From 01c5e6b359dd5eb42c98e818da301871bea79264 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Tue, 11 Jun 2024 13:53:58 +0200
Subject: [PATCH] fix(helmfile): Enable SMTP for XWiki and Element/Synapse; Streamline mail sender addresses within platform based on `@.` and allow configuration of ``.
---
 .gitlab-ci.yml | 8 +++--
 cspell.json | 4 ++-
 dev/charts-local.py | 32 ++++++++-----------
 docs/debugging.md | 2 +-
 helmfile/apps/collabora/values.yaml.gotmpl | 2 +-
 .../apps/element/values-synapse.yaml.gotmpl | 7 ++++
 .../values-nextcloud-mgmt.yaml.gotmpl | 5 ++-
 .../open-xchange/values-dovecot.yaml.gotmpl | 4 +--
 helmfile/apps/openproject/values.yaml.gotmpl | 10 +++---
 .../apps/services/values-postfix.yaml.gotmpl | 4 +--
 .../values-umbrella.yaml.gotmpl | 6 ++--
 helmfile/apps/xwiki/values.yaml.gotmpl | 7 ++++
 helmfile/environments/default/charts.yaml | 16 +++++-----
 helmfile/environments/default/smtp.gotmpl | 2 ++
 14 files changed, 63 insertions(+), 46 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0613dfd9..dc6f36e8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,12 +15,16 @@ include:
 ref: "main"
 - local: "/.gitlab/lint/lint-opendesk.yml"
 rules:
- - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'"
+ - if: >
+ $JOB_OPENDESK_LINTER_ENABLED == 'false' ||
+ $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'
 when: "never"
 - when: "always"
 - local: "/.gitlab/lint/lint-kyverno.yml"
 rules:
- - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'"
+ - if: >
+ $JOB_OPENDESK_LINTER_ENABLED == 'false' ||
+ $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'
 when: "never"
 - when: "always"
diff --git a/cspell.json b/cspell.json
index 74ed2666..c6022d8e 100644
--- a/cspell.json
+++ b/cspell.json
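Review bot: The second rule (for `/.gitlab/lint/lint-kyverno.yml`) now tests `$JOB_OPENDESK_LINTER_ENABLED` where the removed line tested `$JOB_KYVERNO_LINTER_ENABLED`, so the Kyverno lint job can no longer be disabled on its own and is instead coupled to the openDesk linter flag; this looks like a copy-paste slip made while folding the condition. The folded line should read `$JOB_KYVERNO_LINTER_ENABLED == 'false' ||`. Note also that the `>` folded scalar keeps a trailing newline in the resulting `if:` string; if that turns out to matter for rule evaluation, `>-` strips it.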
@@ -67,7 +67,9 @@
 "IMAPS",
 "xwiki",
 "cryptpad",
- "clamav"
+ "clamav",
+ "templating",
+ "localpart"
 ],
 "ignoreWords": [],
 "import": []
diff --git a/dev/charts-local.py b/dev/charts-local.py
index 386488aa..b0b5f7d8 100755
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -69,18 +69,16 @@ def create_or_switch_branch_base_repo():
 return branch
-def clone_charts_locally(branch):
+def clone_charts_locally(branch, charts):
 charts_clone_path = script_path+'/../../'+branch.replace('/', '_')
 charts_dict = {}
- remote_dict = {}
+ doublette_dict = {}
 if os.path.isdir(charts_clone_path):
 logging.warning(f"Path {charts_clone_path} already exists, will not clone any charts.")
 else:
 logging.debug(f"creating directory {charts_clone_path} to clone charts into")
 Path(charts_clone_path).mkdir(parents=True, exist_ok=True)
- with open(charts_yaml, 'r') as file:
- charts = yaml.safe_load(file)
 for chart in charts['charts']:
 if 'opendesk/components/platform-development/charts' in charts['charts'][chart]['repository']:
 tag = charts['charts'][chart]['version']
@@ -88,9 +86,9 @@ def clone_charts_locally(branch):
 repository = charts['charts'][chart]['repository']
 git_url = options.git_hostname+':'+repository
 chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
- if git_url in remote_dict:
- logging.debug(f"{chart} located at {git_url} is already checked out to {remote_dict[git_url]}")
- charts_dict[chart] = remote_dict[git_url]
+ if git_url in doublette_dict:
+ logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
+ charts_dict[chart] = doublette_dict[git_url]
 else:
 if os.path.isdir(chart_repo_path):
 logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
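Review bot: `clone_charts_locally` gains a `charts` parameter but no docstring says what it must contain (the code indexes `charts['charts'][chart]['repository']`, `['version']` and `['name']`, i.e. the parsed `charts.yaml` mapping), and the rename to `doublette_dict` is a German-ism the next reader will trip over. A docstring such as `"""Clone every platform-development chart listed in *charts* (parsed charts.yaml) into a branch-specific directory; return {chart_key: local_path}."""` plus a name like `path_by_git_url` would record the contract the new parameter introduces. The function body continues past this hunk, and the `@@ -88` hunk below carries the same rename.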
@@ -99,8 +97,8 @@ def clone_charts_locally(branch):
 Repo.clone_from(git_url, chart_repo_path)
 chart_repo = Repo(path=chart_repo_path)
 chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
+ doublette_dict[git_url] = chart_repo_path
 charts_dict[chart] = chart_repo_path
- remote_dict[git_url] = chart_repo_path
 return charts_dict
@@ -121,9 +119,8 @@ def get_child_helmfiles():
 return child_helmfiles
-def process_the_helmfiles(charts_dict):
+def process_the_helmfiles(charts_dict, charts):
 chart_def_prefix = ' chart: "'
- name_def_prefix = ' - name: "'
 child_helmfiles = get_child_helmfiles()
 for child_helmfile in child_helmfiles:
 child_helmfile_updated = False
@@ -134,23 +131,18 @@ def process_the_helmfiles(charts_dict):
 for chart_ident in charts_dict:
 if '.Values.charts.'+chart_ident+'.name' in line:
 logging.debug(f"found match with {chart_ident} in {line.strip()}")
- if name_def_prefix not in line_memory:
- sys.exit(f"Script requires `name` definition before the actual `chart` definition. Not the case for '{chart_ident}'")
- else:
- name = re.search(rf"^{name_def_prefix}(.+)\"", line_memory).group(1)
- line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+name+'" # replaced by local-dev script'+"\n"
+ line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
 child_helmfile_updated = True
 break
 output.append(line)
- line_memory = line
 if child_helmfile_updated:
 child_helmfile_backup = child_helmfile+helmfile_backup_extension
- logging.debug(f"Updated {child_helmfile}")
 if os.path.isfile(child_helmfile_backup):
 logging.debug("backup {child_helmfile_backup} already exists, will not create a new one.")
 else:
 logging.debug(f"creating backup {child_helmfile_backup}.")
 shutil.copy2(child_helmfile, child_helmfile_backup)
+ logging.debug(f"Updating {child_helmfile}")
 with open(child_helmfile, 'w') as file:
 file.writelines(output)
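Review bot: The rewritten `line = ...` assignment in the `@@ -134` hunk chains seven `+` concatenations and is hard to read; an f-string, `line = f"{chart_def_prefix}{charts_dict[chart_ident]}/charts/{charts['charts'][chart_ident]['name']}\" # replaced by local-dev script\n"`, says the same thing in one expression. Since this hunk drops the only visible uses of `re.search` and `sys.exit`, check whether the module-level `re` and `sys` imports (outside the hunk) are still needed. While touching the backup branch, the adjacent context line `logging.debug("backup {child_helmfile_backup} already exists, will not create a new one.")` is missing its `f` prefix, so the path is never interpolated. `process_the_helmfiles` starts in the `@@ -121` hunk above and its body continues outside this one.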
@@ -172,5 +164,7 @@ if options.revert:
 revert_the_helmfiles()
 else:
 branch = create_or_switch_branch_base_repo()
- charts_dict = clone_charts_locally(branch)
- process_the_helmfiles(charts_dict)
+ with open(charts_yaml, 'r') as file:
+ charts = yaml.safe_load(file)
+ charts_dict = clone_charts_locally(branch, charts)
+ process_the_helmfiles(charts_dict, charts)
diff --git a/docs/debugging.md b/docs/debugging.md
index 3b4b6186..62d10215 100644
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -64,7 +64,7 @@ The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` con
 shareProcessNamespace: true
 containers:
 - name: debugging
- image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+ image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest
 command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
 securityContext:
 capabilities:
diff --git a/helmfile/apps/collabora/values.yaml.gotmpl b/helmfile/apps/collabora/values.yaml.gotmpl
index bb17e3b2..e28fd3d0 100644
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -7,7 +7,7 @@ autoscaling:
 enabled: false
 collabora:
- extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=65536"
+ extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0"
 username: "collabora-internal-admin"
 password: {{ .Values.secrets.collabora.adminPassword | quote }}
 aliasgroups:
diff --git a/helmfile/apps/element/values-synapse.yaml.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl
index 209bd6cc..dedae5da 100644
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
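Review bot: `--o:fetch_update_check=0` in the Collabora `extra_params` line changes a behaviour-relevant tunable without saying why; from the values file alone a reader cannot tell whether `0` disables Collabora's update check or sets a zero interval. A short comment above `extra_params`, e.g. `# fetch_update_check=0: presumably disables the periodic update check (an outbound call from the pod) — confirm against the Collabora documentation`, would record the intent and the assumption. The `collabora:` block continues past the hunk.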
@@ -41,6 +41,13 @@ configuration:
 url: null
 sender_localpart: intercom-service
+ smtp:
+ senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+ host: {{ .Values.smtp.host | quote }}
+ port: {{ .Values.smtp.port }}
+ username: {{ .Values.smtp.username | quote }}
+ password: {{ .Values.smtp.password | quote }}
+
 oidc:
 clientId: "opendesk-matrix"
 clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
diff --git a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
index 674d2b61..6de69052 100644
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -78,6 +78,9 @@ configuration:
 value: {{ .Values.smtp.password | quote }}
 host: {{ .Values.smtp.host | quote }}
 port: {{ .Values.smtp.port | quote }}
+ fromAddress: {{ .Values.localpartNoReply | quote }}
+ mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+
 serverinfo:
 token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
@@ -102,7 +105,7 @@ debug:
 image:
 registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
- repository: "{{ .Values.images.nextcloudManagement.repository }}"
+ repository: {{ .Values.images.nextcloudManagement.repository | quote }}
 imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 tag: {{ .Values.images.nextcloudManagement.tag | quote }}
diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
index 1f943b28..1e4df0e5 100644
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
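Review bot: The new `smtp:` block under `configuration:` sets host, port and credentials but nothing about transport security, whereas the XWiki and OpenProject hunks in this same commit explicitly enable STARTTLS (OpenProject also verifies the peer); whether the `opendesk-synapse` chart maps this block onto Synapse's `email.require_transport_security` / `enable_tls` with a safe default is not visible here. Either confirm that in the chart or add its equivalent switch next to `port:`, otherwise `{{ .Values.smtp.password }}` may be submitted in clear on port `{{ .Values.smtp.port }}`. Separately, `senderAddress` uses `{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}` as the sender domain while the mail stack (postfix `domain`, dovecot `mailDomain`, OpenProject `SMTP__DOMAIN`) uses `global.mailDomain | default global.domain`; the same per-app subdomain pattern appears in the Nextcloud `mailDomain` below, OpenProject `MAIL__FROM`, Keycloak `mailFrom` and XWiki `from`. Mail from `no-reply@<app host>.<domain>` passes SPF/DKIM/DMARC only if each such subdomain is published with matching records, so deriving the sender domain from `mailDomain`, or documenting the DNS requirement, would avoid silent rejection. The `configuration:` block continues past the hunk.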
@@ -15,7 +15,7 @@ imagePullSecrets:
 {{- end }}
 dovecot:
- mailDomain: {{ .Values.global.domain | quote }}
+ mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 password: {{ .Values.secrets.dovecot.doveadm | quote }}
 ldap:
 enabled: true
@@ -38,8 +38,6 @@ dovecot:
 ssl: "no"
 host: "postfix:25"
-
-
 certificate:
 secretName: {{ .Values.ingress.tls.secretName | quote }}
diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl
index 48fbdf0c..7f3774a2 100644
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -33,9 +33,6 @@ environment:
 OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
 OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
 OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
- OPENPROJECT_SMTP__AUTHENTICATION: "plain"
- OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
- OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
 OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
 # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
 OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
@@ -61,13 +58,16 @@ environment:
 OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
 OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
 OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
- OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
+ OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
 OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
 OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
 OPENPROJECT_SMTP__SSL: "false" # (default=false)
 OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
- OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
+ OPENPROJECT_SMTP__AUTHENTICATION: "plain"
+ OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
+ OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+ OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
 OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
 OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
 OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
diff --git a/helmfile/apps/services/values-postfix.yaml.gotmpl b/helmfile/apps/services/values-postfix.yaml.gotmpl
index 726771e9..f515845d 100644
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
 amavisHost: ""
 amavisPortIn: ""
- domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+ domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 hostname: "postfix"
 inetProtocols: "ipv4"
 milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
 {{- else if .Values.clamavSimple.enabled }}
 smtpdMilters: "inet:clamav-simple:7357"
 {{- end }}
- virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
+ virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 virtualTransport: "lmtps:dovecot:24"
 replicaCount: {{ .Values.replicas.postfix }}
diff --git a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
index 551b3137..567bcfb7 100644
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -613,7 +613,7 @@ stack-data-ums:
 # The openDesk configuration brings its own UMC policies.
 installUmcPolicies: false
 domainname: {{ .Values.global.domain | quote }}
- externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+ externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
 ldapHost: {{ .Values.ldap.host | quote }}
 ldapBase: {{ .Values.ldap.baseDn | quote }}
@@ -654,7 +654,7 @@ stack-data-swp:
 {{- end }}
 externalDomainName: {{ .Values.global.domain | quote }}
- externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+ externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
 portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
 portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
@@ -1172,7 +1172,7 @@ keycloak-extensions:
 ipProtectionEnable: true
 logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
 newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
- mailFrom: "noreply@{{ .Values.global.domain }}"
+ mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl
index df646f2e..36f35e53 100644
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -126,6 +126,13 @@ properties:
 "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
 "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
 "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
+ ## SMTP settings
+ "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+ "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
+ "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
+ "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
+ "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.smtp.password | quote }}
+ "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
 ## Link LDAP users and users authenticated through OIDC
 "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
 "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index a1afce7d..b80cc10d 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -78,7 +78,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
 name: "opendesk-element"
- version: "3.0.0"
+ version: "3.2.0"
 verify: true
 elementWellKnown:
 # providerCategory: "Platform"
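Review bot: `mail.smtp.starttls.enable=true` in the new `SendMailConfigClass.properties` entry is opportunistic: the Java mail client upgrades to TLS only if the server advertises STARTTLS and otherwise continues in plaintext, so the `username`/`password` set two lines above can go over the wire unencrypted, and hostname verification is not switched on at all. To match the `OPENSSL__VERIFY__MODE: "peer"` posture the OpenProject hunk sets, add `mail.smtp.starttls.required=true` and `mail.smtp.ssl.checkserveridentity=true` to the same property value; how several Java properties are separated inside this XWiki field depends on the chart, so confirm the separator before relying on a newline. The `properties:` block continues past the hunk.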
@@ -88,7 +88,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
 name: "opendesk-well-known"
- version: "3.0.0"
+ version: "3.2.0"
 verify: true
 home:
 # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
 name: "opendesk-matrix-user-verification-service"
- version: "3.0.0"
+ version: "3.2.0"
 verify: true
 memcached:
 # providerCategory: "Community"
@@ -210,7 +210,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
 name: "opendesk-nextcloud"
- version: "1.5.2"
+ version: "2.0.0"
 verify: true
 nextcloudManagement:
 # providerCategory: "Platform"
@@ -220,7 +220,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
 name: "opendesk-nextcloud-management"
- version: "1.5.2"
+ version: "2.0.0"
 verify: true
 nginx:
 # providerCategory: "Community"
@@ -346,7 +346,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
 name: "opendesk-synapse"
- version: "3.0.0"
+ version: "3.2.0"
 verify: true
 synapseCreateAccount:
 # providerCategory: "Platform"
@@ -356,7 +356,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
 name: "opendesk-synapse-create-account"
- version: "3.0.0"
+ version: "3.2.0"
 verify: true
 synapseWeb:
 # providerCategory: "Platform"
@@ -366,7 +366,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
 name: "opendesk-synapse-web"
- version: "3.0.0"
+ version: "3.2.0"
 verify: true
 ums:
 # providerCategory: "Supplier"
diff --git a/helmfile/environments/default/smtp.gotmpl b/helmfile/environments/default/smtp.gotmpl index 0484d51c..20158e3f 100644 --- a/helmfile/environments/default/smtp.gotmpl +++ b/helmfile/environments/default/smtp.gotmpl @@ -8,4 +8,6 @@ smtp: port: 587 username: "" password: {{ env "SMTP_PASSWORD" | quote }} + +localpartNoReply: "no-reply" ...