From f8c707d7ceb200471ce0499f2b5f7991417ee7c0 Mon Sep 17 00:00:00 2001
From: dbildungs-iam-server-gha
Date: Mon, 25 Nov 2024 17:26:29 +0000
Subject: [PATCH] dbildungs-iam-server

---
 automation/dbildungs-iam-server/Chart.lock | 2 +-
 automation/dbildungs-iam-server/Chart.yaml | 4 ++--
 .../dbildungs-iam-server/config/secrets.json | 2 +-
 .../templates/_dbildungs-iam-server-envs.tpl | 15 +++++++++++++++
 .../templates/backend-servicemonitor.yaml | 8 +++-----
 .../templates/configmap.yaml | 3 ---
 .../dbildungs-iam-server/templates/cronjob.yaml | 17 +++++++----------
 .../dbildungs-iam-server/templates/secret.yaml | 3 +++
 automation/dbildungs-iam-server/values.yaml | 13 +++++--------
 9 files changed, 37 insertions(+), 30 deletions(-)

diff --git a/automation/dbildungs-iam-server/Chart.lock b/automation/dbildungs-iam-server/Chart.lock
index fd59309c7..c9dce956a 100644
--- a/automation/dbildungs-iam-server/Chart.lock
+++ b/automation/dbildungs-iam-server/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
 repository: https://charts.bitnami.com/bitnami
 version: 20.3.0
 digest: sha256:a42635c8459b26a7c01fd2cfeeba7cbb250bef345be41c70b8bfcd0025379057
-generated: "2024-11-25T16:53:00.497156046Z"
+generated: "2024-11-25T17:25:53.146157103Z"
diff --git a/automation/dbildungs-iam-server/Chart.yaml b/automation/dbildungs-iam-server/Chart.yaml
index ba2f6c01d..2eda53350 100644
--- a/automation/dbildungs-iam-server/Chart.yaml
+++ b/automation/dbildungs-iam-server/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: SPSH-1195
+appVersion: DBP-0000
 dependencies:
 - condition: redis.enabled
 name: redis
@@ -8,4 +8,4 @@ dependencies:
 description: dBildungs-IAM-server
 name: dbildungs-iam-server
 type: application
-version: 0.0.0-spsh-1195-20241125-1652
+version: 0.0.0-dbp-0000-20241125-1725
diff --git a/automation/dbildungs-iam-server/config/secrets.json b/automation/dbildungs-iam-server/config/secrets.json
index dc674376e..fd6df778d 100644
--- a/automation/dbildungs-iam-server/config/secrets.json
+++ b/automation/dbildungs-iam-server/config/secrets.json
@@ -5,4 +5,4 @@
 "REDIS": {
 "PASSWORD": "password"
 }
-}
+}
\ No newline at end of file
diff --git a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
index ab47c9675..e22a1bd7e 100644
--- a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
+++ b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
@@ -86,6 +86,21 @@ secretKeyRef:
 name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
 key: pi-user-realm
+ - name: SYSTEM_RENAME_WAITING_TIME_IN_SECONDS
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: system-rename-waiting-time-in-seconds
+ - name: SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: system-step-up-timeout-in-seconds
+ - name: SYSTEM_STEP_UP_TIMEOUT_ENABLED
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: system-step-up-timeout-enabled
 - name: REDIS_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/automation/dbildungs-iam-server/templates/backend-servicemonitor.yaml b/automation/dbildungs-iam-server/templates/backend-servicemonitor.yaml
index e59418bd7..a1d511019 100644
--- a/automation/dbildungs-iam-server/templates/backend-servicemonitor.yaml
+++ b/automation/dbildungs-iam-server/templates/backend-servicemonitor.yaml
@@ -1,8 +1,8 @@
-{{ if .Values.backend.serviceMonitor.enabled }}
+{{if .Values.backend.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
- name: {{ template "common.names.name" . }}
+ name: {{ template "common.names.name" . }}-backend
 namespace: {{ template "common.names.namespace" . }}
 labels:
 {{- include "common.labels" . | nindent 4 }}
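Review bot: The three new `secretKeyRef` entries make the backend container depend on keys that an operator-supplied secret (the template falls back to `.Values.auth.existingSecret`) will not contain yet, so existing deployments upgrade into CreateContainerConfigError until that external secret is extended; this should be called out in values.yaml/the chart notes, or the three refs should carry `optional: true` so a missing key does not block startup. These values are timing and feature-flag settings rather than credentials, so moving them out of the ConfigMap also hides them from `kubectl describe`/diffs without gaining confidentiality — keeping them as plain env vars or ConfigMap keys is the more auditable choice. The env list continues outside this hunk.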
@@ -13,11 +13,9 @@ spec:
 - {{ include "common.names.namespace" . | quote }}
 selector:
 matchLabels:
- app.kubernetes.io/name: {{ template "common.names.name" . }}
+ app.kubernetes.io/name: {{ template "common.names.name" . }}-backend
 app.kubernetes.io/component: server-backend
 endpoints:
 - port: {{ (index .Values.backend.serviceMonitor.endpoints 0).port }}
- path: {{ .Values.backend.serviceMonitor.path }}
- interval: {{ .Values.backend.serviceMonitor.interval }}
 {{ end }}
diff --git a/automation/dbildungs-iam-server/templates/configmap.yaml b/automation/dbildungs-iam-server/templates/configmap.yaml
index c194e8e8c..d786d57cf 100644
--- a/automation/dbildungs-iam-server/templates/configmap.yaml
+++ b/automation/dbildungs-iam-server/templates/configmap.yaml
@@ -21,6 +21,3 @@ data:
 LDAP_OEFFENTLICHE_SCHULEN_DOMAIN: "{{ .Values.ldap.oeffentlicheSchulenDomain }}"
 LDAP_ERSATZSCHULEN_DOMAIN: "{{ .Values.ldap.ersatzschulenDomain }}"
 STATUS_REDIRECT_URL: "{{ .Values.status.url }}"
- SYSTEM_RENAME_WAITING_TIME_IN_SECONDS: "{{ .Values.backend.env.renameWaitingTimeInSeconds }}"
- SYSTEM_STEP_UP_TIMEOUT_ENABLED: "{{ .Values.backend.env.stepUpTimeoutEnabled }}"
- SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS: "{{ .Values.backend.env.stepUpTimeoutInSeconds }}"
diff --git a/automation/dbildungs-iam-server/templates/cronjob.yaml b/automation/dbildungs-iam-server/templates/cronjob.yaml
index b2b72b23f..64381b883 100644
--- a/automation/dbildungs-iam-server/templates/cronjob.yaml
+++ b/automation/dbildungs-iam-server/templates/cronjob.yaml
@@ -22,10 +22,9 @@ spec:
 image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
 imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
 securityContext:
- # not yet possible since we need to install some tools
- # privileged: false
- # runAsUser: 1000
- # runAsNonRoot: true
+ privileged: false
+ runAsUser: 1000
+ runAsNonRoot: true
 capabilities:
 drop:
 - ALL
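Review bot: The selector now requires the backend Service to be labelled `app.kubernetes.io/name: <name>-backend`; the Service template is not part of this diff, so if it still carries the bare chart name the ServiceMonitor matches nothing and the backend silently disappears from Prometheus with no error anywhere. Please confirm the Service labels were changed in step, or select on the `app.kubernetes.io/component: server-backend` label alone, which is already present and unaffected by the rename. Dropping `path` and `interval` falls back to the operator defaults (`/metrics` and the global scrape interval), which is reasonable but deserves a comment such as `# path/interval: prometheus-operator defaults (/metrics, global scrape_interval)` so nobody adds the now-unused values back.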
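Review bot: The container securityContext now enforces non-root, but `allowPrivilegeEscalation: false` is still absent, so a setuid binary in the cron-tools image could regain privileges despite `capabilities.drop: [ALL]`; add `allowPrivilegeEscalation: false` next to `privileged: false` and `seccompProfile: {type: RuntimeDefault}` to meet the Restricted Pod Security Standard. A hard-coded `runAsUser: 1000` also assumes the new image's filesystem and working directory are usable by that uid — this cannot be checked from the chart, so it is worth a comment like `# uid 1000 must exist/own the workdir in cron-tools` or making it a value. With the script copy step gone, `readOnlyRootFilesystem: true` plus an emptyDir for the log directory would be the natural next hardening step.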
@@ -52,11 +51,8 @@ spec:
 - "sh"
 - "-c"
 - |
- mkdir /scripts &&
- cp /scripts_tmp/*.sh /scripts/ &&
- chmod +x /scripts/*.sh &&
- touch /var/log/cron.log &&
- chmod 644 /var/log/cron.log &&
+ touch /tmp/log/cron.log &&
+ chmod 644 /tmp/log/cron.log &&
 cd {{ $.Values.cronjobs.scriptDir }} &&
 bash {{ $job_options.script }}
 volumeMounts:
@@ -65,7 +61,8 @@ spec:
 subPath: jwks.json
 readOnly: true
 - name: script-volume
- mountPath: /scripts_tmp
+ mountPath: /scripts
+ defaultMode: 0555
 readOnly: false
 ports:
 - containerPort: {{ $.Values.cronjobs.port }}
diff --git a/automation/dbildungs-iam-server/templates/secret.yaml b/automation/dbildungs-iam-server/templates/secret.yaml
index 10e959f4e..d87bfe75d 100644
--- a/automation/dbildungs-iam-server/templates/secret.yaml
+++ b/automation/dbildungs-iam-server/templates/secret.yaml
@@ -22,6 +22,9 @@ data:
 pi-admin-password: {{ .Values.auth.pi_admin_password }}
 pi-user-resolver: {{ .Values.auth.pi_user_resolver }}
 pi-user-realm: {{ .Values.auth.pi_user_realm }}
+ system-rename-waiting-time-in-seconds: {{ .Values.auth.system_rename_waiting_time_in_seconds }}
+ system-step-up-timeout-in-seconds: {{ .Values.auth.system_step_up_timeout_in_seconds }}
+ system-step-up-enabled: {{ .Values.auth.system_step_up_enabled }}
 secrets-json: {{ .Values.auth.secrets_json }}
 redis-password: {{ .Values.auth.redis_password }}
 {{- end }}
diff --git a/automation/dbildungs-iam-server/values.yaml b/automation/dbildungs-iam-server/values.yaml
index 2b0bfbc5b..bed6032ab 100644
--- a/automation/dbildungs-iam-server/values.yaml
+++ b/automation/dbildungs-iam-server/values.yaml
@@ -50,6 +50,9 @@ auth:
 pi_admin_password: ''
 pi_user_resolver: ''
 pi_user_realm: ''
+ system_rename_waiting_time_in_seconds: ''
+ system_step_up_timeout_in_seconds: ''
+ system_step_up_timeout_enabled: ''
 redis_password: ''
 
 backend:
@@ -111,8 +114,6 @@ backend:
 http: 80
 serviceMonitor:
 enabled: true
- path: "/metrics"
- interval: 30s
 endpoints:
 - port: 'web'
 extraEnvVars: []
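Review bot: `touch /tmp/log/cron.log` only works if `/tmp/log` already exists in the image; otherwise the `&&` chain aborts before `bash {{ $job_options.script }}` ever runs and the job fails on every schedule. Add `mkdir -p /tmp/log &&` ahead of the touch, or mount an emptyDir at `/tmp/log` so the path also survives a read-only root filesystem. Because `/tmp` is world-writable inside the container and `chmod 644` leaves the log world-readable, make sure the scripts never echo the Keycloak token they obtain via `keycloakTokenUrl` or other secrets into it — that cannot be verified from the chart alone. The command block continues outside this hunk.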
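Review bot: `defaultMode: 0555` is not a field of `volumeMounts[]`; it belongs on the volume source (`volumes[].configMap.defaultMode`), so depending on the tooling this line is either rejected by schema validation or silently dropped, and the scripts keep the ConfigMap default mode (0644 — `bash <script>` still works, but the intent is lost). Move it to the `script-volume` definition, which lies outside this hunk, and quote or write it as `0o555`/`365` so a YAML 1.2 parser does not read it as decimal 555. Since the scripts are now executed in place instead of being copied, the mount should also be `readOnly: true` rather than `readOnly: false`, so a compromised job cannot rewrite its own scripts for the next run.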
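Review bot: The third added key does not match the rest of the change: this file writes `system-step-up-enabled` from `.Values.auth.system_step_up_enabled`, while values.yaml declares `auth.system_step_up_timeout_enabled` and the env template reads key `system-step-up-timeout-enabled`. As written the Secret gets an empty value under a key nothing reads, and the backend pod fails with CreateContainerConfigError for the missing key — a hard outage for a setting that governs step-up re-authentication timeouts. Change the line to `system-step-up-timeout-enabled: {{ .Values.auth.system_step_up_timeout_enabled }}`. These entries sit under `data:`, so the values must be base64 (`| b64enc`) unless the chart documents that all `auth.*` values are passed pre-encoded like the neighbouring keys; an empty plain value there will not render as a valid Secret.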
@@ -126,10 +127,6 @@ backend:
 subPath: secrets-json
 name: secret-volume
 extraVolumeMounts: []
- env:
- renameWaitingTimeInSeconds: 3
- stepUpTimeoutInSeconds: 900
- stepUpTimeoutEnabled: 'false'
 
 redis:
 enabled: true
@@ -175,8 +172,8 @@ status:
 cronjobs:
 enabled: true
 image:
- tag: DBP-1083-latest
- repository: ghcr.io/hpi-schul-cloud/cron-tools
+ tag: '1.1.0'
+ repository: docker.io/schulcloud/cron-tools
 pullPolicy: IfNotPresent
 port: 5656
 keycloakTokenUrl: '/realms/SPSH/protocol/openid-connect/token'
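Review bot: Deleting `backend.env` drops the documented defaults (3 s rename wait, 900 s step-up timeout, step-up timeout off) without carrying them over to the new `auth.*` values, which default to `''`; how the backend treats an empty `SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS` or `SYSTEM_STEP_UP_TIMEOUT_ENABLED` cannot be told from the chart, so a session-security control may now be silently disabled or set to zero on every deployment that does not override it. Re-add the previous defaults under `auth:` in the encoding the Secret template expects, and annotate them, e.g. `# step-up timeout bounds how long a privileged action stays authorised; keep enabled in production`.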
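Review bot: The cron image now comes from a different registry and owner (`docker.io/schulcloud/cron-tools`) and is referenced by a mutable tag with `pullPolicy: IfNotPresent`, so nodes that already cached a `1.1.0` keep running it and a re-pushed `1.1.0` would be picked up unverified elsewhere — this job holds credentials for `keycloakTokenUrl`, so the image is security-critical. Pin by digest, e.g. `tag: '1.1.0@sha256:<digest>'` (or add a `digest` value rendered into the image reference), and record in the commit message why the image moved off ghcr.io/hpi-schul-cloud, since the registry change also changes who can publish what the cluster runs.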