improve next #410

Merged
merged 5 commits into from
Oct 18, 2023
16 changes: 11 additions & 5 deletions charts/ocis/docs/values-desc-table.adoc
@@ -672,11 +672,11 @@ a| [subs=-attributes]
a| [subs=-attributes]
`true`
|
| features.sharing.passwordPolicies.bannedPasswordsList
| features.sharing.passwordPolicies.bannedPasswords
a| [subs=-attributes]
+string+
+list+
a| [subs=-attributes]
`""`
`[]`
|
| features.sharing.passwordPolicies.minCharacters
a| [subs=-attributes]
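Review bot: the description cell for `features.sharing.passwordPolicies.bannedPassword` is still empty (the bare `|` after `[]`), and since the key changed from a string path to a `list` this is the moment to fill it; a one-liner such as "Passwords that may not be used for public link shares; rendered into a file mounted into the frontend pod" would tell readers of the generated table what the entries are and where they end up.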
@@ -784,7 +784,7 @@ a| [subs=-attributes]
a| [subs=-attributes]
+string+
a| [subs=-attributes]
`"Always"`
`"IfNotPresent"`
| Image pull policy
| image.pullSecrets
a| [subs=-attributes]
@@ -802,7 +802,7 @@ a| [subs=-attributes]
a| [subs=-attributes]
+string+
a| [subs=-attributes]
`""`
`"c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed"`
| Image sha / digest (optional).
| image.tag
a| [subs=-attributes]
@@ -1038,6 +1038,12 @@ a| [subs=-attributes]
a| [subs=-attributes]
`""`
| Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
| secretRefs.globalNotificationsSecretRef
a| [subs=-attributes]
+string+
a| [subs=-attributes]
`""`
| The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
| secretRefs.idpSecretRef
a| [subs=-attributes]
+string+
18 changes: 12 additions & 6 deletions charts/ocis/docs/values.adoc.yaml
@@ -7,9 +7,9 @@ image:
# -- Image tag. Defaults to the chart's appVersion.
tag: "latest"
# -- Image sha / digest (optional).
sha: ""
sha: "c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed" # oCIS as of 18th October 2023
# -- Image pull policy
pullPolicy: Always
pullPolicy: IfNotPresent
# -- Names of the secret containing the credentials to pull an image from the registry. More
# information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
#
@@ -217,8 +217,10 @@ features:
minSpecialCharacters: 0
# the minimum amount of digits the password needs to have
minDigits: 0
# the path to the file containing the list of banned passwords
bannedPasswordsList: ""
# list of banned passwords
bannedPasswords: []
# - foo
# - bar
# Apps integration
appsIntegration:
# -- Enables the apps integration.
@@ -593,6 +595,8 @@ secretRefs:
s3CredentialsSecretRef: ""
# -- Reference to an existing service account secret (see xref:{secrets}[Secrets])
serviceAccountSecretRef: ""
# -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
globalNotificationsSecretRef: ""

# Security context options.
securityContext:
@@ -695,13 +699,15 @@ jobNodeSelector:
# kubernetes.io/arch: "amd64"

# -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services.<service-name>.jobPriorityClassName` is set.
jobPriorityClassName: ""
jobPriorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority

# -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services.<service-name>.priorityClassName` is set.
priorityClassName: ""
priorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority
4 changes: 4 additions & 0 deletions charts/ocis/templates/_common/_configvalues.tpl
@@ -40,6 +40,10 @@ All take the scope as the first and only parameter.
{{ .Values.secretRefs.serviceAccountSecretRef | default "service-account-secret" | quote }}
{{- end -}}

{{- define "secrets.globalNotificationsSecret" -}}
{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.globalNotificationsSecretRef | quote }}
{{- end -}}

{{- define "secrets.messagingSystemCASecret" -}}
{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }}
{{- end -}}
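Review bot: the `required` message in the new `secrets.globalNotificationsSecret` define is wrong: it says `messagingSystemCASecret can't be autogenerated`, copied from the `secrets.messagingSystemCASecret` define right below it, so an operator who trips it gets pointed at the wrong value. It should read `globalNotificationsSecret can't be autogenerated`. Note also that the only caller in this PR (`templates/userlog/deployment.yaml`) wraps the include in `{{- if .Values.secretRefs.globalNotificationsSecretRef }}`, so `required` can never fire there; since the value is optional, the guard is the right check and `required` could be dropped in favour of a plain `.Values.secretRefs.globalNotificationsSecretRef | quote`.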
15 changes: 15 additions & 0 deletions charts/ocis/templates/frontend/config.yaml
@@ -0,0 +1,15 @@
{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameFrontend" "appNameSuffix" "") -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: sharing-banned-passwords
namespace: {{ template "ocis.namespace" . }}
labels:
{{- include "ocis.labels" . | nindent 4 }}
data:
sharing-banned-passwords.txt: |-
{{- with .Values.features.sharing.passwordPolicies.bannedPasswords -}}
{{- range . -}}
{{- . | nindent 4 }}
{{- end -}}
{{- end -}}
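Review bot: the ConfigMap name `sharing-banned-passwords` is hard-coded, so two releases of this chart in the same namespace would fight over one object; every other resource in the chart goes through the shared naming helpers, and this one should derive its name the same way (and the `configMap.name` in `frontend/deployment.yaml` with it). Two smaller points on the `data` block: entries are emitted one per line via `nindent 4` inside a `|-` block scalar, so a list entry that itself contains a newline silently becomes two banned passwords, and an empty `bannedPasswords` list still produces the ConfigMap with an empty file, which is fine but worth a comment since the frontend is always pointed at it.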
11 changes: 8 additions & 3 deletions charts/ocis/templates/frontend/deployment.yaml
@@ -9,7 +9,7 @@ spec:
{{- end }}
{{- include "ocis.deploymentStrategy" . | nindent 2 }}
template:
{{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" false) | nindent 4 }}
{{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" true) | nindent 4 }}
spec:
{{- include "ocis.serviceAccount" . | nindent 6 }}
{{- include "ocis.affinity" .Values.services.frontend | nindent 6 }}
@@ -152,7 +152,7 @@ spec:

# password policies
- name: FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS
value: {{ .Values.features.sharing.passwordPolicies.minChars | quote }}
value: {{ .Values.features.sharing.passwordPolicies.minCharacters | quote }}
- name: FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
value: {{ .Values.features.sharing.passwordPolicies.minLowerCharacters | quote }}
- name: FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
@@ -162,7 +162,7 @@ spec:
- name: FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
value: {{ .Values.features.sharing.passwordPolicies.minSpecialCharacters | quote }}
- name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
value: {{ .Values.features.sharing.passwordPolicies.bannedPasswordsList | quote }}
value: /etc/ocis/sharing-banned-passwords.txt

{{- include "ocis.livenessProbe" . | nindent 10 }}

@@ -175,10 +175,15 @@ spec:
containerPort: 9141

volumeMounts:
- name: configs
mountPath: /etc/ocis
- name: tmp-volume
mountPath: /tmp

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
- name: configs
configMap:
name: sharing-banned-passwords
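Review bot: mounting the `configs` ConfigMap directly at `/etc/ocis` replaces the whole directory, which shadows anything the image ships there and is also the default config directory oCIS reads `ocis.yaml` from, so any later attempt to drop a config file into `/etc/ocis` for this service will be hidden by this mount. Either mount it under a dedicated subdirectory (e.g. `mountPath: /etc/ocis/banned-passwords` and point `FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` at `/etc/ocis/banned-passwords/sharing-banned-passwords.txt`), or add `subPath: sharing-banned-passwords.txt` so only that one file is projected. Also note that with `subPath` the file is not updated live on ConfigMap changes, which is why the `configCheck: true` switch above (rolling the pod on config changes) is the right companion to this mount.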
9 changes: 8 additions & 1 deletion charts/ocis/templates/userlog/deployment.yaml
@@ -26,7 +26,6 @@ spec:
{{- include "ocis.containerSecurityContext" . | nindent 10 }}
env:
{{- include "ocis.serviceRegistry" . | nindent 12 }}

- name: USERLOG_LOG_COLOR
value: {{ .Values.logging.color | quote }}
- name: USERLOG_LOG_LEVEL
@@ -88,6 +87,14 @@ spec:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- if .Values.secretRefs.globalNotificationsSecretRef }}
- name: USERLOG_GLOBAL_NOTIFICATIONS_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.globalNotificationsSecret" . }}
key: notifications-secret
{{- end }}

- name: USERLOG_JWT_SECRET
valueFrom:
secretKeyRef:
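Review bot: when `secretRefs.globalNotificationsSecretRef` is unset, `USERLOG_GLOBAL_NOTIFICATIONS_SECRET` is omitted entirely rather than set to an empty string, which is the correct shape; please confirm in the PR description that userlog treats an absent secret as "admins only" for the POST/DELETE endpoints and does not fall back to accepting an empty shared secret, since the values comment promises exactly that. Separately, the key name `notifications-secret` is only discoverable by reading this template; a missing key produces a `CreateContainerConfigError` with no hint from values.yaml, so the expected key should be stated in the `globalNotificationsSecretRef` comment.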
18 changes: 12 additions & 6 deletions charts/ocis/values.yaml
@@ -6,9 +6,9 @@ image:
# -- Image tag. Defaults to the chart's appVersion.
tag: "latest"
# -- Image sha / digest (optional).
sha: ""
sha: "c804f9b7120eebe276ec4d35975760e0d924fa197ba641e243ab22e118cec6ed" # oCIS as of 18th October 2023
# -- Image pull policy
pullPolicy: Always
pullPolicy: IfNotPresent
# -- Names of the secret containing the credentials to pull an image from the registry. More
# information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
#
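Review bot: the comment `# oCIS as of 18th October 2023` does not say which tag or release the digest was resolved from, so nobody can verify it later; record the source tag (and registry) next to the digest, and extend the `sha` comment to say how `sha` and `tag` combine when both are set. The switch from `Always` to `IfNotPresent` is only safe because the digest is now pinned: an operator who clears `sha` while keeping `tag: "latest"` will have each node keep running whatever `latest` it pulled first, with no pull on restart. That trade-off belongs in the `pullPolicy` comment, since the default now quietly depends on the digest above it.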
@@ -216,8 +216,10 @@ features:
minSpecialCharacters: 0
# the minimum amount of digits the password needs to have
minDigits: 0
# the path to the file containing the list of banned passwords
bannedPasswordsList: ""
# list of banned passwords
bannedPasswords: []
Contributor:
Not sure if this will be sufficient in the future. I heard that there will be thousands of passwords in this banned password list. But we can iterate over this later

Contributor Author:
I don't know where this should go. If we have thousands of passwords we might hit the ConfigMap size limit quite quickly.

But to be honest: is a list of thousands of passwords that is regularly updated still application configuration? I would rather treat this like e.g. ClamAV virus signature databases... Those need to be fetched from some sort of mirror.

# - foo
# - bar
# Apps integration
appsIntegration:
# -- Enables the apps integration.
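Review bot: the inline list is rendered verbatim into the `sharing-banned-passwords` ConfigMap, and Kubernetes caps a ConfigMap at 1 MiB, so the "thousands of passwords" scenario raised in the thread will hit a hard limit and also bloat every `helm get values` and release secret with the full list. A `bannedPasswordsConfigMapRef`-style reference to an existing ConfigMap, following the `secretRefs` convention already used in this file, would keep values.yaml small, let the list be maintained (or synced from a mirror, as suggested above) outside of chart releases, and still fit the `configCheck` rollout mechanism. Keeping the inline list for small deployments is fine, but the comment should say it is meant for short lists.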
@@ -592,6 +594,8 @@ secretRefs:
s3CredentialsSecretRef: ""
# -- Reference to an existing service account secret (see ref:Secrets#secrets)
serviceAccountSecretRef: ""
# -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
globalNotificationsSecretRef: ""

# Security context options.
securityContext:
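Review bot: the comment on `globalNotificationsSecretRef` reads as if the value were the secret itself ("The secret to secure the global notifications endpoint"), but like every other `secretRefs` entry it is the name of an existing Kubernetes Secret. Reword it to match its neighbours, e.g. "Reference to an existing secret containing the global notifications secret under the key `notifications-secret` (see ref:Secrets#secrets)", and state that leaving it empty disables the shared-secret path so only system admins can call the POST/DELETE endpoints.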
@@ -694,13 +698,15 @@ jobNodeSelector:
# kubernetes.io/arch: "amd64"

# -- Default priorityClassName to apply to all services, except per-service jobPriorityClassName configuration in `services.<service-name>.jobPriorityClassName` is set.
jobPriorityClassName: ""
jobPriorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority

# -- Default priorityClassName to apply to all services, except per-service priorityClassName configuration in `services.<service-name>.priorityClassName` is set.
priorityClassName: ""
priorityClassName:
""
# ocis-low-priority
# ocis-medium-priority
# ocis-high-priority
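Review bot: `jobPriorityClassName:` with `""` on the following line still parses as the empty string, but the layout now reads as though the commented class names were alternatives for a list value, and the same split is applied to `priorityClassName`. Keep `jobPriorityClassName: ""` on one line and turn the examples into copy-pasteable commented assignments (`# jobPriorityClassName: ocis-low-priority`), which is also the form the generated docs table can render cleanly.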