sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e6fe2a7c18581f637d6bd4d0553d558f753dadd2
opendesk/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

1582 lines
61 KiB
Go Template
Raw Blame History

# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
global:
configMapUcrDefaults: "ums-stack-data-ums-ucr"
configMapUcr: "ums-stack-data-swp-ucr"
configMapUcrForced: null
domain: {{ .Values.global.domain | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
tags:
pre-release: true
guardian:
enabled: false
authorizationApi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-authorization-api"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
guardianAuthzLoggingStructured: false
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
opaAdapterUrl: "http://ums-guardian-open-policy-agent/"
udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
udmDataAdapterUsername: "cn=admin"
udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ingress:
enabled: false
resources:
{{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
managementApi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-api"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
guardianManagementLoggingStructured: false
guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
secretRef: "guardian-keycloak-client-secret"
ingress:
enabled: false
resources:
{{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
managementUi:
podAnnotations:
intents.otterize.com/service-name: "ums-guardian-management-ui"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }}
repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
viteManagementUiAdapterAuthenticationPort: "keycloak"
viteManagementUiAdapterDataPort: "api"
viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
ingress:
enabled: false
resources:
{{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
openPolicyAgent:
podAnnotations:
intents.otterize.com/service-name: "ums-ums-open-policy-agent"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
ingress:
enabled: false
resources:
{{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
provisioning:
enabled: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianProvisioning.registry | quote }}
repository: {{ .Values.images.umsGuardianProvisioning.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsGuardianProvisioning.tag | quote }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
nubusBaseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
keycloak:
url: "http://ums-keycloak:8080"
fqdn: "id.uv-example.gaia.open-desk.cloud"
realm: "opendesk"
admin: "kcadmin"
credentialSecretName: "guardian-keycloak-secret"
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
auth:
username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
ldap-notifier:
enabled: true
podAnnotations:
intents.otterize.com/service-name: "ums-ldap-notifier"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
replicaCount: {{ .Values.replicas.umsLdapNotifier }}
resources:
{{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }}
volumes:
claims:
shared-data: "shared-data-ums-ldap-server-0"
shared-run: "shared-run-ums-ldap-server-0"
ldap-server:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-ldap-server"
replicaCount: {{ .Values.replicas.umsLdapServer }}
serviceAccount:
annotations:
intended.usage: "compliance"
waitForDependency:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
ldapServer:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
repository: {{ .Values.images.umsLdapServer.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
tag: {{ .Values.images.umsLdapServer.tag | quote }}
config:
domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
credentialSecret:
name: ums-ldap-credentials
key: adminPassword
extraVolumes:
- name: "opendesk-schemas"
configMap:
name: "ums-stack-data-swp-schemas"
extraVolumeMounts:
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
subPath: "opendeskFileshare.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
subPath: "opendeskKnowledgemanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
subPath: "opendeskLearnmanagement.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
subPath: "opendeskLivecollaboration.schema"
- name: "opendesk-schemas"
mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
subPath: "opendeskProjectmanagement.schema"
persistence:
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
resources:
{{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
initResources:
{{ .Values.resources.umsLdapServerInit | toYaml | nindent 4 }}
notifications-api:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-notifications-api"
serviceAccount:
annotations:
intended.usage: "compliance"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
repository: {{ .Values.images.umsNotificationsApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsNotificationsApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsNotificationsApi.host | quote }}
port: {{ .Values.databases.umsNotificationsApi.port | quote }}
auth:
username: {{ .Values.databases.umsNotificationsApi.username | quote }}
database: {{ .Values.databases.umsNotificationsApi.name | quote }}
existingSecret: "ums-notifications-api-postgresql-credentials"
replicaCount: {{ .Values.replicas.umsNotificationsApi }}
notificationsapi:
apply_database_migrations: "True"
dev_mode: "False"
environment: "staging"
log_level: "DEBUG"
sql_echo: "False"
api_prefix: "/univention/portal/notifications-api"
resources:
{{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
portal-frontend:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-frontend"
serviceAccount:
annotations:
intended.usage: "compliance"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
repository: {{ .Values.images.umsPortalFrontend.repository }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsPortalFrontend.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
extraVolumes:
- name: "opendesk-branding"
configMap:
name: "ums-stack-data-swp-branding"
extraVolumeMounts:
- name: "opendesk-branding"
mountPath: "/var/www/html/favicon.ico"
subPath: "favicon.ico"
- name: "opendesk-branding"
mountPath: "/var/www/html/css/custom.css"
subPath: "custom.css"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo.svg"
subPath: "logo.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/icons/logo_small_border.svg"
subPath: "logo_small_border.svg"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.png"
subPath: "portal_background_image.png"
- name: "opendesk-branding"
mountPath: "/var/www/html/custom/portal_background_image.svg"
subPath: "portal_background_image.svg"
replicaCount: {{ .Values.replicas.umsPortalFrontend }}
resources:
{{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
portal-listener:
enabled: true
podAnnotations:
intents.otterize.com/service-name: "ums-portal-listener"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
repository: {{ .Values.images.umsPortalListener.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsPortalListener.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsWaitForDependency.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
portalListener:
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
assetsRootPath: "portal-assets"
ucsInternalPath: "portal-data"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUsername: "cn=admin"
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
tlsMode: "off"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
replicaCount: {{ .Values.replicas.umsPortalListener }}
resources:
{{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
resourcesWaitForDependency:
{{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{- .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 6 }}
portal-server:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-portal-server"
serviceAccount:
annotations:
intended.usage: "compliance"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
repository: {{ .Values.images.umsPortalServer.repository }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsPortalServer.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
portalServer:
authMode: "saml"
editable: "false"
adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
ucsInternalPath: "portal-data"
umcGetUrl: "http://ums-umc-server/get"
umcSessionUrl: "http://ums-umc-server/get/session-info"
objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
centralNavigation:
enabled: true
objectStorageCredentialSecret:
name: "ums-portal-server-minio-credentials"
accessKeyKey: "nubus-s3-access-key-id"
secretKeyKey: "nubus-s3-secret-key-id"
extraVolumes:
- name: authenticator-secret
secret:
secretName: ums-portal-server-authenticator-credentials
extraVolumeMounts:
- name: authenticator-secret
mountPath: "/var/secrets/authenticator.secret"
subPath: "authenticator.secret"
replicaCount: {{ .Values.replicas.umsPortalServer }}
resources:
{{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
provisioning:
enabled: false
api:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
credentialSecretName: "ums-provisioning-api-credentials"
dispatcher:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
repository: {{ .Values.images.umsProvisioningDispatcher.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsProvisioningDispatcher.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
credentialSecretName: "ums-provisioning-dispatcher-credentials"
prefill:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
repository: {{ .Values.images.umsProvisioningPrefill.repository }}
pullPolicy: {{ .Values.global.imagePullPolicy }}
tag: {{ .Values.images.umsProvisioningPrefill.tag }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
credentialSecretName: "ums-provisioning-prefill-credentials"
nats:
config:
authorization:
enabled: false
users:
- user: "admin"
password: "$NATS_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
- user: "$NATS_API_USER"
password: "$NATS_API_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
- user: "$NATS_DISPATCHER_USER"
password: "$NATS_DISPATCHER_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
- user: "$NATS_PREFILL_USER"
password: "$NATS_PREFILL_PASSWORD"
permissions:
publish: ">"
subscribe: ">"
extraEnvVars:
- name: NATS_USER
value: "admin"
- name: NATS_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-nats-credentials
key: admin_password
- name: NATS_API_USER
valueFrom:
secretKeyRef:
name: ums-provisioning-api-credentials
key: NATS_USER
- name: NATS_API_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-api-credentials
key: NATS_PASSWORD
- name: NATS_DISPATCHER_USER
valueFrom:
secretKeyRef:
name: ums-provisioning-dispatcher-credentials
key: NATS_USER
- name: NATS_DISPATCHER_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-dispatcher-credentials
key: NATS_PASSWORD
- name: NATS_PREFILL_USER
valueFrom:
secretKeyRef:
name: ums-provisioning-prefill-credentials
key: NATS_USER
- name: NATS_PREFILL_PASSWORD
valueFrom:
secretKeyRef:
name: ums-provisioning-prefill-credentials
key: NATS_PASSWORD
nats:
nats:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNats.registry | quote }}
repository: {{ .Values.images.umsNats.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsNats.tag | quote }}
natsBox:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsBox.registry | quote }}
repository: {{ .Values.images.umsNatsBox.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsNatsBox.tag | quote }}
reloader:
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsReloader.registry | quote }}
repository: {{ .Values.images.umsNatsReloader.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsNatsReloader.tag | quote }}
ingress:
host: "localhost"
tls:
enabled: false
udm-listener:
enabled: false
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
config:
debugLevel: "4"
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
ldapPort: "389"
notifierServer: "ums-ldap-notifier"
tlsMode: "off"
natsHost: "ums-provisioning-nats"
stack-data-ums:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-ums"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
stackDataUms:
loadDevData: true
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
udmApiUrl: "http://ums-udm-rest-api/udm/"
udmApiUser: "cn=admin"
stackDataContext:
idpSamlMetadataUrlInternal: null
umcSamlSchemes: "https"
# The openDesk configuration brings its own UMC policies.
installUmcPolicies: false
domainname: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapBase: {{ .Values.ldap.baseDn | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
umcMemcachedUsername: ""
stack-data-swp:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-data-swp"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
repository: {{ .Values.images.umsDataLoader.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsDataLoader.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
stackDataContext:
ldapBase: {{ .Values.ldap.baseDn }}
oxDefaultContext: "1"
smtpStartTls: true
ldapSearchUsers:
{{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
- username: {{ printf "ldapsearch_%s" $username | quote }}
password: {{ $password | quote }}
lastname: "LDAP-Search-User"
{{- end }}
externalDomainName: {{ .Values.global.domain | quote }}
externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUser: {{ .Values.smtp.username | quote }}
userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
stackDataSwp:
udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
systemInformation:
deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
udmApiUser: "cn=admin"
udmApiUrl: "http://ums-udm-rest-api/udm/"
loadDevData: true
resources:
{{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions:
{{- .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 6 }}
selfservice-listener:
enabled: true
podAnnotations:
intents.otterize.com/service-name: "ums-selfservice-listener"
image:
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
selfserviceListener:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }}
repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
selfserviceInvitation:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
waitForDependency:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
persistence:
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
resources:
{{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
resourcesDependencyWaiter:
{{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
selfserviceListener:
ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
ldapHost: {{ .Values.ldap.host | quote }}
ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
notifierServer: {{ .Values.ldap.notifierHost | quote }}
umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
tlsMode: "off"
umcServerUrl: "http://ums-umc-server"
umcAdminUser: "default.admin"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
udm-rest-api:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-udm-rest-api"
serviceAccount:
annotations:
intended.usage: "compliance"
udmRestApi:
secretRef: ums-udm-rest-api-credentials
ldap:
uri: "ldap://ums-ldap-server:389"
baseDn: {{ .Values.ldap.baseDn | quote }}
tls:
enabled: false
secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
extraVolumes:
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
extraVolumeMounts:
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
resources:
{{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
initResources:
{{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
replicaCount: {{ .Values.replicas.umsUdmRestApi }}
umc-gateway:
enabled: true
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
repository: {{ .Values.images.umsUmcGateway.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcGateway.tag | quote }}
replicaCount: {{ .Values.replicas.umsUmcGateway }}
umcGateway:
umcHtmlTitle: "openDesk - Admin"
extraVolumes:
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-gateway-entrypoint"
defaultMode: 0555
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-swp.sh"
subPath: "90-swp.sh"
- name: "announcements-customization"
mountPath:
"/usr/share/univention-management-console-frontend/js/dijit/themes\
/umc/icons/16x16/udm-portals-announcement.png"
subPath: "udm-portals-announcement.png"
ingress:
host: localhost
enabled: false
tls:
enabled: false
resources:
{{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
umc-server:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-umc-server"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
repository: {{ .Values.images.umsUmcServer.repository | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.umsUmcServer.tag | quote }}
pullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
replicaCount: {{ .Values.replicas.umsUmcServer }}
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"
caCert: "Cg=="
certPem: "Cg=="
privateKey: "Cg=="
ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
smtpSecret: {{ .Values.smtp.password | quote }}
privateKeyFile: "/var/secrets/ssl/tls.key"
extraVolumes:
- name: "certificates"
secret:
secretName: "opendesk-certificates-tls"
- name: "entrypoint-swp-patches"
configMap:
name: "ums-stack-data-swp-umc-server-entrypoint"
defaultMode: 0555
- name: "self-service-emails"
configMap:
name: "ums-stack-data-swp-self-service-emails"
defaultMode: 0444
- name: "attribute-to-group-mapper-hook"
configMap:
name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
- name: "announcements-customization"
configMap:
name: "ums-stack-data-swp-umc-server-announcements"
defaultMode: 0444
extraVolumeMounts:
- name: "certificates"
mountPath: "/var/secrets/ssl"
- name: "entrypoint-swp-patches"
mountPath: "/entrypoint.d/90-customization.sh"
subPath: "90-customization.sh"
- name: "self-service-emails"
mountPath: "/usr/share/univention-self-service/email_bodies"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
subPath: "AttributeToGroupMapper.py"
- name: "attribute-to-group-mapper-hook"
mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
subPath: "flag_to_group_mapping.json"
- name: "announcements-customization"
mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
subPath: "udm-portals-announcement.xml"
ingress:
host: localhost
enabled: false
tls:
enabled: false
memcached:
bundled: false
server: {{ .Values.cache.umsSelfservice.host | quote }}
postgresql:
bundled: false
connection:
host: {{ .Values.databases.umsSelfservice.host | quote }}
port: {{ .Values.databases.umsSelfservice.port | quote }}
auth:
username: {{ .Values.databases.umsSelfservice.username | quote }}
database: {{ .Values.databases.umsSelfservice.name | quote }}
password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
resources:
{{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
keycloak:
enabled: true
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak"
serviceAccount:
annotations:
intended.usage: "compliance"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }}
repository: {{ .Values.images.umsKeycloak.repository | quote }}
tag: {{ .Values.images.umsKeycloak.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
config:
admin:
password: {{ .Values.secrets.keycloak.adminPassword | quote }}
database:
host: {{ .Values.databases.keycloak.host | quote }}
port: {{ .Values.databases.keycloak.port }}
user: {{ .Values.databases.keycloak.username | quote }}
database: {{ .Values.databases.keycloak.name | quote }}
existingSecret:
name: "ums-keycloak-postgresql-credentials"
key: "keycloakDatabasePassword"
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
enableMetrics: true
# The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
# Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
# through an own ingress.
exposeAdminConsole: false
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
theme:
univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
replicaCount: {{ .Values.replicas.keycloak }}
resources:
{{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
keycloak-bootstrap:
enabled: true
serviceAccount:
annotations:
intended.usage: "compliance"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }}
repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
config:
keycloak:
adminUser: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
realm: {{ .Values.platform.realm | quote }}
intraCluster:
enabled: true
internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
loginLinks:
- link_number: 1
language: "de"
description: "Passwort vergessen?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
- link_number: 1
language: "en"
description: "Forgot password?"
href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
ums:
ldap:
internalHostname: {{ .Values.ldap.host | quote }}
baseDN: {{ .Values.ldap.baseDn | quote }}
readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
mappers:
- ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
- ldapAndUserModelAttributeName: "oxContextIDNum"
saml:
serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
twoFactorAuthentication:
enabled: true
group: "2fa-users"
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: false
privileged: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions:
{{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-bootstrap"
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
resources:
{{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
keycloak-extensions:
enabled: true
keycloak:
host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
adminUsername: "kcadmin"
adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
adminRealm: "master"
realm: {{ .Values.platform.realm | quote }}
postgresql:
connection:
host: {{ .Values.databases.keycloakExtension.host | quote }}
port: {{ .Values.databases.keycloakExtension.port }}
auth:
database: {{ .Values.databases.keycloakExtension.name | quote }}
username: {{ .Values.databases.keycloakExtension.username | quote }}
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
handler:
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
# nameOverride: "keycloak-extensions-handler"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }}
repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets: {{ .Values.global.imagePullSecrets }}
appConfig:
captchaProtectionEnable: false
deviceProtectionEnable: true
ipProtectionEnable: true
logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
smtpPassword: {{ .Values.smtp.password | quote }}
smtpHost: {{ .Values.smtp.host | quote }}
smtpPort: {{ .Values.smtp.port | quote }}
smtpUsername: {{ .Values.smtp.username | quote }}
mailFrom: "noreply@{{ .Values.global.domain }}"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
resources:
{{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
proxy:
replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
podAnnotations:
intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
# nameOverride: "keycloak-extensions-proxy"
appConfig:
logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
imagePullSecrets: {{ .Values.global.imagePullSecrets }}
ingress:
annotations:
nginx.org/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
paths:
{{- if .Values.debug.enabled }}
- pathType: "Prefix"
path: "/admin"
{{- end }}
- pathType: "Prefix"
path: "/realms"
- pathType: "Prefix"
path: "/resources"
- pathType: "Prefix"
path: "/fingerprintjs"
- pathType: "Exact"
path: "/univention/meta.json"
backend:
service:
name: "ums-stack-gateway"
port:
name: "http"
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
tls:
enabled: {{ .Values.ingress.tls.enabled }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
resources:
{{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
keycloak-postgresql:
enabled: false
stack-gateway:
enabled: true
additionalAnnotations:
intents.otterize.com/service-name: "ums-stack-gateway"
fullnameOverride: "ums-stack-gateway"
image:
registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
repository: {{ .Values.images.umsStackGateway.repository | quote }}
tag: {{ .Values.images.umsStackGateway.tag | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
ingress:
annotations:
# Ensure that the ingress controller can handle responses with plenty of
# headers. This is a requirement from the UDM Rest API.
nginx.org/proxy-buffer-size: "64k"
nginx.org/proxy-buffers: "4 128k"
enabled: {{ .Values.ingress.enabled }}
extraTls:
- hosts:
- {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
secretName: {{ .Values.ingress.tls.secretName | quote }}
hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
ingressClassName: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
tls: false
podSecurityContext:
enabled: true
fsGroup: 1001
replicaCount: {{ .Values.replicas.umsStackGateway }}
resources:
{{ .Values.resources.umsStackGateway | toYaml | nindent 4 }}
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
service:
type: "ClusterIP"
serviceAccount:
create: true
# The content of the "serverBlock" does resemble the Ingress configuration of
# the UMS components. The "location" entries do intentionally reflect precisely
# the respective paths which are configured.
serverBlock: |
server {
listen 8080;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
## portal-frontend
# The frontend does not own "/univention/portal" nor
# "/univention/selfservice", only these two bits
location = /univention/portal/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/portal/index.html {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location = /univention/selfservice/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
# The following prefixes are owned by the frontend
location /univention/portal/css/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/fonts/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/i18n/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/media/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/js/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/portal/oidc/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/css/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/fonts/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/i18n/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/media/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/js/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
location /univention/selfservice/oidc/ {
rewrite ^/univention/selfservice(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80;
}
## frontend redirects
location = / {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/ {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/portal {
absolute_redirect off;
return 302 /univention/portal/;
}
location = /univention/selfservice {
absolute_redirect off;
return 302 /univention/selfservice/;
}
## portal-server
location = /univention/portal/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/selfservice/portal.json {
proxy_pass http://ums-portal-server:80;
}
location = /univention/portal/navigation.json {
proxy_pass http://ums-portal-server:80;
}
## udm-rest-api
location /univention/udm/ {
# The UDM Rest API does return on some endpoints a lot of headers
proxy_busy_buffers_size 128k;
proxy_buffers 4 128k;
proxy_buffer_size 64k;
rewrite ^/univention(/udm/.*)$ $1 break;
proxy_pass http://ums-udm-rest-api:80;
}
## umc-gateway
location = /univention/languages.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/meta.json {
proxy_pass http://ums-umc-gateway:80;
}
location = /univention/theme.css {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/js/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/login/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/management/ {
proxy_pass http://ums-umc-gateway:80;
}
location /univention/themes/ {
proxy_pass http://ums-umc-gateway:80;
}
## umc-server
location = /univention/auth {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
proxy_set_header X-UMC-HTTPS 'on';
}
location /univention/logout {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/saml {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
proxy_set_header X-UMC-HTTPS 'on';
}
location /univention/get {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/set {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/command {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
location /univention/upload {
rewrite ^/univention(/.*)$ $1 break;
proxy_pass http://ums-umc-server:80;
}
## notifications-api
location /univention/portal/notifications-api/ {
rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
proxy_pass http://ums-notifications-api:80;
}
## openDesk branding
location = /favicon.ico {
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/custom/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
location /univention/portal/icons/ {
rewrite ^/univention/portal(/.*)$ $1 break;
proxy_pass http://ums-portal-frontend:80/;
}
## provisioning-api
# location /univention/provisioning-api/ {
# rewrite ^/univention/provisioning-api(/.*)$ $1 break;
# proxy_pass http://ums-provisioning-api:80;
# }
## guardian
# location /univention/guardian/management-ui {
# proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
# }
# location /guardian/management {
# proxy_pass http://ums-guardian-management-api:80/guardian/management;
# }
# location /guardian/authorization {
# proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
# }
## object storage (minio)
location /univention/portal/icons/entries/ {
rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
# proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000;
proxy_pass http://minio:9000;
}
location /univention/portal/icons/logos/ {
rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
# proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000;
proxy_pass http://minio:9000;
}
location /univention/selfservice/icons/entries/ {
rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
# proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000;
proxy_pass http://minio:9000;
}
location /univention/selfservice/icons/logos/ {
rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
# proxy_pass {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "http://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) }}:9000;
proxy_pass http://minio:9000;
}
}
minio:
enabled: false
extraSecrets:
- name: ums-ldap-credentials
stringData:
adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- name: ums-notifications-api-postgresql-credentials
stringData:
password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
- name: ums-keycloak-extensions-postgresql-credentials
stringData:
password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
- name: ums-portal-server-minio-credentials
stringData:
nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
nubus-s3-secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
- name: ums-portal-server-authenticator-credentials
stringData:
authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
- name: ums-provisioning-api-credentials
stringData:
NATS_USER: "api"
NATS_PASSWORD: "password"
- name: ums-provisioning-dispatcher-credentials
stringData:
UDM_USERNAME: "cn=admin"
UDM_PASSWORD: "password"
NATS_USER: "dispatcher"
NATS_PASSWORD: "password"
- name: ums-provisioning-prefill-credentials
stringData:
NATS_USER: "prefill"
NATS_PASSWORD: "password"
- name: ums-provisioning-nats-credentials
stringData:
admin_password: "nimda"
- name: ums-udm-rest-api-credentials
stringData:
ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
- name: "ums-keycloak-postgresql-credentials"
stringData:
keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
- name: "guardian-keycloak-client-secret"
stringData:
oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
- name: "guardian-keycloak-secret"
stringData:
KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
...
Reference in New Issue View Git Blame Copy Permalink