fix(nextcloud): Update Helm chart and images to fix warnings in admin overview and have /status.php behind BasicAuth; review migrations.md for required upgrade steps

2025-12-06 07:21:36 +01:00 · 2025-11-18 10:49:32 +01:00
parent 8867d1b204
commit 195a9eae55
7 changed files with 30 additions and 7 deletions
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -13,6 +13,7 @@ SPDX-License-Identifier: Apache-2.0
  * [Versions ≥ v1.11.0](#versions--v1110)
    * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
      * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
      * [Helmfile new secret: `secrets.nextcloud.statusPassword`](#helmfile-new-secret-secretsnextcloudstatuspassword)
  * [Versions ≥ v1.10.0](#versions--v1100)
    * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
      * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
@@ -214,6 +215,20 @@ Setting service annotation by `annotations.openxchangePostfix.service` applied t
 and external service. This key now only sets annotations for the internal service. If you want to set
 annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
 #### Helmfile new secret: `secrets.nextcloud.statusPassword`
 **Target group:** All existing deployments that use self-defined secrets and have deployed Nextcloud.
 Access to Nextcloud's `/status.php` requires now BasicAuth. The related password is set in
 [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key
 `secrets.nextcloud.statusPassword`.
 If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will
 be derived from the `MASTER_PASSWORD`.
 > [!note]
 > The username for the BasicAuth is hardcoded to "status-access".
 ## Versions ≥ v1.10.0
 ### Pre-upgrade to versions ≥ v1.10.0
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -118,6 +118,10 @@ aio:
          value: {{ .Values.databases.nextcloud.password | quote }}
          {{- end }}
    trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
    status:
      password:
        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
--- a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
@@ -33,6 +33,9 @@ config:
        value: "nextcloud"
      password:
        value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
    status:
      password:
        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,7 +13,7 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
+    tag: "1.7.1@sha256:aa91feaa89989178d859f21bb25633ef07facea19ac3ef696186256492a13b17"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -249,7 +249,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "4.4.4"
+    version: "4.5.0"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -259,7 +259,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "4.4.4"
+    version: "4.5.0"
    verify: true
  nextcloudNotifyPush:
    # providerCategory: "Platform"
@@ -269,7 +269,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-notifypush"
-    version: "4.4.4"
+    version: "4.5.0"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -383,7 +383,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
    name: "opendesk-openproject-bootstrap"
-    version: "2.2.0"
+    version: "2.3.0"
    verify: true
  otterize:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -330,7 +330,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
+    tag: "2.11.0@sha256:481e83fb913c98d2ede8ae734f406ac5c12f805093af0a34cb9c86eeaa56bc01"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -770,7 +770,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
-    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
+    tag: "1.2.0@sha256:7d2ab97a8cd17aa2c12a6d613044c848edf0371974662390eb08c197aa12b84a"
  openprojectDbInit:
    # providerCategory: "Community"
    # providerResponsible: "OpenProject"
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -101,6 +101,7 @@ secrets:
  nextcloud:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
    metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
    statusPassword: {{ derivePassword 1 "medium" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_status_user" | sha1sum | quote }}
  openproject:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
    apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}