opendesk/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---

api:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  config:
    rootPath: "/univention/provisioning-api"
  resources:
    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
  credentialSecretName: "ums-provisioning-api-credentials"

dispatcher:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  resources:
    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
  config:
    UDM_HOST: "ums-udm-rest-api"
    UDM_PORT: 80
  credentialSecretName: "ums-provisioning-dispatcher-credentials"
  
prefill:
  image: 
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  resources:
    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
  config:
    UDM_HOST: "ums-udm-rest-api"
    UDM_PORT: 80
  credentialSecretName: "ums-provisioning-prefill-credentials"

nats:
  affinity: ""
  nameOverride: ""
  bundled: true
  connection:
    host: "ums-provisioning-nats"
    port: 4222
  config:
    authorization:
      enabled: true
      users:
        - user: "$NATS_USER"
          password: "$NATS_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_API_USER"
          password: "$NATS_API_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_DISPATCHER_USER"
          password: "$NATS_DISPATCHER_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_PREFILL_USER"
          password: "$NATS_PREFILL_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_UDMLISTENER_USER"
          password: "$NATS_UDMLISTENER_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_ADMIN_USER"
          password: "$NATS_ADMIN_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
  resources:
    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}

  extraEnvVars:
    - name: NATS_USER
      value: "master_admin"
    - name: NATS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-nats-credentials
          key: admin_password
    - name: NATS_ADMIN_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: ADMIN_NATS_USER
    - name: NATS_ADMIN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: ADMIN_NATS_PASSWORD
    - name: NATS_API_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: NATS_USER
    - name: NATS_API_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: NATS_PASSWORD
    - name: NATS_DISPATCHER_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-dispatcher-credentials
          key: NATS_USER
    - name: NATS_DISPATCHER_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-dispatcher-credentials
          key: NATS_PASSWORD
    - name: NATS_PREFILL_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-prefill-credentials
          key: NATS_USER
    - name: NATS_PREFILL_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-prefill-credentials
          key: NATS_PASSWORD
    - name: NATS_UDMLISTENER_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-udmlistener-credentials
          key: NATS_USER
    - name: NATS_UDMLISTENER_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-udmlistener-credentials
          key: NATS_PASSWORD

extraSecrets:
  - name: ums-provisioning-nats-credentials
    stringData:
      admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
  - name: ums-provisioning-api-credentials
    stringData:
      NATS_USER: "api"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
      ADMIN_NATS_USER: "admin"
      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
      UDM_HOST: "udm-rest-api"
      ADMIN_USERNAME: "admin"
      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
      DISPATCHER_USERNAME: "dispatcher"
      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
      PREFILL_USERNAME: "prefill"
      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
      EVENTS_USERNAME_UDM: "udmproducer"
      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
  - name: ums-provisioning-dispatcher-credentials
    stringData:
      NATS_USER: "dispatcher"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
      DISPATCHER_USERNAME: "dispatcher"
      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
  - name: ums-provisioning-prefill-credentials
    stringData:
      NATS_USER: "prefill"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
      UDM_USERNAME: "cn=admin"
      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
      PREFILL_USERNAME: "prefill"
      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
  - name: ums-provisioning-udmlistener-credentials
    stringData:
      NATS_USER: "udmlistener"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true

podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
  sysctls:
    - name: "net.ipv4.ip_unprivileged_port_start"
      value: "1"



...