feat(nubus): Add templating support for Nubus

Signed-off-by: Axel Lender <lender@b1-systems.de>
2025-12-06 15:31:38 +01:00 · 2025-08-21 08:02:54 +02:00
parent cac1e9850d
commit 1fd7cd7d34
5 changed files with 63 additions and 0 deletions
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -11,6 +11,7 @@ This document covers how to utilise external secrets and special requirements.
 * [General](#general)
 * [Components](#components)
  * [Cassandra](#cassandra)
+  * [Keycloak](#keycloak)
  * [MinIO](#minio)
  * [XWiki](#xwiki)
 <!-- TOC -->
@@ -45,6 +46,17 @@ Cassandra is pre-populated with information regarding Dovecot with a `cql` scrip

 This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.

+## Keycloak
+
+The Keycloak bootstrap chart exepcts a special format for the admin credentials. The following example shows the format with the openDesk default values:
+
+```yaml
+stringData:
+  admin.yaml: |
+    username: "kcadmin"
+    password: "{{ .Values.secrets.keycloak.adminPassword }}"
+```
+
 ## MinIO

 Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in external secrets listed in `usersExistingSecrets` have to be formatted as follows:
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -53,6 +53,10 @@ global:
 ics:
  session:
    secret: {{ .Values.secrets.intercom.secret | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.nubus.ics.session.name | quote }}
+      keyMapping:
+        secret: {{ .Values.externalSecrets.nubus.ics.session.key | quote }}
  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  originRegex: "{{ .Values.global.domain }}"
  enableSessionCookie: true
@@ -66,21 +70,37 @@ ics:
  oidc:
    id: "opendesk-intercom"
    clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.keycloak.clientSecret.intercom.name | quote}}
+      keyMapping:
+        clientSecret: {{ .Values.externalSecrets.keycloak.clientSecret.intercom.key | quote }}
  matrix:
    subdomain: {{ .Values.global.hosts.synapse | quote }}
    serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
    auth:
      applicationServiceSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.nubus.ics.synapseAsToken.name | quote }}
+        keyMapping:
+          password: {{ .Values.externalSecrets.nubus.ics.synapseAsToken.key | quote }}
  nordeck:
    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
  portal:
    auth:
      sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
+        keyMapping:
+          password: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
  redis:
    host: {{ .Values.cache.intercomService.host | quote }}
    port: {{ .Values.cache.intercomService.port }}
    auth:
      password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.redis.existingSecret | quote }}
+        keyMapping:
+          password: {{ .Values.externalSecrets.redis.existingSecretPasswordKey | quote }}
  openxchange:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -38,8 +38,14 @@ configuration:
  credentials:
    accessKey:
      value: {{ .Values.objectstores.nubus.username | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.objectstores.nubus.accessKey.name | quote }}
+        key: {{ .Values.externalSecrets.objectstores.nubus.accessKey.key | quote }}
    secretKey:
      value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.objectstores.nubus.secretKey.name | quote }}
+        key: {{ .Values.externalSecrets.objectstores.nubus.secretKey.key | quote }}

 podAnnotations:
  {{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -92,6 +92,8 @@ config:
      values:
        username: "kcadmin"
        password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.keycloak.adminSecret | quote }}
    realm: {{ .Values.platform.realm | quote }}
    intraCluster:
      enabled: true
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -5,6 +5,10 @@ SPDX-License-Identifier: Apache-2.0
 ---
 externalSecrets:
  cache:
+    intercom:
+      password:
+        name: ~
+        key: ~
    nextcloudUsername:
      name: ~
      key: ~
@@ -42,7 +46,12 @@ externalSecrets:
        name:  ~
        key: ~
  keycloak:
+    adminSecret:
+      name: ~
    clientSecret:
+      intercom:
+        name: ~
+        key: ~
      xwiki:
        name: ~
        key: ~
@@ -65,6 +74,13 @@ externalSecrets:
      name: ~
      key: ~
  nubus:
+    ics:
+      session:
+        name: ~
+        key: ~
+      synapseAsToken:
+        name: ~
+        key: ~
    ldapSearch:
      nextcloud:
        name: ~
@@ -79,6 +95,13 @@ externalSecrets:
    nextcloudSecretKey:
      name: ~
      key: ~
+    nubus:
+      accessKey:
+        name: ~
+        key: ~
+      secretKey:
+        name: ~
+        key: ~
  openproject:
    apiAdminPassword:
      name: ~