sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b32996da347c7ec24fb53afe72fee8c07631bebe
opendesk/helmfile/apps/nubus/values-nubus.yaml.gotmpl

1429 lines
58 KiB
Go Template
Raw Blame History

{{/*
SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
domain: {{ .Values.global.domain | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
keycloak:
realm: {{ .Values.platform.realm | quote }}
ldap:
baseDn: {{ .Values.ldap.baseDn | quote }}
domainName: {{ .Values.global.domain | quote }}
auth:
cnAdmin:
password: {{ .Values.secrets.nubus.ldapSecret | quote }}
nubusDeployment: true
nubusMasterPassword: {{ .Values.secrets.nubus.masterpassword | quote }}
objectStorage:
bucket: {{ .Values.objectstores.nubus.bucket | quote }}
connection:
host: "minio"
port: "9000"
protocol: "http"
subDomains:
portal: {{ .Values.global.hosts.nubus | quote }}
keycloak: {{ .Values.global.hosts.keycloak | quote }}
# -- Extensions to load. Add entries to load additional extensions into Nubus.
extensions:
- name: "ox"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
repository: {{ .Values.images.nubusOxExtension.repository }}
tag: {{ .Values.images.nubusOxExtension.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- name: "opendesk"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
repository: {{ .Values.images.nubusOpendeskExtension.repository }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.nubusOpendeskExtension.tag }}
- name: "opendesk-a2g-mapper"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}
# -- Allows to configure the system extensions to load. This is intended for
# internal usage, prefer to use `global.extensions` for user configured
# extensions.
systemExtensions:
- name: "portal"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }}
repository: {{ .Values.images.nubusPortalExtension.repository }}
tag: {{ .Values.images.nubusPortalExtension.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
configUcr:
directory:
manager:
rest:
authorized-groups:
domain-admins: __DELETE_KEY__
iam-api-full-access: "cn=IAM API - Full Access,cn=groups,{{ .Values.ldap.baseDn }}"
web:
modules:
users:
user:
add:
default: "cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}"
properties:
description:
syntax: "TextArea"
firstname:
required: "true"
mailPrimaryAddress:
required: "true"
username:
syntax: "uid"
search:
autosearch: "True"
wizard:
property:
invite:
default: "True"
overridePWLength:
default: "False"
visible: "False"
pwdChangeNextLogin:
default: "True"
visible: "False"
wizard:
disabled: "No"
ucs:
web:
theme: "light"
umc:
cookie-banner:
show: "false"
login:
password-complexity-message:
de: "Das Passwort muss mindestens 8 Zeichen lang sein und darf keine Zahlenabfolge oder ganze Worte enthalten, wie '1234Test'."
en: "Password must be at least 8 characters long and cannot include a number series or regular words, like '1234Test'."
module:
udm:
oxmail:
oxcontext:
disabled: "True"
portals:
all:
disabled: "True"
self-service:
account-registration:
usertemplate: __DELETE_KEY__
passwordreset:
token_validity_period: 172800
blacklist:
groups: __DELETE_KEY__
ingress:
# temporary fix
{{- if not .Values.apps.minio.enabled }}
enabled: false
{{- end }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
# Nubus bundled services
postgresql:
enabled: false
provisioning:
enabled: false
minio:
enabled: false
# Nubus services which use customer supplied services
keycloak:
enabled: true
config:
exposeAdminConsole: {{ .Values.debug.enabled }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
repository: {{ .Values.images.nubusKeycloak.repository }}
tag: {{ .Values.images.nubusKeycloak.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
enabled: false
keycloak:
auth:
username: "kcadmin"
existingSecret:
name: "ums-opendesk-keycloak-credentials"
keyMapping:
adminPassword: "admin_password"
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak"
postgresql:
connection:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port | quote }}
auth:
username: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
existingSecret:
name: "ums-keycloak-postgresql-opendesk-credentials"
keyMapping:
password: keycloakDatabasePassword
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
{{- if .Values.certificate.selfSigned }}
extraVolumes:
- name: "trusted-cert-crt-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
- name: "trusted-cert-jks-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "truststore.jks"
path: "truststore.jks"
extraVolumeMounts:
- name: "trusted-cert-crt-secret-volume"
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
- name: "trusted-cert-jks-secret-volume"
mountPath: "/etc/ssl/certs/truststore.jks"
subPath: "truststore.jks"
extraEnvVars:
- name: "KC_HTTPS_TRUST_STORE_FILE"
value: "/etc/ssl/certs/truststore.jks"
- name: "KC_HTTPS_TRUST_STORE_PASSWORD"
value: {{ .Values.secrets.certificates.password | quote }}
- name: "KC_HTTPS_TRUST_STORE_TYPE"
value: "jks"
{{- end }}
nubusGuardian:
authorizationApi:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-authorization-api"
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
managementApi:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-api"
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
managementUi:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-ui"
replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
openPolicyAgent:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "Always"
podAnnotations:
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
{{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
postgresql:
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
credentialSecret:
name: "ums-guardian-postgresql-opendesk-credentials"
key: "guardianDatabasePassword"
provisioning:
enabled: false
config:
nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
keycloak:
realm: {{ .Values.platform.realm | quote }}
username: "kcadmin"
connection:
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
baseUrl: "http://ums-keycloak:8080"
credentialSecret:
name: "ums-opendesk-keycloak-credentials"
key: "admin_password"
managementApi:
credentialSecret:
name: "ums-opendesk-guardian-client-secret"
key: "managementApiClientSecret"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nubusNotificationsApi:
enabled: false
additionalAnnotations:
intents.otterize.com/service-name: "ums-notifications-api"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
repository: {{ .Values.images.nubusNotificationsApi.repository }}
tag: {{ .Values.images.nubusNotificationsApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
postgresql:
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
existingSecret:
name: "ums-notifications-api-postgresql-opendesk-credentials"
serviceAccount:
create: true
replicaCount: {{ .Values.replicas.umsNotificationsApi }}
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
nubusPortalFrontend:
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-frontend"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
repository: {{ .Values.images.nubusPortalFrontend.repository }}
tag: {{ .Values.images.nubusPortalFrontend.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName }}
portalFrontend:
branding:
css: {{ .Values.theme.styles.portal.main | toJson }}
# Requires .ico, .svg does not work.
favicon: {{ .Values.theme.imagery.portal.faviconIco | toJson }}
# The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }}
backgroundImage: {{ .Values.theme.imagery.portal.backgroundSvg | toJson }}
serviceAccount:
create: true
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
nubusKeycloakExtensions:
enabled: true
keycloak:
auth:
username: "kcadmin"
existingSecret:
name: "ums-opendesk-keycloak-credentials"
keyMapping:
adminPassword: "admin_password"
proxy:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
ingress:
paths:
{{- if .Values.debug.enabled }}
- pathType: "Prefix"
path: "/admin/"
{{- end }}
- pathType: "Prefix"
path: "/realms/"
- pathType: "Prefix"
path: "/js/"
- pathType: "Prefix"
path: "/resources/"
- pathType: "Prefix"
path: "/fingerprintjs"
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port | quote }}
auth:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
existingSecret:
name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
keyMapping:
password: "umcKeycloakExtensionsDatabasePassword"
smtp:
connection:
host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
port: 25
ssl: false
starttls: false
auth:
enabled: false
username: ""
existingSecret:
name: "ums-keycloak-extensions-smtp-opendesk-credentials"
keyMapping:
password: "umcKeycloakExtensionsSmtpPassword"
handler:
appConfig:
newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
resources:
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
nubusPortalListener:
enabled: false
nubusPortalConsumer:
enabled: true
portalConsumer:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
repository: {{ .Values.images.nubusPortalConsumer.repository }}
tag: {{ .Values.images.nubusPortalConsumer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
objectStorage:
auth:
accessKey: {{ .Values.objectstores.nubus.username | quote }}
secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
persistence:
size: {{ .Values.persistence.storages.nubusPortalConsumer.size | quote }}
storageClass: {{ coalesce .Values.persistence.storages.nubusPortalConsumer.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-portal-consumer"
provisioningApi:
auth:
username: "portal-consumer"
password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote }}
replicaCount: {{ .Values.replicas.umsPortalConsumer }}
resources:
{{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
resourcesWaitForDependency:
{{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
{{- if .Values.certificate.selfSigned }}
extraVolumes:
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
- key: "ca.crt"
path: "cacert.pem"
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
waitForDependency:
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
readOnly: true
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
- name: "trusted-cert-secret-volume"
readOnly: true
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
subPath: "cacert.pem"
extraEnvVars:
- name: "REQUESTS_CA_BUNDLE"
value: "/etc/ssl/certs/ca-certificates.crt"
- name: "DEFAULT_CA_BUNDLE_PATH"
value: "/etc/ssl/certs/ca-certificates.crt"
- name: "SSL_CERT_FILE"
value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}
nubusPortalServer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-server"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
repository: {{ .Values.images.nubusPortalServer.repository }}
tag: {{ .Values.images.nubusPortalServer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
objectStorage:
auth:
accessKey: {{ .Values.objectstores.nubus.username | quote }}
secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
portalServer:
objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
objectStorageCredentialSecret:
name: "ums-portal-server-minio-opendesk-credentials"
accessKeyKey: "access-key-id"
secretKeyKey: "secret-key-id"
centralNavigation:
enabled: true
authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
replicaCount: {{ .Values.replicas.umsPortalServer }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
serviceAccount:
create: true
{{- if .Values.certificate.selfSigned }}
extraVolumes:
- name: "trusted-cert-crt-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
- key: "ca.crt"
path: "cacert.pem"
extraVolumeMounts:
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/etc/ssl/certs/ca-certificates.crt"
subPath: "ca-certificates.crt"
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
subPath: "cacert.pem"
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
subPath: "cacert.pem"
- name: "trusted-cert-crt-secret-volume"
readOnly: true
mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
subPath: "cacert.pem"
{{- end }}
nubusUdmRestApi:
additionalAnnotations:
intents.otterize.com/service-name: "ums-udm-rest-api"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
initResources:
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
serviceAccount:
annotations:
intended.usage: "compliance"
udmRestApi:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
repository: {{ .Values.images.nubusUdmRestApi.repository }}
tag: {{ .Values.images.nubusUdmRestApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nubusLdapNotifier:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 101
runAsGroup: 102
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
repository: {{ .Values.images.nubusLdapNotifier.repository }}
tag: {{ .Values.images.nubusLdapNotifier.tag }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-ldap-notifier"
replicaCount: {{ .Values.replicas.umsLdapNotifier }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
nubusLdapServer:
global:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
additionalAnnotations:
intents.otterize.com/service-name: "ums-ldap-server"
dhInitcontainer:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
ldapServer:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
repository: {{ .Values.images.nubusLdapServer.repository }}
tag: {{ .Values.images.nubusLdapServer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
leaderElector:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }}
repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }}
tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
persistence:
size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }}
storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
serviceAccount:
create: true
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nubusProvisioning:
enabled: true
api:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-api"
auth:
adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote }}
prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
resources:
{{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
dispatcher:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-dispatcher"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
resources:
{{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ldap:
auth:
password: {{ .Values.secrets.nubus.ldapSecret | quote }}
nats:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-nats"
auth:
adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote }}
config:
cluster:
replicas: {{ .Values.replicas.umsProvisioningNats }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
nats:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
repository: {{ .Values.images.nubusNats.repository }}
tag: {{ .Values.images.nubusNats.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
natsBox:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
repository: {{ .Values.images.nubusNatsBox.repository }}
tag: {{ .Values.images.nubusNatsBox.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
persistence:
size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
storageClass: {{ coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
reloader:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
repository: {{ .Values.images.nubusNatsReloader.repository }}
tag: {{ .Values.images.nubusNatsReloader.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
resources:
{{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
serviceAccount:
create: true
prefill:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-prefill"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
resources:
{{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
udmTransformer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
nats:
auth:
password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
resources:
{{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
replicaCount:
dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
prefill: {{ .Values.replicas.umsProvisioningPrefill }}
api: {{ .Values.replicas.umsProvisioningApi }}
registerConsumers:
additionalAnnotations:
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
createUsers:
oxConsumer:
existingSecret:
name: ums-provisioning-ox-credentials
keyMapping:
password: "ox-connector.json"
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
podAnnotations:
intents.otterize.com/service-name: "ums-provisioning-register-consumers"
resources:
registerConsumers:
{{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
serviceAccount:
create: true
nubusUdmListener:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 102
runAsGroup: 65534
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsUdmListener }}
resources:
{{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
nubusSelfServiceListener:
enabled: false
resources:
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
resourcesWaitForDependency:
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
nubusSelfServiceConsumer:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
podAnnotations:
intents.otterize.com/service-name: "ums-selfservice-listener"
provisioningApi:
auth:
password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
resources:
{{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
waitForDependency:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
repository: {{ .Values.images.nubusWaitForDependency.repository }}
tag: {{ .Values.images.nubusWaitForDependency.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
# Nubus services
nubusStackDataUms:
additionalAnnotations:
argocd.argoproj.io/hook: "Sync"
argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
intents.otterize.com/service-name: "ums-stack-data-ums"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
repository: {{ .Values.images.nubusDataLoader.repository }}
tag: {{ .Values.images.nubusDataLoader.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
initResources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
# In openDesk the external memcache does not expect a username to be set. Overwriting
# the default username of `selfservice` is part of the customizing:
nubusUmcServer:
memcached:
auth:
username: ""
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
resources:
{{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
stackDataContext:
umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
umcMemcachedUsername: ""
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
smtpPort: 25
smtpUser: ""
smtpStartTls: false
ldapBase: {{ .Values.ldap.baseDn }}
templateContext:
initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
apps: {{ .Values.apps | toYaml | nindent 6 }}
opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
opendeskAdminAttributes: true
opendeskGroupAttributes: true
opendeskUserAttributes: true
portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
portalNotesLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain }}
portalTitleDE: "Portal - {{ .Values.theme.texts.productName }}"
portalTitleEN: "Portal - {{ .Values.theme.texts.productName }}"
portalLinkLegalNotice: {{ .Values.functional.portal.linkLegalNotice }}
portalLinkPrivacyStatement: {{ .Values.functional.portal.linkPrivacyStatement }}
oxDefaultContext: "1"
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
ldapSystemUsers: []
portaltileGroupUserStandard:
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupUserAdmin:
- 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
- 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupUserAll:
- 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
- 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupGroupware:
- 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupFileshare:
- 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupManagementProject:
- 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupManagementKnowledge:
- 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupManagementLearn:
- 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupLiveCollaboration:
- 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupVideoconference:
- 'cn=managed-by-attribute-Videoconference,cn=groups,{{ .Values.ldap.baseDn }}'
portaltileGroupNotes:
- 'cn=managed-by-attribute-Notes,cn=groups,{{ .Values.ldap.baseDn }}'
systemInformation:
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}{{ if eq (env "OPENDESK_ENTERPRISE") "true" }}-ee{{ end }}"
{{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
{{- else }}
deployDate: false
{{- end }}
# executes a list of UDM commands as step `03-custom-initializer.yaml` of the opendesk-nubus customization
# Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
udmCustomInitializer: []
# executes a list of UDM commands as step `97-custom-finalizer.yaml` of the opendesk-nubus customization
# Ref. https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/tree/main/udm/udm-data-loader
udmCustomFinalizer: []
nubusUmcServer:
additionalAnnotations:
intents.otterize.com/service-name: "ums-umc-server"
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
runAsUser: 0
runAsGroup: 0
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
containerSecurityContextInit:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
runAsUser: 0
runAsGroup: 0
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
containerSecurityContextSssd:
enabled: true
allowPrivilegeEscalation: true
capabilities:
drop:
- "ALL"
add:
- "DAC_OVERRIDE"
- "SETGID"
- "AUDIT_WRITE"
- "SETUID"
- "CHOWN"
- "SETPCAP"
- "FOWNER"
- "FSETID"
- "KILL"
- "MKNOD"
- "NET_BIND_SERVICE"
- "SYS_CHROOT"
runAsUser: 0
runAsGroup: 0
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: false
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
repository: {{ .Values.images.nubusUmcServer.repository }}
tag: {{ .Values.images.nubusUmcServer.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
memcached:
bundled: false
server: {{ .Values.cache.umsSelfservice.host | quote }}
auth:
existingSecret:
name: "ums-umc-server-memcached-opendesk-credentials"
keyMapping:
memcached-password: "umcServerMemcachedPassword"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
existingSecret:
name: "ums-umc-server-postgresql-opendesk-credentials"
keyMapping:
password: "umcServerDatabasePassword"
proxy:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
repository: {{ .Values.images.nubusUmcServerProxy.repository }}
tag: {{ .Values.images.nubusUmcServerProxy.tag }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
replicaCount: {{ .Values.replicas.umsUmcServer }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
selfService:
passwordresetEmailBody: |
Sehr geehrte Benutzerin, sehr geehrter Benutzer,
Ihr Benutzername für {domainname} lautet: {username}
Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
Mit freundlichen Grüßen
Ihr {domainname} Passwort-Service
smtp:
existingSecret:
name: "ums-umc-server-smtp-credentials-custom"
nubusUmcGateway:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
repository: {{ .Values.images.nubusUmcGateway.repository }}
tag: {{ .Values.images.nubusUmcGateway.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
ingress:
certManager:
enabled: false
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
initResources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsUmcGateway }}
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
umcGateway:
umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
nubusKeycloakBootstrap:
additionalAnnotations:
argocd.argoproj.io/hook: "Sync"
bootstrap:
ldapMappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
twoFactorAuthentication:
enabled: true
group: "2fa-users"
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
keycloak:
auth:
username: "kcadmin"
existingSecret:
name: "ums-opendesk-keycloak-credentials"
ldap:
auth:
bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
existingSecret:
name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
# Credential secrets for accessing customer supplied services
extraSecrets:
- name: "ums-opendesk-portal-server-central-navigation"
stringData:
authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: "ums-opendesk-guardian-client-secret"
stringData:
managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- name: "ums-opendesk-keycloak-credentials"
stringData:
admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
- name: "ums-keycloak-postgresql-opendesk-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- name: "ums-guardian-postgresql-opendesk-credentials"
stringData:
guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
- name: "ums-notifications-api-postgresql-opendesk-credentials"
stringData:
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- name: "ums-umc-server-postgresql-opendesk-credentials"
stringData:
umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
- name: "ums-umc-server-memcached-opendesk-credentials"
stringData:
umcServerMemcachedPassword: ""
- name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
stringData:
umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
- name: "ums-keycloak-extensions-smtp-opendesk-credentials"
stringData:
umcKeycloakExtensionsSmtpPassword: ""
- name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
stringData:
password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
- name: "ums-portal-server-minio-opendesk-credentials"
stringData:
access-key-id: {{ .Values.objectstores.nubus.username | quote }}
secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
- name: "ums-umc-server-smtp-credentials-custom"
stringData:
password: ""
- name: "ums-provisioning-ox-credentials"
stringData:
ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
Reference in New Issue View Git Blame Copy Permalink