sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ac712f4063a887a8b24f721cf681dce79f3ec54a
opendesk/helmfile/apps/notes/values.yaml.gotmpl
Sven-Erik Schmidt 7aa717c050 fix(helmfile): Streamline annotations
2025-11-12 11:28:49 +01:00

284 lines
11 KiB
Go Template
Raw Blame History

# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
global:
collaborationServerSecret:
value: {{ .Values.secrets.notes.collaborationSecret | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
yProviderApiKey:
value: {{ .Values.secrets.notes.collaborationSecret | quote }}
backend:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry | quote }}
repository: {{ .Values.images.notesBackend.repository | quote }}
pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesBackend.tag | quote }}
ingress:
annotations:
"nginx.ingress.kubernetes.io/proxy-body-size": "{{ .Values.ingress.parameters.bodySize.notes }}"
"nginx.ingress.kubernetes.io/proxy-read-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
"nginx.ingress.kubernetes.io/proxy-send-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
{{- if .Values.annotations.notesBackend.ingress }}
{{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
{{- end }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
ingressAdmin:
enabled: false
annotations:
{{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
replicaCount: {{ .Values.replicas.notesBackend }}
configuration:
ai:
apiKey:
value: {{ .Values.ai.apiKey }}
baseUrl: {{ .Values.ai.endpoint }}
model: {{ .Values.ai.model | quote }}
aws:
endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
s3AccessKeyId:
value: {{ .Values.objectstores.notes.username }}
s3SecretAccessKey:
value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
storageBucketName: {{ .Values.objectstores.notes.bucket }}
collaboration:
apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
wsUrl: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
database:
host: {{ .Values.databases.notes.host | quote }}
name: {{ .Values.databases.notes.name | quote }}
password:
value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
port: {{ .Values.databases.notes.port | quote }}
user:
value: {{ .Values.databases.notes.username | quote }}
email:
brandName: "openDesk"
from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
host: "postfix"
port: "25"
logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
user:
value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
password:
value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
oidc:
enabled: true
rpClientId:
value: "opendesk-notes"
rpClientSecret:
value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
opUserEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
rpScopes: "openid opendesk-notes-scope"
loginRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
loginRedirectUrlFailure: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
logoutRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
redirectAllowedHosts: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
essentialClaims: "email"
fullnameFields: "given_name,family_name"
shortnameField: "given_name"
django:
secretKey:
value: {{ .Values.secrets.notes.djangoSecretKey }}
createSuperuser: true
superuserEmail:
value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
superuserPassword:
value: {{ .Values.secrets.notes.superuser }}
frontendTheme: "openDesk"
redisUrl:
value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
extraEnvVars:
- name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
value: "False"
- name: "FRONTEND_FOOTER_FEATURE_ENABLED"
value: "False"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "impress-backend"
{{- with .Values.annotations.notesBackend.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
podAnnotationsCreateUser:
intents.otterize.com/service-name: "impress-create-user"
{{- with .Values.annotations.notesBackend.createUserJob }}
{{ . | toYaml | nindent 4 }}
{{- end }}
podAnnotationsMigrate:
intents.otterize.com/service-name: "impress-migrate"
{{- with .Values.annotations.notesBackend.migrateJob }}
{{ . | toYaml | nindent 4 }}
{{- end }}
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
resources:
{{ .Values.resources.notesBackend | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
extraVolumes:
- name: "customization-volume"
configMap:
name: "impress-customization"
{{- if .Values.certificate.selfSigned }}
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
{{- end }}
extraVolumeMounts:
- name: "customization-volume"
mountPath: "/app/impress/configuration/theme/default.json"
subPath: "theme.json"
{{- if .Values.certificate.selfSigned }}
- name: "trusted-cert-secret-volume"
mountPath: "/usr/local/lib/python3.13/site-packages/certifi/cacert.pem"
subPath: "ca-certificates.crt"
{{- end }}
frontend:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry | quote }}
repository: {{ .Values.images.notesFrontend.repository | quote }}
pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesFrontend.tag | quote }}
ingress:
enabled: true
annotations:
{{ .Values.annotations.notesFrontend.ingress | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
ingressMedia:
enabled: true
annotations:
{{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
configuration:
objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
resources:
{{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "impress-frontend"
{{- with .Values.annotations.notesFrontend.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
service:
annotations:
{{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
serviceMedia:
annotations:
{{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
extraVolumes:
- name: "customization-volume"
configMap:
name: "impress-customization"
extraVolumeMounts:
- name: "customization-volume"
mountPath: "/usr/share/nginx/html/runtime-env.js"
subPath: "runtime-env.js"
y-provider:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry | quote }}
repository: {{ .Values.images.notesYProvider.repository | quote }}
pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesYProvider.tag }}
replicaCount: 1
debug: true
{{- if .Values.certificate.selfSigned }}
extraEnvVars:
- name: "NODE_EXTRA_CA_CERTS"
value: "/etc/ssl/certs/cacert.pem"
extraVolumes:
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
mountPath: "/etc/ssl/certs/cacert.pem"
subPath: "ca-certificates.crt"
{{- end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
ingressCollaborationApi:
annotations:
{{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
ingressCollaborationWs:
annotations:
{{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
podAnnotations:
intents.otterize.com/service-name: "impress-y-provider"
{{- with .Values.annotations.notesYProvider.pod }}
{{ . | toYaml | nindent 4 }}
{{- end }}
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "Always"
service:
annotations:
{{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
...
Reference in New Issue View Git Blame Copy Permalink