubusKeycloakBootstrapNubus.additional }}
{{ . | toYaml | nindent 4 }}
{{- end }}
bootstrap:
# Additional LDAP attribute mappers for the openDesk schema extensions.
ldapMappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
twoFactorAuthentication:
enabled: true
# Debug output of the bootstrap follows the global debug flag.
config:
debug:
enabled: {{ .Values.debug.enabled }}
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
# Keycloak admin user name; its password is not set in this stanza and is
# presumably supplied by an existing secret configured elsewhere.
keycloak:
auth:
username: "kcadmin"
# Bind as the ldapsearch_keycloak account that the stack-data job creates
# from secrets.nubus.ldapSearch; its password lives in the
# ums-keycloak-bootstrap-ldap-opendesk-credentials secret defined in
# extraSecrets.
ldap:
auth:
bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
existingSecret:
name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
# OIDC client secret of the UMC server, shared with the portal client secret
# in the Keycloak secrets values.
oidc:
rp:
umcServer:
password: {{ .Values.secrets.keycloak.clientSecret.portal | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
{{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
# NOTE: The subchart does not yet fully support
# "global.imagePullPolicy". This can be removed once the subchart has
# been adjusted.
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
serviceAccount:
annotations:
{{ .Values.annotations.nubusKeycloakBootstrapNubus.serviceAccount | toYaml | nindent 6 }}
# Credential secrets for accessing customer-supplied services
extraSecrets:
# Client secret of the Guardian management API (Keycloak client secret
# "guardian" from the secrets values).
- name: "ums-opendesk-guardian-client-secret"
stringData:
managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
# Database passwords: an explicit per-database password wins, otherwise the
# generated PostgreSQL user password is used.
- name: "ums-keycloak-postgresql-opendesk-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- name: "ums-guardian-postgresql-opendesk-credentials"
stringData:
guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
- name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
stringData:
umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
# Same opendesk-system mailbox password as nubusUmcServer.smtp.auth.
- name: "ums-keycloak-extensions-smtp-opendesk-credentials"
stringData:
umcKeycloakExtensionsSmtpPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
# Consumed by nubusKeycloakBootstrap.ldap.auth.existingSecret above.
- name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
stringData:
password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
# Registration document for the OX connector, consumed by
# nubusProvisioning.registerConsumers when the OX App Suite is enabled.
- name: "ums-provisioning-ox-credentials"
stringData:
# NOTE(review): the password is spliced into a hand-written JSON document
# inside a double-quoted YAML scalar without any escaping; a value containing
# a double quote or a backslash would corrupt both the YAML and the JSON.
# Building the document with dict/list and toJson, then passing the result
# through quote, would escape it correctly.
ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"