sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e0ff58a3a42665662183e1b45dff35ae19b42bc4
opendesk/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
jconde 83ac645fae fix(univention-management-stack): Support for object-storage icons and portal files 
fix(univention-management-stack): Test otterize policies
2024-02-15 15:32:12 +00:00

307 lines
9.4 KiB
Go Template
Raw Blame History

# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
fullnameOverride: "ums-stack-gateway"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
repository: {{ .Values.images.umsStackGateway.repository | quote }}
tag: {{ .Values.images.umsStackGateway.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
enabled: {{ .Values.ingress.enabled }}
extraTls:
- hosts:
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
tls: false
podSecurityContext:
enabled: true
fsGroup: 1001
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
service:
type: "ClusterIP"
serviceAccount:
create: true
fullnameOverride: "ums-stack-gateway"
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
## portal-frontend
# The frontend does not own "/univention/portal" nor
# "/univention/selfservice", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/selfservice/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/css/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/fonts/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/i18n/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/media/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/js/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/oidc/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/selfservice {
absolute_redirect off;
return 302 /univention/selfservice/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/selfservice/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## object storage (minio)
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
location /univention/selfservice/icons/entries/ {
rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
location /univention/selfservice/icons/logos/ {
rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
proxy_pass http://minio:9000;
}
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
proxy_set_header X-UMC-HTTPS 'on';
}
location /univention/logout {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
proxy_set_header X-UMC-HTTPS 'on';
}
location /univention/get {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
## ums-provisioning
location /univention/provisioning-api/ {
rewrite ^/univention/provisioning-api(/.*)$ $1 break;
proxy_pass http://ums-provisioning-events-and-consumer-api:80;
}
## guardian
location /univention/guardian/management-ui {
proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
}
location /guardian/opa {
rewrite ^/guardian/opa(/.*)$ $1 break;
proxy_pass http://ums-open-policy-agent:80/;
}
location /guardian/management {
proxy_pass http://ums-guardian-management-api:80/guardian/management;
}
location /guardian/authorization {
proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
}
}
...
Reference in New Issue View Git Blame Copy Permalink