fix(helmfile): Splitting the directory ./helmfile/apps/services into -external and opendesk- services, please read migrations.md for more details

.gitlab-ci.yml

@@ -283,7 +283,7 @@ policies-deploy:
           ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
       when: "on_success"
   variables:
-    COMPONENT: "services"
+    COMPONENT: "opendesk-services"
     ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 
 migrations-pre:
@@ -296,7 +296,7 @@ migrations-pre:
           ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
       when: "on_success"
   variables:
-    COMPONENT: "migrations-pre"
+    COMPONENT: "opendesk-migrations-pre"
 
 migrations-post:
   stage: "090-migrations-post"
@@ -308,9 +308,9 @@ migrations-post:
           ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
       when: "on_success"
   variables:
-    COMPONENT: "migrations-post"
+    COMPONENT: "opendesk-migrations-post"
 
-services-deploy:
+services-external-deploy:
   stage: "030-services"
   extends: ".deploy-common"
   rules:
@@ -320,7 +320,19 @@ services-deploy:
           ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
       when: "on_success"
   variables:
-    COMPONENT: "services"
+    COMPONENT: "services-external"
+
+opendesk-services-deploy:
+  stage: "030-services"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "opendesk-services"
 
 nubus-deploy:
   stage: "050-components"
@@ -417,7 +429,7 @@ openproject-bootstrap-deploy:
           ($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
       when: "on_success"
   variables:
-    COMPONENT: "openproject-bootstrap"
+    COMPONENT: "opendesk-openproject-bootstrap"
 
 jitsi-deploy:
   stage: "050-components"

docs/migrations.md

@@ -12,11 +12,13 @@ SPDX-License-Identifier: Apache-2.0
   * [From v1.0.0](#from-v100)
     * [Pre-upgrade: Manual checks/steps](#pre-upgrade-manual-checkssteps)
       * [Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
-      * [New openDesk default: Enforce login](#new-opendesk-default-enforce-login)
+      * [Helmfile Cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
-      * [Changed openDesk default: Jitsi room history enabled](#changed-opendesk-default-jitsi-room-history-enabled)
+      * [Helmfile Cleanup: Helmfile Cleanup: Splitting external vs. openDesk services](#helmfile-cleanup-helmfile-cleanup-splitting-external-vs-opendesk-services)
-      * [Streamlining `openxchange` and `oxAppSuite` attribute names](#streamlining-openxchange-and-oxappsuite-attribute-names)
+      * [Helmfile cleanup: Streamlining `openxchange` and `oxAppSuite` attribute names](#helmfile-cleanup-streamlining-openxchange-and-oxappsuite-attribute-names)
-      * [Dicts to define `customization.release`](#dicts-to-define-customizationrelease)
+      * [Helmfile feature update: Dicts to define `customization.release`](#helmfile-feature-update-dicts-to-define-customizationrelease)
-      * [Redis 7.4](#redis-74)
+      * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
+      * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
+      * [External requirements: Redis 7.4](#external-requirements-redis-74)
   * [From v0.9.0](#from-v090)
     * [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
       * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
@@ -81,34 +83,35 @@ This change requires manual action likely in two situations:
 1. You are referencing our upstream files from the aforementioned directory, e.g. in your Argo CD deployment. Please update your references to use the filenames with the new extension.
 2. You have custom files containing configuration information that are named just `*.yaml`: Please rename them to `*.yaml.gotmpl`.
 
-#### New openDesk default: Enforce login
+#### Helmfile Cleanup: Prefixing certain app directories with `opendesk-`
 
-Users accessing the openDesk portal are now automatically redirected to the login screen as a default.
+To make it more obvious that some elements from below the [`apps`](../helmfile/apps/) directory are completely
+provided by openDesk, we have prefixed these app directories with `opendesk-`.
 
-In case you want to keep the previous behavior you need to set the following `functional` flag:
+Affected are the following directories, here listed directly with the new prefix:
 
-```yaml
+- [`./helmfile/apps/opendesk-migrations-pre`](../helmfile/apps/opendesk-migrations-pre)
-functional:
+- [`./helmfile/apps/opendesk-migrations-post`](../helmfile/apps/opendesk-migrations-post)
-  portal:
+- [`./helmfile/apps/opendesk-openproject-bootstrap`](../helmfile/apps/opendesk-openproject-bootstrap)
-    enforceLogin: false
-```
 
-#### Changed openDesk default: Jitsi room history enabled
+The described changes most likely require manual action in the following situation:
 
-The default to store the Jitsi room history in the local storage of a user's browser has changed.
+- You are referencing our upstream files e.g. in your Argo CD deployment, please update your references to use the new directory names.
 
-It is now enabled and therefore stored by default.
+#### Helmfile Cleanup: Helmfile Cleanup: Splitting external vs. openDesk services
 
-To preserve the 1.0.0 behavior of not storing the room history you have to explicitly configure it:
+In v1.0.0 there was a directory `/helmfile/apps/services` that was intended to contain all the services an operator had to provide externally for production deployments.
 
-```
+As some services that are actually part of openDesk snuck in there, so we had to split the directory into two separate ones:
-functional:
-  dataProtection:
-    jitsiRoomHistory:
-      enabled: false
-```
 
-#### Streamlining `openxchange` and `oxAppSuite` attribute names
+- [`./helmfile/apps/opendesk-services`](../helmfile/apps/opendesk-services)
+- [`./helmfile/apps/services-external`](../helmfile/apps/services-external)
+
+The described changes most likely require manual action in the following situation:
+
+- You are referencing our upstream files e.g. in your Argo CD deployment, please update your references to use the new directory names.
+
+#### Helmfile cleanup: Streamlining `openxchange` and `oxAppSuite` attribute names
 
 We have updated some attribute names around Open-Xchange / OX App Suite to be consistent within our Helmfile
 deployment and to aligning with the actual brand names as well as with our rule of thumb for brand based
@@ -171,7 +174,7 @@ WAS: secrets.oxAppsuite: ...
 NOW: secrets.oxAppSuite: ...
 ```
 
-#### Dicts to define `customization.release`
+#### Helmfile feature update: Dicts to define `customization.release`
 
 If you make use of the `customization.release` option, you have to switch to a dictionary based definition of customization files e.g. from
 
@@ -192,7 +195,34 @@ customization:
 
 You can freely choose the `file1` dictionary key used in the example above, but it should start with a letter.
 
-#### Redis 7.4
+#### openDesk defaults (new): Enforce login
+
+Users accessing the openDesk portal are now automatically redirected to the login screen as a default.
+
+In case you want to keep the previous behavior you need to set the following `functional` flag:
+
+```yaml
+functional:
+  portal:
+    enforceLogin: false
+```
+
+#### openDesk defaults (changed): Jitsi room history enabled
+
+The default to store the Jitsi room history in the local storage of a user's browser has changed.
+
+It is now enabled and therefore stored by default.
+
+To preserve the 1.0.0 behavior of not storing the room history you have to explicitly configure it:
+
+```yaml
+functional:
+  dataProtection:
+    jitsiRoomHistory:
+      enabled: false
+```
+
+#### External requirements: Redis 7.4
 
 The update from openDesk 1.0.0 contains Redis 7.4.1, like the other openDesk bundled services the bundled Redis is as well not meant to be used in production.
 

helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl

@@ -0,0 +1,111 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Otterize
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-otterize
+  - name: "otterize-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.otterize.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+
+  # openDesk Home
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
+  - name: "home-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.home.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+
+  # openDesk Certificates
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
+  - name: "certificates-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.certificates.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+
+    # openDesk Alerts
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
+  - name: "opendesk-alerts-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.opendeskAlerts.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
+
+    # openDesk Grafana Dashboards
+    # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
+  - name: "dashboards-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.opendeskDashboards.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+
+releases:
+  - name: "opendesk-otterize"
+    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
+    version: "{{ .Values.charts.otterize.version }}"
+    values:
+      - "values-otterize.yaml.gotmpl"
+      {{ range .Values.customization.release.opendeskOtterize }}
+      - {{ . }}
+      {{ end }}
+    installed: {{ .Values.security.otterizeIntents.enabled }}
+    timeout: 900
+
+  - name: "opendesk-home"
+    chart: "home-repo/{{ .Values.charts.home.name }}"
+    version: "{{ .Values.charts.home.version }}"
+    values:
+      - "values-home.yaml.gotmpl"
+      {{ range .Values.customization.release.opendeskHome }}
+      - {{ . }}
+      {{ end }}
+    installed: {{ .Values.home.enabled }}
+
+  - name: "opendesk-certificates"
+    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
+    version: "{{ .Values.charts.certificates.version }}"
+    values:
+      - "values-certificates.yaml.gotmpl"
+      {{ range .Values.customization.release.opendeskCertificates }}
+      - {{ . }}
+      {{ end }}
+    installed: {{ .Values.certificates.enabled }}
+    timeout: 900
+
+  - name: "opendesk-alerts"
+    chart: "opendesk-alerts-repo/{{ .Values.charts.opendeskAlerts.name }}"
+    version: "{{ .Values.charts.opendeskAlerts.version }}"
+    values:
+      - "values-opendesk-alerts.yaml.gotmpl"
+      {{ range .Values.customization.release.opendeskAlerts}}
+      - {{ . }}
+      {{ end }}
+    installed: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
+    timeout: 900
+
+  - name: "opendesk-dashboards"
+    chart: "dashboards-repo/{{ .Values.charts.opendeskDashboards.name }}"
+    version: "{{ .Values.charts.opendeskDashboards.version }}"
+    values:
+      - "values-dashboards.yaml.gotmpl"
+      - {{ .Values.customization.release.opendeskDashboards | default "additionalValues: false" }}
+    installed: {{ .Values.monitoring.grafana.dashboards.enabled }}
+    timeout: 900
+
+commonLabels:
+  deployStage: "030-opendesk-services"
+  component: "opendesk-services"
+...

helmfile/apps/services-external/helmfile-child.yaml.gotmpl

@@ -2,36 +2,6 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  # openDesk Otterize
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-otterize
-  - name: "otterize-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.otterize.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
-
-  # openDesk Home
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
-  - name: "home-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.home.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
-
-  # openDesk Certificates
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
-  - name: "certificates-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.certificates.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
-
   # openDesk PostgreSQL
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
   - name: "postgresql-repo"
@@ -89,26 +59,6 @@ repositories:
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
 
-  # openDesk Alerts
-  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
-  - name: "opendesk-alerts-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.opendeskAlerts.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
-
-    # openDesk Grafana Dashboards
-    # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
-  - name: "dashboards-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.opendeskDashboards.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
-
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
   - name: "memcached-repo"
@@ -146,49 +96,6 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
 
 releases:
-  - name: "opendesk-otterize"
-    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
-    version: "{{ .Values.charts.otterize.version }}"
-    values:
-      - "values-otterize.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOtterize }}
-      - {{ . }}
-      {{ end }}
-    installed: {{ .Values.security.otterizeIntents.enabled }}
-    timeout: 900
-
-  - name: "opendesk-home"
-    chart: "home-repo/{{ .Values.charts.home.name }}"
-    version: "{{ .Values.charts.home.version }}"
-    values:
-      - "values-home.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskHome }}
-      - {{ . }}
-      {{ end }}
-    installed: {{ .Values.home.enabled }}
-
-  - name: "opendesk-certificates"
-    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
-    version: "{{ .Values.charts.certificates.version }}"
-    values:
-      - "values-certificates.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskCertificates }}
-      - {{ . }}
-      {{ end }}
-    installed: {{ .Values.certificates.enabled }}
-    timeout: 900
-
-  - name: "opendesk-alerts"
-    chart: "opendesk-alerts-repo/{{ .Values.charts.opendeskAlerts.name }}"
-    version: "{{ .Values.charts.opendeskAlerts.version }}"
-    values:
-      - "values-opendesk-alerts.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskAlerts}}
-      - {{ . }}
-      {{ end }}
-    installed: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
-    timeout: 900
-
   - name: "redis"
     chart: "redis-repo/{{ .Values.charts.redis.name }}"
     version: "{{ .Values.charts.redis.version }}"
@@ -277,15 +184,6 @@ releases:
     installed: {{ .Values.clamavSimple.enabled }}
     timeout: 900
 
-  - name: "opendesk-dashboards"
-    chart: "dashboards-repo/{{ .Values.charts.opendeskDashboards.name }}"
-    version: "{{ .Values.charts.opendeskDashboards.version }}"
-    values:
-      - "values-dashboards.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskDashboards | default "additionalValues: false" }}
-    installed: {{ .Values.monitoring.grafana.dashboards.enabled }}
-    timeout: 900
-
   - name: "minio"
     chart: "minio-repo/{{ .Values.charts.minio.name }}"
     version: "{{ .Values.charts.minio.version }}"
@@ -309,6 +207,6 @@ releases:
     timeout: 900
 
 commonLabels:
-  deployStage: "030-services"
+  deployStage: "030-services-external"
-  component: "services"
+  component: "services-external"
 ...

helmfile/apps/services-external/helmfile.yaml.gotmpl

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml.gotmpl"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile_generic.yaml.gotmpl

@@ -6,11 +6,13 @@
 #
 helmfiles:
   # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl"
+  - path: "helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl"
     values: &values
       - "helmfile/environments/default/*.yaml.gotmpl"
       - {{ toYaml .Values | nindent 8 }}
-  - path: "helmfile/apps/services/helmfile-child.yaml.gotmpl"
+  - path: "helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl"
+    values: *values
+  - path: "helmfile/apps/services-external/helmfile-child.yaml.gotmpl"
     values: *values
   - path: "helmfile/apps/nubus/helmfile-child.yaml.gotmpl"
     values: *values
@@ -30,9 +32,9 @@ helmfiles:
     values: *values
   - path: "helmfile/apps/xwiki/helmfile-child.yaml.gotmpl"
     values: *values
-  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl"
+  - path: "helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl"
     values: *values
-  - path: "helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl"
+  - path: "helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl"
     values: *values
 missingFileHandler: "Error"
 ...