chore(helmfile): Quote string and fix line endings

README.md

@@ -336,6 +336,10 @@ turn:
 
 ## Security
 
+This section summarizes various aspects of security and compliance aspects.
+
+### Kubernetes Security Enforcements
+
 This list gives you an overview of default security settings and if they comply with security standards:
 
 
@@ -365,6 +369,11 @@ This list gives you an overview of default security settings and if they comply
 | PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
+### Helm Chart Trust Chain
+
+Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
+`pubkey.gpg` file and are validated during helmfile installation.
+
 # Component integration
 
 ## Functional use cases

helmfile/apps/jitsi/helmfile.yaml

@@ -8,7 +8,7 @@ repositories:
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
 releases:
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"

helmfile/apps/nextcloud/helmfile.yaml

@@ -8,9 +8,9 @@ repositories:
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
-    verify: true
-    keyring: ../../../pubkey.gpg
     # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../../pubkey.gpg"
   - name: "nextcloud-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |

helmfile/apps/services/helmfile.yaml

@@ -6,11 +6,13 @@ repositories:
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
   - name: "opendesk-certificates-repo"
     oci: true
+    # yamllint disable rule:line-length
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
+    # yamllint enable rule:line-length
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
   # openDesk PostgreSQL
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
   - name: "postgresql-repo"
@@ -19,7 +21,7 @@ repositories:
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
   # openDesk MariaDB
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
   - name: "mariadb-repo"
@@ -28,25 +30,25 @@ repositories:
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
   - name: "postfix-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-         default "https://gitlab.souvap-univention.de/souvap/tooling/charts/postfix" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
   # openDesk Istio Resources
   # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
   - name: "istio-resources-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/souvap/tooling/charts/istio-ressources" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
   - name: "clamav-repo"
@@ -55,7 +57,7 @@ repositories:
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
     verify: true
-    keyring: ../../../pubkey.gpg
+    keyring: "../../../pubkey.gpg"
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
   - name: "bitnami-repo"

helmfile/environments/default/debug.yaml

@@ -10,4 +10,4 @@ cleanup:
   keepPVCOnDelete: false
   # Keep additional resources, like certificates on deletion of this release.
   keepRessourceOnDelete: true
-...
+...