From cdf50d324a7c9ac6f8e5500bf6e7a69db9f599e4 Mon Sep 17 00:00:00 2001 From: Willy Kloucek <34452982+wkloucek@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:10:42 +0200 Subject: [PATCH 1/5] improve next (#410) * add userlog_global_notifications_secret (#400) * add userlog_global_notifications_secret * add secrets for userlog * add secrets for userlog * add secret options * fix notifications secrets * fix notifications secrets * fix notifications secrets * add docs * pin latest ocis version * allow to actually configure banned passwords * generate documentation --------- Co-authored-by: DanielY <55952458+case0sh@users.noreply.github.com> --- charts/ocis/docs/values-desc-table.adoc | 16 +++++++++++----- charts/ocis/docs/values.adoc.yaml | 18 ++++++++++++------ .../ocis/templates/_common/_configvalues.tpl | 4 ++++ charts/ocis/templates/frontend/config.yaml | 15 +++++++++++++++ charts/ocis/templates/frontend/deployment.yaml | 11 ++++++++--- charts/ocis/templates/userlog/deployment.yaml | 9 ++++++++- charts/ocis/values.yaml | 18 ++++++++++++------ 7 files changed, 70 insertions(+), 21 deletions(-) create mode 100644 charts/ocis/templates/frontend/config.yaml diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc index 8db71ca92..0a669de9a 100644 --- a/charts/ocis/docs/values-desc-table.adoc +++ b/charts/ocis/docs/values-desc-table.adoc @@ -672,11 +672,11 @@ a| [subs=-attributes] a| [subs=-attributes] `true` | -| features.sharing.passwordPolicies.bannedPasswordsList +| features.sharing.passwordPolicies.bannedPasswords a| [subs=-attributes] -+string+ ++list+ a| [subs=-attributes] -`""` +`[]` | | features.sharing.passwordPolicies.minCharacters a| [subs=-attributes] @@ -784,7 +784,7 @@ a| [subs=-attributes] a| [subs=-attributes] +string+ a| [subs=-attributes] -`"Always"` +`"IfNotPresent"` | Image pull policy | image.pullSecrets a| [subs=-attributes] 
@@ -802,7 +802,7 @@ a| [subs=-attributes] a| [subs=-attributes] +string+ a| [subs=-attributes] -`""` +`"c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed"` | Image sha / digest (optional). | image.tag a| [subs=-attributes] @@ -1038,6 +1038,12 @@ a| [subs=-attributes] a| [subs=-attributes] `""` | Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true. +| secretRefs.globalNotificationsSecretRef +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`""` +| The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints. | secretRefs.idpSecretRef a| [subs=-attributes] +string+ diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index 86baaa120..e29b5c05c 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml @@ -7,9 +7,9 @@ image: # -- Image tag. Defaults to the chart's appVersion. tag: "latest" # -- Image sha / digest (optional). - sha: "" + sha: "c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed" # oCIS as of 18th October 2023 # -- Image pull policy - pullPolicy: Always + pullPolicy: IfNotPresent # -- Names of the secret containing the credentials to pull an image from the registry. More # information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ # @@ -217,8 +217,10 @@ features: minSpecialCharacters: 0 # the minimum amount of digits the password needs to have minDigits: 0 - # the path to the file containing the list of banned passwords - bannedPasswordsList: "" + # list of banned passwords + bannedPasswords: [] + # - foo + # - bar # Apps integration appsIntegration: # -- Enables the apps integration. 
@@ -593,6 +595,8 @@ secretRefs: s3CredentialsSecretRef: "" # -- Reference to an existing service account secret (see xref:{secrets}[Secrets]) serviceAccountSecretRef: "" + # -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints. + globalNotificationsSecretRef: "" # Security context options. securityContext: @@ -695,13 +699,15 @@ jobNodeSelector: # kubernetes.io/arch: "amd64" # -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services..jobPriorityClassName` is set. -jobPriorityClassName: "" +jobPriorityClassName: + "" # ocis-low-priority # ocis-medium-priority # ocis-high-priority # -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services..priorityClassName` is set. -priorityClassName: "" +priorityClassName: + "" # ocis-low-priority # ocis-medium-priority # ocis-high-priority diff --git a/charts/ocis/templates/_common/_configvalues.tpl b/charts/ocis/templates/_common/_configvalues.tpl index 306062775..4445b95a2 100644 --- a/charts/ocis/templates/_common/_configvalues.tpl +++ b/charts/ocis/templates/_common/_configvalues.tpl @@ -40,6 +40,10 @@ All take the scope as the first and only parameter. {{ .Values.secretRefs.serviceAccountSecretRef | default "service-account-secret" | quote }} {{- end -}} +{{- define "secrets.globalNotificationsSecret" -}} +{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.globalNotificationsSecretRef | quote }} +{{- end -}} + {{- define "secrets.messagingSystemCASecret" -}} {{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }} {{- end -}} diff --git a/charts/ocis/templates/frontend/config.yaml b/charts/ocis/templates/frontend/config.yaml new file mode 100644 index 000000000..f591ff453 --- /dev/null 
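Review bot: The `required` message in the new `secrets.globalNotificationsSecret` define still says `messagingSystemCASecret`, copied from the define right below it, so an operator who leaves the value unset gets an error pointing at the wrong setting. Change the line to `{{ required "globalNotificationsSecret can't be autogenerated" .Values.secretRefs.globalNotificationsSecretRef | quote }}`. The `required` is only reached by an unguarded caller; the userlog deployment later in this series wraps the include in `{{- if .Values.secretRefs.globalNotificationsSecretRef }}`, so the message mainly matters for future callers of the helper.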
+++ b/charts/ocis/templates/frontend/config.yaml @@ -0,0 +1,15 @@ +{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameFrontend" "appNameSuffix" "") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: sharing-banned-passwords + namespace: {{ template "ocis.namespace" . }} + labels: + {{- include "ocis.labels" . | nindent 4 }} +data: + sharing-banned-passwords.txt: |- + {{- with .Values.features.sharing.passwordPolicies.bannedPasswords -}} + {{- range . -}} + {{- . | nindent 4 }} + {{- end -}} + {{- end -}} diff --git a/charts/ocis/templates/frontend/deployment.yaml b/charts/ocis/templates/frontend/deployment.yaml index b07863cc1..377d7f1c8 100644 --- a/charts/ocis/templates/frontend/deployment.yaml +++ b/charts/ocis/templates/frontend/deployment.yaml @@ -9,7 +9,7 @@ spec: {{- end }} {{- include "ocis.deploymentStrategy" . | nindent 2 }} template: - {{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" false) | nindent 4 }} + {{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" true) | nindent 4 }} spec: {{- include "ocis.serviceAccount" . | nindent 6 }} {{- include "ocis.affinity" .Values.services.frontend | nindent 6 }} @@ -152,7 +152,7 @@ spec: # password policies - name: FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS - value: {{ .Values.features.sharing.passwordPolicies.minChars | quote }} + value: {{ .Values.features.sharing.passwordPolicies.minCharacters | quote }} - name: FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS value: {{ .Values.features.sharing.passwordPolicies.minLowerCharacters | quote }} - name: FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS 
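Review bot: `{{- . | nindent 4 }}` in the new `sharing-banned-passwords` ConfigMap assumes every list entry is a string; an entry such as `123456` written unquoted under `bannedPasswords` is a YAML integer after values parsing, and sprig's `nindent` then aborts the render with a wrong-type error. Rendering through `{{- . | toString | nindent 4 }}` accepts both, and the `# - foo` / `# - bar` example in values.yaml could show quoted entries so operators quote numeric passwords. An entry that is empty or begins with whitespace would also break the indentation of the `|-` block scalar; whether oCIS tolerates a blank line in the list cannot be told from here.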
@@ -162,7 +162,7 @@ spec: - name: FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS value: {{ .Values.features.sharing.passwordPolicies.minSpecialCharacters | quote }} - name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST - value: {{ .Values.features.sharing.passwordPolicies.bannedPasswordsList | quote }} + value: /etc/ocis/sharing-banned-passwords.txt {{- include "ocis.livenessProbe" . | nindent 10 }} @@ -175,6 +175,8 @@ spec: containerPort: 9141 volumeMounts: + - name: configs + mountPath: /etc/ocis - name: tmp-volume mountPath: /tmp @@ -182,3 +184,6 @@ spec: volumes: - name: tmp-volume emptyDir: {} + - name: configs + configMap: + name: sharing-banned-passwords diff --git a/charts/ocis/templates/userlog/deployment.yaml b/charts/ocis/templates/userlog/deployment.yaml index 9ecca59bd..823d6eadd 100644 --- a/charts/ocis/templates/userlog/deployment.yaml +++ b/charts/ocis/templates/userlog/deployment.yaml @@ -26,7 +26,6 @@ spec: {{- include "ocis.containerSecurityContext" . | nindent 10 }} env: {{- include "ocis.serviceRegistry" . | nindent 12 }} - - name: USERLOG_LOG_COLOR value: {{ .Values.logging.color | quote }} - name: USERLOG_LOG_LEVEL @@ -88,6 +87,14 @@ spec: name: {{ include "secrets.serviceAccountSecret" . }} key: service-account-secret + {{- if .Values.secretRefs.globalNotificationsSecretRef }} + - name: USERLOG_GLOBAL_NOTIFICATIONS_SECRET + valueFrom: + secretKeyRef: + name: {{ include "secrets.globalNotificationsSecret" . }} + key: notifications-secret + {{- end }} + - name: USERLOG_JWT_SECRET valueFrom: secretKeyRef: diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index a5d4d4c41..5401acc7f 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
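Review bot: `FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` is now set unconditionally to `/etc/ocis/sharing-banned-passwords.txt`, so with the default `bannedPasswords: []` the frontend is pointed at an empty file where it previously received an empty path; if oCIS treats an empty file differently from no list, the env entry should be wrapped in `{{- if .Values.features.sharing.passwordPolicies.bannedPasswords }}` … `{{- end }}`. The `configs` volume added in the @@ -175 and @@ -182 hunks mounts the whole ConfigMap over `/etc/ocis`, which hides anything the image ships in that directory; a `subPath: sharing-banned-passwords.txt` mount or a dedicated directory such as `/etc/ocis/banned-passwords` would avoid that (with `subPath`, picking up changes relies on the pod restart that `configCheck true` in the @@ -9 hunk presumably triggers). The container spec starts and ends outside these hunks.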
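Review bot: The new `USERLOG_GLOBAL_NOTIFICATIONS_SECRET` entry reads key `notifications-secret` from the referenced Secret, but the description added for `secretRefs.globalNotificationsSecretRef` in values.yaml and docs/values.adoc.yaml in this series describes the secret value itself rather than the reference and never names that key, so an operator cannot tell how to build the Secret. Suggested comment for both values files: `# -- Reference to an existing secret holding the global notifications secret in key 'notifications-secret'. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`. When the ref is empty the env var is simply absent; whether the endpoint is then restricted to system admins is not visible here and is worth stating in the same comment.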
@@ -6,9 +6,9 @@ image: # -- Image tag. Defaults to the chart's appVersion. tag: "latest" # -- Image sha / digest (optional). - sha: "" + sha: "c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed" # oCIS as of 18th October 2023 # -- Image pull policy - pullPolicy: Always + pullPolicy: IfNotPresent # -- Names of the secret containing the credentials to pull an image from the registry. More # information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ # @@ -216,8 +216,10 @@ features: minSpecialCharacters: 0 # the minimum amount of digits the password needs to have minDigits: 0 - # the path to the file containing the list of banned passwords - bannedPasswordsList: "" + # list of banned passwords + bannedPasswords: [] + # - foo + # - bar # Apps integration appsIntegration: # -- Enables the apps integration. @@ -592,6 +594,8 @@ secretRefs: s3CredentialsSecretRef: "" # -- Reference to an existing service account secret (see ref:Secrets#secrets) serviceAccountSecretRef: "" + # -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints. + globalNotificationsSecretRef: "" # Security context options. securityContext: @@ -694,13 +698,15 @@ jobNodeSelector: # kubernetes.io/arch: "amd64" # -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services..jobPriorityClassName` is set. -jobPriorityClassName: "" +jobPriorityClassName: + "" # ocis-low-priority # ocis-medium-priority # ocis-high-priority # -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services..priorityClassName` is set. -priorityClassName: "" +priorityClassName: + "" # ocis-low-priority # ocis-medium-priority # ocis-high-priority From 4b4f5cc07fa5eb8f56fd405b3911ef401ee7140f Mon Sep 17 00:00:00 2001 
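Review bot: The pinned `sha` is annotated only with a date (`# oCIS as of 18th October 2023`) while `tag` stays `"latest"`, so a reader cannot tell which oCIS release the digest resolves to, and an operator who overrides `tag` will presumably keep receiving the pinned digest until they also clear `sha`. Naming the release in the comment, e.g. `# oCIS <release tag> as of 18th October 2023` with the actual tag filled in, and extending the description to `# -- Image sha / digest (optional). When set it is expected to take precedence over tag; clear it when overriding tag.` (if that is how the image reference template behaves) would make the pin auditable; the same hunk appears in docs/values.adoc.yaml at the start of this series. In the last hunk, moving `""` for `jobPriorityClassName` and `priorityClassName` onto its own continuation line keeps the same value but reads like a null at a glance; keeping it on the key line is clearer unless the doc generator needs the split.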
From: Willy Kloucek <34452982+wkloucek@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:13:20 +0200 Subject: [PATCH 2/5] fix clientlog restart loop (#411) --- charts/ocis/templates/clientlog/deployment.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/ocis/templates/clientlog/deployment.yaml b/charts/ocis/templates/clientlog/deployment.yaml index 55eba9555..43062e15c 100644 --- a/charts/ocis/templates/clientlog/deployment.yaml +++ b/charts/ocis/templates/clientlog/deployment.yaml @@ -45,8 +45,7 @@ spec: - name: CLIENTLOG_DEBUG_PPROF value: {{ .Values.debug.profiling | quote }} - # NOTE: change to CLIENTLOG... once fix has landed in master - - name: USERLOG_DEBUG_ADDR + - name: CLIENTLOG_DEBUG_ADDR value: 0.0.0.0:9260 - name: CLIENTLOG_STORE From 7ea2b53325709aa3da53631c3244b657a70483da Mon Sep 17 00:00:00 2001 From: Willy Kloucek <34452982+wkloucek@users.noreply.github.com> Date: Wed, 18 Oct 2023 15:42:19 +0200 Subject: [PATCH 3/5] remove auth machine secret where no longer needed (#412) --- charts/ocis/templates/graph/deployment.yaml | 6 ------ charts/ocis/templates/notifications/deployment.yaml | 6 ------ charts/ocis/templates/ocs/deployment.yaml | 6 ------ charts/ocis/templates/policies/deployment.yaml | 5 ----- charts/ocis/templates/search/deployment.yaml | 6 ------ charts/ocis/templates/storageusers/deployment.yaml | 6 ------ 6 files changed, 35 deletions(-) diff --git a/charts/ocis/templates/graph/deployment.yaml b/charts/ocis/templates/graph/deployment.yaml index fce5725df..59117c085 100644 --- a/charts/ocis/templates/graph/deployment.yaml +++ b/charts/ocis/templates/graph/deployment.yaml 
@@ -192,12 +192,6 @@ spec: value: {{ .Values.features.quotas.default | quote }} {{- end }} - - name: USERLOG_MACHINE_AUTH_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - {{- if .Values.features.gdprReport.integrations.keycloak.enabled }} - name: GRAPH_KEYCLOAK_BASE_PATH value: {{ .Values.features.gdprReport.integrations.keycloak.basePath | quote }} diff --git a/charts/ocis/templates/notifications/deployment.yaml b/charts/ocis/templates/notifications/deployment.yaml index 7cb89b6ef..d9acf856d 100644 --- a/charts/ocis/templates/notifications/deployment.yaml +++ b/charts/ocis/templates/notifications/deployment.yaml @@ -97,12 +97,6 @@ spec: {{- end }} {{- end }} - - name: NOTIFICATIONS_MACHINE_AUTH_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - - name: NOTIFICATIONS_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: diff --git a/charts/ocis/templates/ocs/deployment.yaml b/charts/ocis/templates/ocs/deployment.yaml index dd9c69cfc..cb0b007db 100644 --- a/charts/ocis/templates/ocs/deployment.yaml +++ b/charts/ocis/templates/ocs/deployment.yaml @@ -63,12 +63,6 @@ spec: name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - - name: OCS_MACHINE_AUTH_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - {{- include "ocis.cors" . |nindent 12 }} {{- include "ocis.livenessProbe" . | nindent 10 }} diff --git a/charts/ocis/templates/policies/deployment.yaml b/charts/ocis/templates/policies/deployment.yaml index 9934ee01c..ec7ea5e19 100644 --- a/charts/ocis/templates/policies/deployment.yaml +++ b/charts/ocis/templates/policies/deployment.yaml 
@@ -78,11 +78,6 @@ spec: secretKeyRef: name: {{ include "secrets.jwtSecret" $ }} key: jwt-secret - - name: POLICIES_MACHINE_AUTH_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - name: POLICIES_DEBUG_PPROF value: {{ .Values.debug.profiling | quote }} diff --git a/charts/ocis/templates/search/deployment.yaml b/charts/ocis/templates/search/deployment.yaml index 4185dceab..5e6005f96 100644 --- a/charts/ocis/templates/search/deployment.yaml +++ b/charts/ocis/templates/search/deployment.yaml @@ -105,12 +105,6 @@ spec: name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - - name: SEARCH_MACHINE_AUTH_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - - name: SEARCH_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: diff --git a/charts/ocis/templates/storageusers/deployment.yaml b/charts/ocis/templates/storageusers/deployment.yaml index 44e39b20c..8e6503416 100644 --- a/charts/ocis/templates/storageusers/deployment.yaml +++ b/charts/ocis/templates/storageusers/deployment.yaml @@ -132,12 +132,6 @@ spec: - name: STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE value: {{ .Values.services.storageusers.maintenance.purgeExpiredTrashBinItems.projectDeleteBefore | quote }} - - name: OCIS_MACHINE_AUTH_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - - name: STORAGE_USERS_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: From 13feb53956a22ee2e8caabb1a81d02f9a0cf966b Mon Sep 17 00:00:00 2001 From: Willy Kloucek <34452982+wkloucek@users.noreply.github.com> Date: Wed, 18 Oct 2023 17:08:33 +0200 Subject: [PATCH 4/5] remove non existing AUTH_SERVICE_API_KEY (#413) --- charts/ocis/templates/authservice/deployment.yaml | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/charts/ocis/templates/authservice/deployment.yaml b/charts/ocis/templates/authservice/deployment.yaml index 061141a9d..130184211 100644 --- a/charts/ocis/templates/authservice/deployment.yaml +++ b/charts/ocis/templates/authservice/deployment.yaml @@ -56,12 +56,6 @@ spec: name: {{ include "secrets.jwtSecret" . }} key: jwt-secret - - name: AUTH_SERVICE_API_KEY - valueFrom: - secretKeyRef: - name: {{ include "secrets.machineAuthAPIKeySecret" . }} - key: machine-auth-api-key - - name: AUTH_SERVICE_SERVICE_ACCOUNT_ID valueFrom: configMapKeyRef: From a99b6b01b5dbd1cf9325f110bf5c32778b4a1647 Mon Sep 17 00:00:00 2001 From: DanielY <55952458+case0sh@users.noreply.github.com> Date: Thu, 19 Oct 2023 00:06:38 +0800 Subject: [PATCH 5/5] language conf (#408) * fix env name for default lang option * fix env name for default lang option * fix env name for default lang option * fix env name for default lang option --- charts/ocis/templates/notifications/deployment.yaml | 3 +++ charts/ocis/templates/settings/deployment.yaml | 6 +++--- charts/ocis/templates/userlog/deployment.yaml | 4 ++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/charts/ocis/templates/notifications/deployment.yaml b/charts/ocis/templates/notifications/deployment.yaml index d9acf856d..8d38de102 100644 --- a/charts/ocis/templates/notifications/deployment.yaml +++ b/charts/ocis/templates/notifications/deployment.yaml @@ -26,6 +26,9 @@ spec: {{- include "ocis.containerSecurityContext" . | nindent 10 }} env: {{- include "ocis.serviceRegistry" . | nindent 12 }} + + - name: OCIS_DEFAULT_LANGUAGE + value: {{ default "en" .Values.features.language.default | quote }} - name: NOTIFICATIONS_LOG_COLOR value: {{ .Values.logging.color | quote }} diff --git a/charts/ocis/templates/settings/deployment.yaml b/charts/ocis/templates/settings/deployment.yaml index ca5601210..3ffe4a92a 100644 --- a/charts/ocis/templates/settings/deployment.yaml +++ b/charts/ocis/templates/settings/deployment.yaml 
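Review bot: `OCIS_DEFAULT_LANGUAGE` appears to be a global oCIS setting, yet this series sets it by hand in the notifications, settings and userlog deployments (the latter two in the following hunks), so any further service that honours it would silently fall back to the binary's own default unless someone remembers to add the entry; if more services read it, an include placed next to `ocis.serviceRegistry` would keep the value in one place. In this hunk the added block also lacks the blank line after `value:` that the settings and userlog hunks have, leaving `NOTIFICATIONS_LOG_COLOR` visually glued to it. The env list starts and continues outside the hunk.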
@@ -26,6 +26,9 @@ spec: env: {{- include "ocis.serviceRegistry" . | nindent 12 }} + - name: OCIS_DEFAULT_LANGUAGE + value: {{ default "en" .Values.features.language.default | quote }} + - name: SETTINGS_LOG_COLOR value: {{ .Values.logging.color | quote }} - name: SETTINGS_LOG_LEVEL @@ -45,9 +48,6 @@ spec: - name: SETTINGS_DEBUG_PPROF value: {{ .Values.debug.profiling | quote }} - - name: SETTINGS_DEFAULT_LANGUAGE - value: {{ default "en" .Values.features.language.default | quote }} - # cache - name: SETTINGS_CACHE_STORE value: {{ default "memory" .Values.cache.type | quote }} diff --git a/charts/ocis/templates/userlog/deployment.yaml b/charts/ocis/templates/userlog/deployment.yaml index 823d6eadd..2c87afc16 100644 --- a/charts/ocis/templates/userlog/deployment.yaml +++ b/charts/ocis/templates/userlog/deployment.yaml @@ -26,6 +26,10 @@ spec: {{- include "ocis.containerSecurityContext" . | nindent 10 }} env: {{- include "ocis.serviceRegistry" . | nindent 12 }} + + - name: OCIS_DEFAULT_LANGUAGE + value: {{ default "en" .Values.features.language.default | quote }} + - name: USERLOG_LOG_COLOR value: {{ .Values.logging.color | quote }} - name: USERLOG_LOG_LEVEL