6. Reference#

This section provides a reference for the configuration values of the Helm Chart used to deploy Univention Nubus. For overwriting default values before installation of the Helm Chart, refer to Customizing the Chart Before Installation.

Important

The Helm Chart is still under active development and not yet stable. Some configuration settings are still subject to change and not fully documented.

However, this section gives you an idea of what the reference looks like.

The reference you see is a one-time extract from the Helm Chart with some manual adjustments. After the Helm Chart reaches a stable state, the Operation Manual includes an automatically generated configuration settings reference from the Helm Chart documentation strings here.

6.1. Global#

global.imagePullPolicy#

Description: …
Default value: …

global.registry#

Description: Configures the location of the registry for the service images. More specific settings in subcharts overwrite this value.
Default value: …

global.domain#

Description: Domain in which Nubus will be deployed in.
Default value: …

global.nubusMasterPassword#

Description: Secret from which the services secrets are derived.
Default value: …

global.ldap.domainName#

Description: LDAP domain name.
Default value: …

6.2. Nubus Stack Gateway#

nubusStackGateway.ingress.hostname#

Description: Hostname for the Nubus Gateway Ingress.
Default value: …

6.3. Keycloak#

keycloak.config.admin.existingSecret.key#

Description: The key which identifies the password in the secret file.
Default value: ""
Allowed values: N/A

keycloak.config.admin.existingSecret.name#

Description: Existing secret which contains the Keycloak administration password.
Default value: ""
Allowed values: N/A

keycloak.config.admin.password#

Description: Administration password or as secret through keycloak.config.admin.existingSecret.name.
Default value: ""
Allowed values: N/A

keycloak.config.admin.username#

Description: Admin username.
Default value: "kcadmin"
Allowed values: N/A

keycloak.config.database.existingSecret.key#

Description: The key which identifies the password in the secret file.
Default value: "databasePassword"
Allowed values: N/A

keycloak.config.database.existingSecret.name#

Description: Existing secret which contains the Keycloak database password.
Default value: ""
Allowed values: N/A

keycloak.config.database.host#

Description: Database host.
Default value: "postgresql"
Allowed values: N/A

keycloak.config.database.name#

Description: Database name.
Default value: "keycloak"
Allowed values: N/A

keycloak.config.database.password#

Description: Database password or as secret through existingSecret.
Default value: ""
Allowed values: N/A

keycloak.config.database.port#

Description: Database port.
Default value: 5432
Allowed values: N/A

keycloak.config.database.properties#

Description: Database properties.
Default value: ""
Allowed values: N/A

keycloak.config.database.type#

Description: Database vendor.
Default value: "postgres"
Allowed values: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres

keycloak.config.database.username#

Description: Database username.
Default value: "keycloak_user"
Allowed values: N/A

keycloak.config.enableMetrics#

Description: Enables Keycloak metrics endpoint. For reference, see https://www.keycloak.org/server/configuration-metrics.
Default value: true
Allowed values: N/A

keycloak.config.exposeAdminConsole#

Description: Expose admin console, if set to true no Ingress path restrictions are applied. Otherwise only /realms/ and /resources/ are made available to the public internet. Ref.: https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
Default value: false
Allowed values: N/A

keycloak.config.features.disabled#

Description: Disables a set of one or more features for Keycloak.
Default value: []
Allowed values: N/A

keycloak.config.features.enabled#

Description: Enables a set of one or more features for Keycloak.
Default value: ["admin-fine-grained-authz","token-exchange"]
Allowed values: N/A

keycloak.config.hostname#

Description: Hostname. Fore reference, see https://www.keycloak.org/server/hostname.
Default value: {{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}
Allowed values: N/A

keycloak.config.logLevel#

Description: Set log level.
Default value: "INFO"
Allowed values: For reference, see keycloak/log/level

keycloak.config.proxy#

Description: Proxy mode.
Default value: "edge"
Allowed values: For reference, see https://www.keycloak.org/server/reverseproxy

6.4. LDAP Server#

ldap-server.ldapServer.config.domainName#

Description

Internal domain name of the UCS system.

Example:: domainName: "univention-organization.intranet"

Default value

""

Allowed values

N/A

ldap-server.ldapServer.config.ldapBaseDn#

Description

Base DN of the LDAP directory.

Example:: ldapBaseDn: "dc=univention-organization,dc=intranet"

Default value

""

Allowed values

N/A

ldap-server.ldapServer.config.logLevel#

Description

Log level for slapd. Pass a comma-separated list of values from the OpenLDAP docs.

Example:: "conn,stats".

Default value

"stats"

Allowed values

N/A

ldap-server.ldapServer.config.samlMetadataUrl#

Description

URL of the IdP that contains the SAML metadata.

Example:: samlMetadataUrl: "http://myportal.local:8097/realms/ucs/protocol/saml/descriptor"

Default value

""

Allowed values

N/A

ldap-server.ldapServer.config.samlMetadataUrlInternal#

Description

Internal URL of the IdP to download SAML metadata from, in the case that ldap-server.ldapServer.config.samlMetadataUrl isn’t visible to the container.

Example:: samlMetadataUrlInternal: "http://keycloak.myportal.local/realms/ucs/protocol/saml/descriptor"

Default value

""

Allowed values

N/A

ldap-server.ldapServer.config.samlServiceProviders#

Description

A comma separated list of SAML 2 Service Provider URLs. The LDAP Server requires those URLs.

Example:: samlServiceProviders: "http://myportal.local:8000/univention/saml/metadata,http://myportal.local:8000/auth/realms/ucs"

Default value

""

Allowed values

N/A

ldap-server.ldapServer.credentialSecret#

Description

Optional reference to a different secret for credentials

Example:: credentialSecret: {name: "custom-credentials", adminPasswordKey: "adminPassword"}

Default value

{}

Allowed values

N/A

ldap-server.ldapServer.generateDHparam#

Description: N/A
Default value: true
Allowed values: N/A

ldap-server.ldapServer.image.imagePullPolicy#

Description: Image pull policy. This setting has higher precedence than global.imagePullPolicy.
Default value: "IfNotPresent"
Allowed values: N/A

ldap-server.ldapServer.image.registry#

Description: Container registry address. This setting has higher precedence than global.registry.
Default value: "gitregistry.knut.univention.de"
Allowed values: N/A

ldap-server.ldapServer.image.repository#

Description: Path to the OCI repository in the registry, where Helm can find the image for the LDAP Server. The path contains the image name itself.
Default value: "univention/customers/dataport/upx/container-ldap/ldap-server"
Allowed values: N/A

ldap-server.ldapServer.image.tag#

Description: N/A
Default value: "latest"
Allowed values: N/A

ldap-server.ldapServer.legacy.shareSamlSize#

Description: N/A
Default value: "100Mi"
Allowed values: N/A

ldap-server.ldapServer.legacy.sharedRunSize#

Description: N/A
Default value: "1Gi"
Allowed values: N/A

ldap-server.ldapServer.tls.caCertificateFile#

Description: Optional reference to the secret to use for reading Diffie-Hellman parameters. dhparamSecret: "custom-dhparam". Path the CA certificate file (TLSCACertPath (slapd), CA_CERT_FILE(entrypoint))
Default value: "/certificates/ca.crt"
Allowed values: N/A

ldap-server.ldapServer.tls.certificateFile#

Description: N/A
Default value: "/certificates/tls.crt"
Allowed values: N/A

ldap-server.ldapServer.tls.certificateKeyFile#

Description: N/A
Default value: "/certificates/tls.key"
Allowed values: N/A

ldap-server.ldapServer.tls.enabled#

Description: N/A
Default value: false
Allowed values: N/A

6.5. LDAP Notifier#

ldap-notifier.ldapNotifier.ldapServerGid#

Description: LDAP Server group ID running the LDAP server.
Default value: 102
Allowed values: N/A

ldap-notifier.ldapNotifier.ldapServerUid#

Description: LDAP Server user ID running the LDAP server.
Default value: 101
Allowed values: N/A

6.6. Portal Frontend#

portal-frontend.portalFrontend.environment#

Description: Deployment environment
Default value: "production"
Allowed values: "development", "production"

portal-frontend.portalFrontend.logLevel#

Description: Log level
Default value: "WARNING"
Allowed values: "DEBUG", "INFO", "WARNING", "ERROR"

6.7. Portal Server#

portal-server.portalServer.adminGroup#

Description: Define LDAP Admin Group. Example: "cn=Domain Admins,cn=groups,dc=example,dc=com"
Default value: null
Allowed values: N/A

portal-server.portalServer.authMode#

Description: Define the authentication mode for the portal.
Default value: "ucs"
Allowed values: "ucs", "saml"

portal-server.portalServer.centralNavigation.authenticatorSecret#

Description: Provide a custom secret, if no value is provided, a random string is generated instead.
Default value: null
Allowed values: N/A

portal-server.portalServer.centralNavigation.enabled#

Description: Activate the SecretAuthenticator for the portal.
Default value: false
Allowed values: N/A

portal-server.portalServer.credentialSecret#

Description

Optional reference to a different secret for credentials,

Example:: credentialSecret: {name: "custom-credentials", accessKeyId: "ums_user", secretAccessKey: "ums_password"}

Default value

{}

Allowed values

N/A

portal-server.portalServer.editable#

Description: Defines if members of the Admin group can use the edit mode in the portal.
Default value: "true"
Allowed values: N/A

portal-server.portalServer.environment#

Description: Deployment environment
Default value: "production"
Allowed values: "development", "production"

portal-server.portalServer.logLevel#

Description: Log level
Default value: "WARNING"
Allowed values: “DEBUG”, “INFO”, “WARNING”, “ERROR”

portal-server.portalServer.objectStorageAccessKeyId#

Description: User for the object storage
Default value: "stub_user"
Allowed values: N/A

portal-server.portalServer.objectStorageBucket#

Description: Bucket in the object storage for storing the portal and assets
Default value: "ums"
Allowed values: N/A

portal-server.portalServer.objectStorageEndpoint#

Description: Object storage endpoint
Default value: "http://ums-minio:9000"
Allowed values: N/A

portal-server.portalServer.objectStorageSecretAccessKey#

Description: Password for access to object storage
Default value: "stub_password"
Allowed values: N/A

portal-server.portalServer.port#

Description: Port on which the portal server listens
Default value: 80
Allowed values: N/A

portal-server.portalServer.ucsInternalPath#

Description

Define object storage path inside the bucket where files are placed.

Example:: "portal-assets"

Default value

"portal-data"

Allowed values

N/A

portal-server.portalServer.umcGetUrl#

Description

Define UMC get endpoint.

Example:: "https://portal.example.com/univention/internal/umc/get"

Default value

null

Allowed values

N/A

portal-server.portalServer.umcSessionUrl#

Description

Define UMC session-info” endpoint.

Example:: "https://portal.example.com/univention/internal/umc/get/session-info"

Default value

null

Allowed values

N/A

6.8. Portal Listener#

portal-listener.portalListener.adminGroup#

Description

Define LDAP Admin Group.

Example:: "cn=Domain Admins,cn=groups,dc=example,dc=com"

Default value

null

Allowed values

N/A

portal-listener.portalListener.assetsRootPath#

Description: Where to store the assets inside the object storage bucket, e.g. portal entry icons
Default value: "portal-assets"
Allowed values: N/A

portal-listener.portalListener.authMode#

Description: Define the authentication mode for the portal.
Default value: "ucs"
Allowed values: "ucs", "saml"

portal-listener.portalListener.caCert#

Description: CA root certificate, base64-encoded. Optional; will be written to "caCertFile" if set.
Default value: ""
Allowed values: N/A

portal-listener.portalListener.caCertFile#

Description: The path to the "caCertFile" Docker secret or a plain file.
Default value: "/run/secrets/ca_cert"
Allowed values: N/A

portal-listener.portalListener.debugLevel#

Description: Debug level of the listener
Default value: "4"
Allowed values: N/A

portal-listener.portalListener.domainName#

Description: Internal domain name of the UCS machine
Default value: "univention.intranet"
Allowed values: N/A

portal-listener.portalListener.editable#

Description: Defines if members of the Admin group can use the edit mode in the portal.
Default value: "true"
Allowed values: N/A

portal-listener.portalListener.ldapBaseDn#

Description: Base DN of the LDAP directory
Default value: null
Allowed values: N/A

portal-listener.portalListener.ldapHost#

Description: Hostname of the LDAP server
Default value: null
Allowed values: N/A

portal-listener.portalListener.ldapHostDn#

Description: DN of the UCS machine
Default value: null
Allowed values: N/A

portal-listener.portalListener.ldapHostIp#

Description: The IP address of the LDAP server.
Default value: null
Allowed values: N/A

portal-listener.portalListener.ldapPort#

Description: Port to connect to the LDAP server.
Default value: "389"
Allowed values: N/A

portal-listener.portalListener.ldapSecret#

Description: LDAP password for cn=admin. Will be written to "ldapSecretFile", if set.
Default value: null
Allowed values: N/A

portal-listener.portalListener.ldapSecretFile#

Description: The path to the "ldapSecretFile" Docker secret or a plain file
Default value: "/var/secrets/ldap_secret"
Allowed values: N/A

portal-listener.portalListener.logLevel#

Description: TODO: Clarify usage of this parameter
Default value: "WARNING"
Allowed values: N/A

portal-listener.portalListener.machineSecret#

Description: LDAP password for ldapHostDn. Will be written to "machineSecretFile", if set.
Default value: null
Allowed values: N/A

portal-listener.portalListener.machineSecretFile#

Description: The path to the "machineSecretFile" Docker secret or a plain file
Default value: "/var/secrets/machine_secret"
Allowed values: N/A

portal-listener.portalListener.notifierServer#

Description: Hostname where the notifier can be reached.
Default value: null
Allowed values: N/A

portal-listener.portalListener.objectStorageAccessKeyId#

Description: User for the object storage
Default value: "stub_user"
Allowed values: N/A

portal-listener.portalListener.objectStorageBucket#

Description: Bucket in the object storage for storing the portal and assets
Default value: "ums"
Allowed values: N/A

portal-listener.portalListener.objectStorageEndpoint#

Description: Object storage endpoint
Default value: "http://ums-minio:9000"
Allowed values: N/A

portal-listener.portalListener.objectStorageSecretAccessKey#

Description: Password for access to object storage
Default value: "stub_password"
Allowed values: N/A

portal-listener.portalListener.portalDefaultDn#

Description: DN of the default portal
Default value: null
Allowed values: N/A

portal-listener.portalListener.tlsMode#

Description: Whenever to start encryption and validate certificates.
Default value: "secure"
Allowed values: "off", "unvalidated" and "secure"

portal-listener.portalListener.ucsInternalPath#

Description

Define UCS internal endpoint where the portal, Self Service and groups are defined.

Example:: "https://portal.example.com/univention/internal"

Default value

"portal-data"

Allowed values

N/A

portal-listener.portalListener.udmApiSecretFile#

Description: UDM API password file. The default value is the same as portal-listener.portalListener.machineSecretFile.
Default value: "/var/secrets/machine_secret"
Allowed values: N/A

portal-listener.portalListener.udmApiUrl#

Description: UDM API connection URL
Default value: null
Allowed values: N/A

portal-listener.portalListener.udmApiUsername#

Description: UDM API username.
Default value: "cn=admin"
Allowed values: N/A

portal-listener.portalListener.umcGetUrl#

Description

Define UMC get endpoint.

Example:: "https://portal.example.com/univention/internal/umc/get"

Default value

null

Allowed values

N/A

portal-listener.portalListener.umcSessionUrl#

Description

Define UMC “session-info” endpoint.

Example:: "https://portal.example.com/univention/internal/umc/get/session-info"

Default value

null

Allowed values

N/A

6.9. Notifications API#

notifications-api.notificationsApi.apiPrefix#

Description: The URL prefix under which the API shall be deployed.
Default value: "/univention/portal/notifications-api/"
Allowed values: N/A

notifications-api.notificationsApi.applyDatabaseMigrations#

Description: Apply database migrations automatically
Default value: "True"
Allowed values: N/A

notifications-api.notificationsApi.devMode#

Description: Activate the development mode. Do not use this in production deployments.
Default value: "False"
Allowed values: N/A

notifications-api.notificationsApi.environment#

Description: TODO: Clarify usage of this parameter
Default value: "production"
Allowed values: N/A

notifications-api.notificationsApi.logLevel#

Description: Log level configuration.
Default value: "WARNING"
Allowed values: "DEBUG", "INFO", "WARNING", "ERROR"

notifications-api.notificationsApi.sqlEcho#

Description: SQL command logging.
Default value: "False"
Allowed values: "True" or "False"

6.10. UDM Listener#

udm-listener.config.caCert#

Description: CA root certificate, base64-encoded. Optional; will be written to "caCertFile", if set.
Default value: ""
Allowed values: N/A

udm-listener.config.caCertFile#

Description: Where to search for the CA Certificate file.
Default value: ""
Allowed values: N/A

udm-listener.config.eventsUsernameUdm#

Description: Messages-API Port
Default value: "udm"
Allowed values: N/A

udm-listener.config.internalApiHost#

Description: Messages-API Hostname
Default value: "provisioning-api"
Allowed values: N/A

udm-listener.config.ldapHostIp#

Description: Will add a mapping from "ldapHost" to "ldapHostIp" into /etc/hosts, if set.
Default value: nil
Allowed values: N/A

udm-listener.config.ldapPassword#

Description: LDAP password for cn=admin. Will be written to "ldapPasswordFile", if set.
Default value: ""
Allowed values: N/A

udm-listener.config.ldapPasswordFile#

Description: The path to the "ldapPasswordFile" Docker secret or a plain file.
Default value: "/var/secrets/ldap_secret"
Allowed values: N/A

udm-listener.config.natsHost#

Description: NATS requires the host, if the configuration has provisioning.nats.bundled set to false.
Default value: nil
Allowed values: N/A

udm-listener.config.natsPassword#

Description: NATS: password
Default value: "password"
Allowed values: N/A

udm-listener.config.natsPort#

Description: NATS requires the port, if the configuration has provisioning.nats.bundled set to false.
Default value: "4222"
Allowed values: N/A

udm-listener.config.natsUser#

Description: NATS: user name
Default value: "udmlistener"
Allowed values: N/A

udm-listener.config.notifierServer#

Description: Defaults to "ldapHost", if not set.
Default value: "ldap-notifier"
Allowed values: N/A

udm-listener.config.tlsMode#

Description: Whether to start encryption and validate certificates.
Default value: "off"
Allowed values: "off", "unvalidated", "secure"

6.11. Provisioning#

6.11.1. API#

provisioning.events-and-consumer-api.config.CORS_ALL#

Description: N/A
Default value: "false"
Allowed values: N/A

provisioning.events-and-consumer-api.config.DEBUG#

Description: N/A
Default value: "true"
Allowed values: N/A

provisioning.events-and-consumer-api.config.LOG_LEVEL#

Description: N/A
Default value: "INFO"
Allowed values: N/A

provisioning.events-and-consumer-api.config.ROOT_PATH#

Description: N/A
Default value: "/univention/provisioning-api"
Allowed values: N/A

provisioning.events-and-consumer-api.credentialSecretName#

Description: N/A
Default value: ""
Allowed values: N/A

provisioning.events-and-consumer-api.image.imagePullPolicy#

Description: N/A
Default value: "IfNotPresent"
Allowed values: N/A

provisioning.events-and-consumer-api.image.registry#

Description: N/A
Default value: ""
Allowed values: N/A

provisioning.events-and-consumer-api.image.repository#

Description: N/A
Default value: "univention/customers/dataport/upx/provisioning/provisioning-events-and-consumer-api"
Allowed values: N/A

provisioning.events-and-consumer-api.image.tag#

Description: N/A
Default value: "0.14.0"
Allowed values: N/A

6.11.2. Dispatcher#

provisioning.dispatcher.config.LOG_LEVEL#

Description: N/A
Default value: "INFO"
Allowed values: N/A

provisioning.dispatcher.config.UDM_HOST#

Description: N/A
Default value: ""
Allowed values: N/A

provisioning.dispatcher.config.UDM_PORT#

Description: N/A
Default value: 80
Allowed values: N/A

provisioning.dispatcher.credentialSecretName#

Description: N/A
Default value: ""
Allowed values: N/A

provisioning.dispatcher.image.imagePullPolicy#

Description: N/A
Default value: "IfNotPresent"
Allowed values: N/A

provisioning.dispatcher.image.registry#

Description: N/A
Default value: ""
Allowed values: N/A

provisioning.dispatcher.image.repository#

Description: N/A
Default value: "univention/customers/dataport/upx/provisioning/provisioning-dispatcher"
Allowed values: N/A

provisioning.dispatcher.image.tag#

Description: N/A
Default value: "0.14.0"
Allowed values: N/A

6.11.3. NATS#

provisioning.nats.bundled#

Description: Set to true if you want NATS to be installed as well.
Default value: true
Allowed values: N/A

provisioning.nats.connection.host#

Description: The NATS service to connect to.
Default value: ""
Allowed values: N/A

provisioning.nats.connection.port#

Description: The port to connect to the NATS service.
Default value: ""
Allowed values: N/A

provisioning.nats.connection.tls.caFile#

Description: The CA to verify the server’s identity when initializing the connection.
Default value: "/certificates/ca.crt"
Allowed values: N/A

provisioning.nats.connection.tls.certFile#

Description: The certificate to present when initializing the connection.
Default value: "/certificates/tls.crt"
Allowed values: N/A

provisioning.nats.connection.tls.keyFile#

Description: The private key to use for the connection.
Default value: "/certificates/tls.key"
Allowed values: N/A

6.12. Stack Data UMS#

stack-data-ums.stackDataContext.domainname#

Description: Domain name of the instance. Example: "example.org"
Default value: "univention-organization.intranet"
Allowed values: N/A.

stack-data-ums.stackDataContext.externalMailDomain#

Description: Interim. The external mail domain in use. Currently required to create the Administrator account.
Default value: "univention-organization.test"
Allowed values: N/A.

stack-data-ums.stackDataContext.hostname#

Description: Host name of the instance. Example: "souvap"
Default value: "portal"
Allowed values: N/A.

stack-data-ums.stackDataContext.idpFqdn#

Description: The FQDN of the identity provider (w/o the protocol specification). Example: "id.souvap.example.org"
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataContext.idpSamlMetadataUrl#

Description: SAML Identity Provider metadata URL (as visible from the user/internet). Example: "https://id.souvap.example.org/realms/ucs/protocol/saml/descriptor"
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataContext.idpSamlMetadataUrlInternal#

Description: SAML Identity Provider metadata URL (as visible from inside the container), optional. Example: "http://keycloak:8080/realms/ucs/protocol/saml/descriptor"
Default value: ""
Allowed values: N/A.

stack-data-ums.stackDataContext.initialPasswordAdministrator#

Description: The initial password of the user “Administrator”.
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataContext.initialPasswordSysIdpUser#

Description: The initial password of the user "sys-idp-user".
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataContext.installUmcPolicies#

Description: This parameter allows to skip the installation of the default UMC policies if set to “false”.
Default value: true
Allowed values: N/A.

stack-data-ums.stackDataContext.ldapBase#

Description: Base DN of the LDAP directory. Example: "dc=example,dc=org"
Default value: "dc=univention-organization,dc=intranet"
Allowed values: N/A.

stack-data-ums.stackDataContext.ldapHost#

Description: Hostname of the LDAP server. Example: "ucs-1234.univention.intranet"
Default value: "ldap-server"
Allowed values: N/A.

stack-data-ums.stackDataContext.ldapHostDn#

Description: DN of the UMS instance. Example: "cn=ucs-1234,cn=dc,cn=computers,dc=example,dc=org"
Default value: "cn=admin,dc=univention-organization,dc=intranet"
Allowed values: N/A.

stack-data-ums.stackDataContext.ldapPort#

Description: Port to connect to the LDAP server. Example: 389
Default value: 389
Allowed values: N/A.

stack-data-ums.stackDataContext.ldapSamlSpUrls#

Description: List of SAML Service Provider URLs which the LDAP server should trust (comma-separated). Example: "https://portal.souvap.example.org/univention/saml/metadata"
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataContext.umcMemcachedHostname#

Description: Hostname to use for Memcached of the Self Service in UMC. This sets the UCR variable umc/self-service/memcached/socket.
Default value: "umc-server-memcached"
Allowed values: N/A.

stack-data-ums.stackDataContext.umcMemcachedUsername#

Description: Username to use for Memcached of the Self Service in UMC. This sets the UCR variable umc/self-service/memcached/username.
Default value: "selfservice"
Allowed values: N/A.

stack-data-ums.stackDataContext.umcPostgresqlHostname#

Description: Hostname to use for PostgreSQL of the Self Service in UMC. This sets the UCR variable umc/self-service/postgresql/hostname.
Default value: "umc-server-postgresql"
Allowed values: N/A.

stack-data-ums.stackDataContext.umcPostgresqlUsername#

Description: Username to use for PostgreSQL of the Self Service in UMC. This sets the UCR variable umc/self-service/postgresql/username.
Default value: "selfservice"
Allowed values: N/A.

stack-data-ums.stackDataContext.umcSamlSchemes#

Description

Which address scheme to consider for SAML ACS (string, comma-separated).

Example:: "https, http"

Default value

"https"

Allowed values

N/A.

stack-data-ums.stackDataContext.umcSamlSpFqdn#

Description: SAML Service Provider hostname (FQDN of the UMC, which is the service provider) Example: "portal.souvap.example.org"
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataUms.dependencyUdmApiWait#

Description: Wait for the UDM HTTP REST API to be available.
Default value: true
Allowed values: N/A.

stack-data-ums.stackDataUms.loadDevData#

Description: Load data which is useful during development (opt-in)
Default value: false
Allowed values: N/A.

stack-data-ums.stackDataUms.udmApiPassword#

Description: The password to access the UDM Rest API
Default value: null
Allowed values: N/A.

stack-data-ums.stackDataUms.udmApiPasswordFile#

Description: The filename which contains the password
Default value: "/run/secrets/univention.de/data-loader/udm_secret"
Allowed values: N/A.

stack-data-ums.stackDataUms.udmApiUrl#

Description: The URL by which the UDM Rest API can be reached
Default value: "http://udm-rest-api/udm/"
Allowed values: N/A.

stack-data-ums.stackDataUms.udmApiUser#

Description: The username to use to connect to the UDM Rest API
Default value: "cn=admin"
Allowed values: N/A.

6.13. Stack Data SWP#

stack-data-swp.stackDataContext.adminPassword#

Description: Password for the default.admin user. This is only evaluated if loadDevData is set to true.
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataContext.portalTitleDE#

Description: Portal title in German.
Default value: "Souveräner Arbeitsplatz"
Allowed values: N/A.

stack-data-swp.stackDataContext.portalTitleEN#

Description: Portal title (English)
Default value: "Sovereign Workplace"
Allowed values: N/A.

stack-data-swp.stackDataContext.smtpHost#

Description: Self-service emails: SMTP host
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataContext.smtpPort#

Description: Self-service emails: SMTP port (default: 587)
Default value: 587
Allowed values: N/A.

stack-data-swp.stackDataContext.smtpStartTls#

Description: Self-service emails: SMTP via TLS (default: true)
Default value: true
Allowed values: N/A.

stack-data-swp.stackDataContext.smtpUser#

Description: Self-service emails: SMTP username
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataContext.userPassword#

Description: Password for the default.user user. This is only evaluated, if loadDevData is set to true.
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataSwp.dataConfigMapName#

Description: The name of the ConfigMap to import the data from
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataSwp.demoUsers#

Description: An additional set of demo users, typically supplied in a separate values file in the form: username: dummy.user firstname: Dummy lastname: User primaryGroupCN: Domain Users password: secretPW
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataSwp.dependencyUdmApiWait#

Description: Wait for the UDM REST API to be available
Default value: true
Allowed values: N/A.

stack-data-swp.stackDataSwp.extraDataFiles#

Description: Allow to configure additional data files. This has to be a map from the desired filename to the content. The content has to be a valid YAML stream which the data loader is able to process.
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataSwp.loadDevData#

Description: Load data which is useful during development (opt-in)
Default value: false
Allowed values: N/A.

stack-data-swp.stackDataSwp.systemInformation#

Description: Display release version and deploy date in the portal menu
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataSwp.udmApiPassword#

Description: The password to access the UDM Rest API
Default value: null
Allowed values: N/A.

stack-data-swp.stackDataSwp.udmApiPasswordFile#

Description: The filename which contains the password
Default value: "/run/secrets/univention.de/data-loader/udm_secret"
Allowed values: N/A.

stack-data-swp.stackDataSwp.udmApiUrl#

Description: The URL by which the UDM Rest API can be reached
Default value: "http://udm-rest-api/udm/"
Allowed values: N/A.

stack-data-swp.stackDataSwp.udmApiUser#

Description: The username to use to connect to the UDM Rest API
Default value: "cn=admin"
Allowed values: N/A.

6.14. Self-Service Listener#

selfservice-listener.selfserviceListener.caCert#

Description: CA root certificate, base64-encoded. Optional. Will be written to "caCertFile", if set.
Default value: ""
Allowed values: N/A.

selfservice-listener.selfserviceListener.caCertFile#

Description

Where to search for the CA Certificate file.

Example:: caCertFile: "/var/secrets/ca_cert"

Default value

""

Allowed values

N/A.

selfservice-listener.selfserviceListener.debugLevel#

Description: N/A
Default value: "4"
Allowed values: N/A.

selfservice-listener.selfserviceListener.environment#

Description: N/A
Default value: "production"
Allowed values: N/A.

selfservice-listener.selfserviceListener.ldapBaseDn#

Description: N/A
Default value: null
Allowed values: N/A.

selfservice-listener.selfserviceListener.ldapHost#

Description: N/A
Default value: "ucs-machine"
Allowed values: N/A.

selfservice-listener.selfserviceListener.ldapHostDn#

Description: N/A
Default value: null
Allowed values: N/A.

selfservice-listener.selfserviceListener.ldapPassword#

Description: LDAP password for cn=admin. Will be written to "ldapPasswordFile", if set.
Default value: null
Allowed values: N/A.

selfservice-listener.selfserviceListener.ldapPasswordFile#

Description: The path to the "ldapPasswordFile" Docker secret or a plain file
Default value: "/var/secrets/ldap_secret"
Allowed values: N/A.

selfservice-listener.selfserviceListener.ldapPort#

Description: Will add a mapping from "ldapHost" to "ldapHostIp" into /etc/hosts, if set.
Default value: "389"
Allowed values: N/A.

selfservice-listener.selfserviceListener.notifierServer#

Description: Defaults to "ldapHost", if not set.
Default value: null
Allowed values: N/A.

selfservice-listener.selfserviceListener.tlsMode#

Description: Whether to start encryption and validate certificates.
Default value: "secure"
Allowed values: "off", "unvalidated", "secure".

6.15. UDM REST API#

udm-rest-api.udmRestApi.image.imagePullPolicy#

Description: Image pull policy. This setting has higher precedence than global.imagePullPolicy.
Default value: "IfNotPresent"
Allowed values: N/A.

udm-rest-api.udmRestApi.image.registry#

Description: Container registry address. This setting has higher precedence than global.registry.
Default value: "gitregistry.knut.univention.de"
Allowed values: N/A.

udm-rest-api.udmRestApi.ldap.baseDN#

Description

The LDAP base DN to use when connecting.

Example:: baseDN: "dc=univention-organization,dc=intranet"

Default value

""

Allowed values

N/A.

udm-rest-api.udmRestApi.ldap.uri#

Description

The LDAP URI to connect to.

Example:: uri: "ldap://my-ldap-server:389"

Default value

""

Allowed values

N/A.

udm-rest-api.udmRestApi.secretRef#

Description

The reference to the secret containing the LDAP and machine secret.

Example:: secretRef: "udm-rest-api-credentials"

Default value

""

Allowed values

N/A.

udm-rest-api.udmRestApi.tls.caCertificateFile#

Description: Path the CA certificate file (TLSCACertPath (slapd), CA_CERT_FILE(entrypoint))
Default value: "/certificates/ca.crt"
Allowed values: N/A.

udm-rest-api.udmRestApi.tls.certificateFile#

Description: Path the servers certificate file
Default value: "/certificates/tls.crt"
Allowed values: N/A.

udm-rest-api.udmRestApi.tls.certificateKeyFile#

Description: Path the servers private-key file
Default value: "/certificates/tls.key"
Allowed values: N/A.

udm-rest-api.udmRestApi.tls.enabled#

Description: Enable TLS for LDAP connection.
Default value: false
Allowed values: N/A.

6.16. UMC Server#

umc-server.umcServer.caCert#

Description: Additional CA Certificate to trust. The value is optional.
Default value: null
Allowed values: N/A.

umc-server.umcServer.caCertFile#

Description: Path to file with the CA certificate.
Default value: "/var/secrets/ca_cert"
Allowed values: N/A.

umc-server.umcServer.certPem#

Description: Certificate used in the context of SAML to verify metadata signatures. A self-signed certificate will be generated together with the private key if none is provided.
Default value: null
Allowed values: N/A.

umc-server.umcServer.certPemFile#

Description: Path to file with the certificate in PEM format.
Default value: "/var/secrets/cert_pem"
Allowed values: N/A.

umc-server.umcServer.ldapSecretFile#

Description: Path to file with the LDAP secret.
Default value: "/var/secrets/ldap_secret"
Allowed values: N/A.

umc-server.umcServer.machineSecretFile#

Description: Path to file with the LDAP machine secret.
Default value: "/var/secrets/machine_secret"
Allowed values: N/A.

umc-server.umcServer.privateKey#

Description: The private key related to "certPem" used to sign messages in the context of SAML.
Default value: null
Allowed values: N/A.

umc-server.umcServer.privateKeyFile#

Description: Path to file with the certificate’s private key (.key).
Default value: "/var/secrets/private_key"
Allowed values: N/A.

umc-server.umcServer.smtpSecretFile#

Description: Path to file with SMTP password.
Default value: "/var/secrets/smtp_password"
Allowed values: N/A.

umc-server.memcached.auth.enabled#

Description: This parameter is only used by the bundled Memcached.
Default value: true
Allowed values: N/A.

umc-server.memcached.auth.password#

Description: Memcached password.
Default value: ""
Allowed values: N/A.

umc-server.memcached.auth.username#

Description: Memcached username.
Default value: "selfservice"
Allowed values: N/A.

umc-server.memcached.bundled#

Description: Set to true if you want Memcached to be installed as well.
Default value: true
Allowed values: N/A.

umc-server.memcached.extraEnvVars#

Description: Defaults from /ucs/management/univention-self-service/conffiles/etc/memcached_univention-self-service.conf
Default value: See example below.
Allowed values: N/A.

Example:

[
  {
    "name": "MEMCACHED_CACHE_SIZE",
    "value": "64"
  },
  {
    "name": "MEMCACHED_EXTRA_FLAGS",
    "value": "--disable-evictions"
  }
]

umc-server.memcached.server#

Description: Memcached server. This is required if you use an external Memcached.
Default value: null
Allowed values: For possible values, see https://sendapatch.se/projects/pylibmc/reference.html

6.17. Keycloak Extensions#

keycloak-extensions.global.keycloak.adminPassword#

Description: Administration password for the Keycloak administration command line interface provided user.
Default value: "univention"
Allowed values: N/A.

keycloak-extensions.global.keycloak.adminUsername#

Description: Admin user for Keycloak administration command line interface.
Default value: "admin"
Allowed values: N/A.

keycloak-extensions.global.keycloak.host#

Description: Host where Keycloak is accessible (specify port if needed).
Default value: "keycloak"
Allowed values: N/A.

keycloak-extensions.global.keycloak.realm#

Description: Keycloak realm to listen events on (master allows to listen for all realms).
Default value: "ucs"
Allowed values: N/A.

keycloak-extensions.global.postgresql.auth.database#

Description: Database for the proxy and handler to use.
Default value: "bfp"
Allowed values: N/A.

keycloak-extensions.global.postgresql.auth.password#

Description: Password for the PostgreSQL database.
Default value: "correcthorsebatterystaple"
Allowed values: N/A.

keycloak-extensions.global.postgresql.auth.postgresPassword#

Description: Currently unused.
Default value: "correcthorsebatterystaple"
Allowed values: N/A.

keycloak-extensions.global.postgresql.auth.username#

Description: User for the PostgreSQL database.
Default value: "bfp"
Allowed values: N/A.

keycloak-extensions.global.postgresql.connection.host#

Description: Hostname or IP address of the server hosting the PostgreSQL database.
Default value: "keycloak-extensions-postgresql"
Allowed values: N/A.

keycloak-extensions.global.postgresql.connection.port#

Description: Port number that the PostgreSQL database is exposed on.
Default value: "5432"
Allowed values: N/A.

keycloak-extensions.handler.appConfig.captchaProtectionEnable#

Description: Whether to enable captcha protection.
Default value: "false"
Allowed values: N/A.

keycloak-extensions.handler.appConfig.mailFrom#

Description: Email address to use as sender for email notifications.
Default value: "univention@example.org"
Allowed values: N/A.

keycloak-extensions.handler.appConfig.smtpHost#

Description: SMTP host to use for sending emails.
Default value: "mail.example.org"
Allowed values: N/A.

keycloak-extensions.handler.appConfig.smtpPassword#

Description: Password for the SMTP server.
Default value: "some_password"
Allowed values: N/A.

keycloak-extensions.handler.appConfig.smtpPort#

Description: Port to use for the SMTP server.
Default value: "587"
Allowed values: N/A.

keycloak-extensions.handler.appConfig.smtpUsername#

Description: Username for the SMTP server.
Default value: "univention"
Allowed values: N/A.

keycloak-extensions.handler.image.tag#

Description: N/A.
Default value: "latest"
Allowed values: N/A.

keycloak-extensions.postgresql#

Description: PostgreSQL settings. The Bitnami Helm Chart contains all details of what you can configure. See bitnami/charts.
Default value: {"enabled":true}
Allowed values: N/A.

keycloak-extensions.postgresql.enabled#

Description: Set to true if you want PostgreSQL to be installed as well.
Default value: true
Allowed values: N/A.

keycloak-extensions.proxy.appConfig.captchaSecretKey#

Description: N/A.
Default value: "some_secret_key"
Allowed values: N/A.

keycloak-extensions.proxy.appConfig.captchaSiteKey#

Description: N/A.

Default

6.18. MinIO#

For the MinIO configuration parameters, see MinIO Helm Chart.

Nubus for Kubernetes - Operation Manual 0.5.1 (Alpha)

Reference

Contents

6. Reference#

6.1. Global#

6.2. Nubus Stack Gateway#

6.3. Keycloak#

6.4. LDAP Server#

6.5. LDAP Notifier#

6.6. Portal Frontend#

6.7. Portal Server#

6.8. Portal Listener#

6.9. Notifications API#

6.10. UDM Listener#

6.11. Provisioning#

6.11.1. API#

6.11.2. Dispatcher#

6.11.3. NATS#

6.12. Stack Data UMS#

6.13. Stack Data SWP#

6.14. Self-Service Listener#

6.15. UDM REST API#

6.16. UMC Server#

6.17. Keycloak Extensions#

6.18. MinIO#