From 3106ca793ee1e0021f7c03e620873c49adb54199 Mon Sep 17 00:00:00 2001
From: Thomas Kaltenbrunner
Date: Mon, 28 Jul 2025 23:43:48 +0200
Subject: [PATCH] feat(notes): Switch to new Helm chart with support for self-signed deployments; review `migrations.md` for required upgrade steps
---
 docs/migrations.md | 23 +
 helmfile/apps/notes/values.yaml.gotmpl | 458 +++++++-----------
 .../default/annotations.yaml.gotmpl | 13 +-
 .../environments/default/charts.yaml.gotmpl | 10 +-
 4 files changed, 220 insertions(+), 284 deletions(-)
diff --git a/docs/migrations.md b/docs/migrations.md
index 06d98e24..aaed7d32 100644
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -11,6 +11,8 @@ SPDX-License-Identifier: Apache-2.0
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
 * [v1.7.0+](#v170)
+ * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
+ * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
 * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
 * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
 * [v1.6.0+](#v160)
@@ -124,6 +126,27 @@ If you would like more details about the automated migrations, please read secti
 ## v1.7.0+
+### Pre-upgrade to v1.7.0+
+
+#### Replace Helm chart: New Notes Helm chart with support for self-signed deployments
+
+**Target group:** All deployments that set `app.notes.enabled: true` (default is `false`).
+
+We replaced the Helm Chart used for the Notes (aka "Impress") deployment. If you have enabled Notes in your deployment, you must manually uninstall the old chart before upgrading to openDesk v1.7.0.
+
+```shell
+helm uninstall -n impress
+```
+
+In case you are using `annotation.notes` they have to be moved into one of the remaining dicts, see [`annotations.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/environments/default/annotations.yaml.gotmpl) for details:
+
+```yaml
+annotation:
+ notesBackend: {}
+ notesFrontend: {}
+ notesYProvider: {}
+```
+
+### Post-upgrade to v1.7.0+
 #### Upstream fix: Provisioning of functional mailboxes
diff --git a/helmfile/apps/notes/values.yaml.gotmpl b/helmfile/apps/notes/values.yaml.gotmpl
index 80b449ed..7720c54f 100644
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -1,285 +1,197 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-image:
- repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.notesBackend.tag }}
- credentials:
- name: {{ .Values.global.imagePullSecrets | first | quote }}
-
-ingress:
- enabled: {{ .Values.ingress.enabled }}
- className: {{ .Values.ingress.ingressClassName }}
- host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
- tls:
- enabled: "{{ .Values.ingress.tls.enabled }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
- nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
- nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
- nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
- nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
-
-ingressCollaborationWS:
- enabled: {{ .Values.ingress.enabled }}
- className: {{ .Values.ingress.ingressClassName }}
- host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
- path: "/collaboration/ws/"
- tls:
- enabled: "{{ .Values.ingress.tls.enabled }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
- annotations:
- nginx.ingress.kubernetes.io/enable-websocket: "true"
- nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
- nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
- nginx.ingress.kubernetes.io/auth-response-headers: null
- nginx.ingress.kubernetes.io/auth-url: null
- {{- with .Values.annotations.notes.ingressCollaborationWS }}
- {{ . | toYaml | nindent 4 }}
- {{- end }}
-
-ingressAdmin:
- enabled: {{ .Values.ingress.enabled }}
- className: {{ .Values.ingress.ingressClassName }}
- host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
- tls:
- enabled: "{{ .Values.ingress.tls.enabled }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
- annotations:
- {{ .Values.annotations.notes.ingressAdmin | toYaml | nindent 4 }}
-
-ingressMedia:
- enabled: {{ .Values.ingress.enabled }}
- className: {{ .Values.ingress.ingressClassName }}
- host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
- annotations:
- nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
- nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/media-auth/"
- nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- nginx.ingress.kubernetes.io/use-regex: "true"
- nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
- nginx.ingress.kubernetes.io/session-cookie-path: /media
- {{- with .Values.annotations.notes.ingressMedia }}
- {{ . | toYaml | nindent 4 }}
- {{- end }}
- tls:
- enabled: "{{ .Values.ingress.tls.enabled }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-ingressCollaborationApi:
- enabled: {{ .Values.ingress.enabled }}
- className: {{ .Values.ingress.ingressClassName }}
- host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
- path: /collaboration/api/
- tls:
- enabled: "{{ .Values.ingress.tls.enabled }}"
- secretName: {{ .Values.ingress.tls.secretName | quote }}
- annotations:
- {{ .Values.annotations.notes.ingressCollaborationAPI | toYaml | nindent 4 }}
-
-serviceMedia:
- host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
- port: {{ .Values.objectstores.notes.port | default 443 }}
- annotations:
- {{ .Values.annotations.notes.serviceMedia | toYaml | nindent 4 }}
-
-frontend:
- image:
- repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry) (.Values.images.notesFrontend.repository) | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.notesFrontend.tag }}
- envVars:
- PORT: 8080
- NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
- runtimeEnvs:
- ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
- PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
- replicas: {{ .Values.replicas.notesFrontend }}
- resources:
- {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seLinuxOptions:
- {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
-
- podAnnotations:
- {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
-
- service:
- annotations:
- {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
-
-yProvider:
- image:
- repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.notesYProvider.tag }}
- resources:
- {{ .Values.resources.notesYProvider | toYaml | nindent 4 }}
- replicas: {{ .Values.replicas.notesYProvider }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seLinuxOptions:
- {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
- envVars:
- COLLABORATION_BACKEND_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
- COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
- Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
-
- podAnnotations:
- {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
-
- service:
- annotations:
- {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
-
-oidc:
- clientId: "opendesk-notes"
- clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
-
-aiApiKey: {{ .Values.ai.apiKey }}
-aiBaseUrl: {{ .Values.ai.endpoint }}
-
-djangoSuperUserEmail: "default.admin@{{ .Values.global.domain }}"
-djangoSuperUserPass: {{ .Values.secrets.notes.superuser }}
-djangoSecretKey: {{ .Values.secrets.notes.djangoSecretKey }}
+global:
+ collaborationServerSecret:
+ value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+ yProviderApiKey:
+ value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+ fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+ tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
 backend:
 image:
- repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
- pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
- tag: {{ .Values.images.notesBackend.tag }}
- replicas: {{ .Values.replicas.notesBackend }}
- envVars:
- DB_HOST: {{ .Values.databases.notes.host | quote }}
- DB_NAME: {{ .Values.databases.notes.name | quote }}
- DB_USER: {{ .Values.databases.notes.username | quote }}
- DB_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
- DB_PORT: {{ .Values.databases.notes.port | quote }}
- POSTGRES_DB: {{ .Values.databases.notes.name | quote }}
- POSTGRES_USER: {{ .Values.databases.notes.username | quote }}
- POSTGRES_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
- FRONTEND_THEME: "openDesk"
- REDIS_URL: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
- AWS_S3_ENDPOINT_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
- AWS_S3_ACCESS_KEY_ID: {{ .Values.objectstores.notes.username }}
- AWS_S3_SECRET_ACCESS_KEY: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
- AWS_STORAGE_BUCKET_NAME: {{ .Values.objectstores.notes.bucket }}
- DJANGO_CSRF_TRUSTED_ORIGINS: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- DJANGO_SITE_DOMAIN: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- DJANGO_SITE_NAME: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- DJANGO_CONFIGURATION: Production
- DJANGO_ALLOWED_HOSTS: "*"
- DJANGO_SECRET_KEY: {{ .Values.secrets.notes.djangoSecretKey }}
- DJANGO_SETTINGS_MODULE: impress.settings
- DJANGO_SUPERUSER_PASSWORD: {{ .Values.secrets.notes.superuser }}
- DJANGO_EMAIL_BRAND_NAME: "openDesk"
- DJANGO_EMAIL_LOGO_IMG: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
- DJANGO_EMAIL_FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
- DJANGO_EMAIL_HOST: "postfix"
- DJANGO_EMAIL_PORT: 25
- DJANGO_EMAIL_USE_SSL: False
- DJANGO_EMAIL_HOST_USER: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
- DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
- DJANGO_EMAIL_USE_TLS: False
- OIDC_RP_CLIENT_ID: "opendesk-notes"
- OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
- OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
- OIDC_OP_AUTHORIZATION_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
- OIDC_OP_TOKEN_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
- OIDC_OP_USER_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
- OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
- OIDC_RP_SIGN_ALGO: RS256
- OIDC_RP_SCOPES: "openid opendesk-notes-scope"
- OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
- OIDC_USERINFO_FULLNAME_FIELDS: "given_name,family_name"
- USER_OIDC_ESSENTIAL_CLAIMS: "email"
- OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
- OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
- OIDC_RENEW_ID_TOKEN: "False"
- LOGIN_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- LOGIN_REDIRECT_URL_FAILURE: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
- LOGOUT_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
- AI_BASE_URL: {{ .Values.ai.endpoint | quote }}
- AI_API_KEY: {{ .Values.ai.apiKey | quote }}
- AI_MODEL: {{ .Values.ai.model | quote }}
- Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
- Y_PROVIDER_API_BASE_URL: {{ printf "https://%s.%s/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
- COLLABORATION_API_URL: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
- COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
- COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
- COLLABORATION_WS_URL: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
- FRONTEND_HOMEPAGE_FEATURE_ENABLED: False
- FRONTEND_FOOTER_FEATURE_ENABLED: False
- migrate:
- command:
- - "/bin/sh"
- - "-c"
- - |
- python manage.py migrate --no-input
- restartPolicy: Never
-
- migrateJobAnnotations:
- {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
-
- createsuperuser:
- command:
- - "/bin/sh"
- - "-c"
- - |
- python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
- restartPolicy: Never
-
- podAnnotations:
- {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
-
- resources:
- {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- privileged: false
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: "RuntimeDefault"
- readOnlyRootFilesystem: true
- runAsNonRoot: true
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry | quote }}
+ repository: {{ .Values.images.notesBackend.repository | quote }}
+ pullPolicy: "IfNotPresent"
+ tag: {{ .Values.images.notesBackend.tag | quote }}
+ ingress:
+ annotations:
+ "nginx.ingress.kubernetes.io/proxy-body-size": "{{ .Values.ingress.parameters.bodySize.notes }}"
+ "nginx.ingress.kubernetes.io/proxy-read-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
+ "nginx.ingress.kubernetes.io/proxy-send-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
+ {{- if .Values.annotations.notesBackend.ingress }}
+ {{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
+ {{- end }}
+ ingressAdmin:
+ enabled: true
+ annotations:
+ {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
+ replicaCount: {{ .Values.replicas.notesBackend }}
+ containerSecurityContext:
 seLinuxOptions:
 {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
-
+ configuration:
+ ai:
+ apiKey:
+ value: {{ .Values.ai.apiKey }}
+ baseUrl: {{ .Values.ai.endpoint }}
+ model: {{ .Values.ai.model | quote }}
+ aws:
+ endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+ s3AccessKeyId:
+ value: {{ .Values.objectstores.notes.username }}
+ s3SecretAccessKey:
+ value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
+ storageBucketName: {{ .Values.objectstores.notes.bucket }}
+ collaboration:
+ apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
+ wsUrl: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
+ database:
+ host: {{ .Values.databases.notes.host | quote }}
+ name: {{ .Values.databases.notes.name | quote }}
+ password:
+ value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+ port: {{ .Values.databases.notes.port | quote }}
+ user:
+ value: {{ .Values.databases.notes.username | quote }}
+ email:
+ brandName: "openDesk"
+ from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+ host: "postfix"
+ port: "25"
+ logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
+ user:
+ value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+ password:
+ value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+ oidc:
+ enabled: true
+ rpClientId:
+ value: "opendesk-notes"
+ rpClientSecret:
+ value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+ opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
+ opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
+ opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
+ opUserEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
+ opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
+ rpScopes: "openid opendesk-notes-scope"
+ loginRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+ loginRedirectUrlFailure: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+ logoutRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+ redirectAllowedHosts: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
+ essentialClaims: "email"
+ fullnameFields: "given_name,family_name"
+ shortnameField: "given_name"
+ django:
+ secretKey:
+ value: {{ .Values.secrets.notes.djangoSecretKey }}
+ createSuperuser: true
+ superuserEmail:
+ value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+ superuserPassword:
+ value: {{ .Values.secrets.notes.superuser }}
+ frontendTheme: "openDesk"
+ redisUrl:
+ value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+ extraEnvVars:
+ - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
+ value: "False"
+ - name: "FRONTEND_FOOTER_FEATURE_ENABLED"
+ value: "False"
+ podAnnotations:
+ {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
+ podAnnotationsCreateUser:
+ {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
+ podAnnotationsMigrate:
+ {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
+ resources:
+ {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
 service:
 annotations:
 {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
+ {{- if .Values.certificate.selfSigned }}
+ extraVolumes:
+ - name: "trusted-cert-secret-volume"
+ secret:
+ secretName: "opendesk-certificates-ca-tls"
+ items:
+ - key: "ca.crt"
+ path: "ca-certificates.crt"
+ extraVolumeMounts:
+ - name: "trusted-cert-secret-volume"
+ mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
+ subPath: "ca-certificates.crt"
+ {{- end }}
+frontend:
+ image:
+ registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry | quote }}
+ repository: {{ .Values.images.notesFrontend.repository | quote }}
+ pullPolicy: "IfNotPresent"
+ tag: {{ .Values.images.notesFrontend.tag | quote }}
+ ingressMedia:
+ enabled: true
+ annotations:
+ {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
+ extraEnvVars:
+ - name: "ICS_BASE_URL"
+ value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
+ - name: "PORTAL_BASE_URL"
+ value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+ configuration:
+ objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
+ resources:
+ {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
+ containerSecurityContext:
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
+ podAnnotations:
+ {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
+ service:
+ annotations:
+ {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
+ serviceMedia:
+ annotations:
+ {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
+
+y-provider:
+ image:
+ registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry | quote }}
+ repository: {{ .Values.images.notesYProvider.repository | quote }}
+ pullPolicy: "IfNotPresent"
+ tag: {{ .Values.images.notesYProvider.tag }}
+ replicaCount: 1
+ debug: true
+ {{- if .Values.certificate.selfSigned }}
+ extraEnvVars:
+ - name: "NODE_EXTRA_CA_CERTS"
+ value: "/etc/ssl/certs/cacert.pem"
+ extraVolumes:
+ - name: "trusted-cert-secret-volume"
+ secret:
+ secretName: "opendesk-certificates-ca-tls"
+ items:
+ - key: "ca.crt"
+ path: "ca-certificates.crt"
+ extraVolumeMounts:
+ - name: "trusted-cert-secret-volume"
+ mountPath: "/etc/ssl/certs/cacert.pem"
+ subPath: "ca-certificates.crt"
+ {{- end }}
+ containerSecurityContext:
+ seLinuxOptions:
+ {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
+ ingressCollaborationApi:
+ annotations:
+ {{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
+ ingressCollaborationWs:
+ annotations:
+ {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
+ podAnnotations:
+ {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
+ service:
+ annotations:
+ {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
 ...
diff --git a/helmfile/environments/default/annotations.yaml.gotmpl b/helmfile/environments/default/annotations.yaml.gotmpl
index f9b00a1b..28281c92 100644
--- a/helmfile/environments/default/annotations.yaml.gotmpl
+++ b/helmfile/environments/default/annotations.yaml.gotmpl
@@ -126,20 +126,21 @@ annotations:
 service: ~
 serviceMetrics: ~
 serviceAccount: ~
- notes:
- ingressAdmin: ~
- ingressCollaborationWS: ~
- ingressCollaborationAPI: ~
- ingressMedia: ~
- serviceMedia: ~
 notesBackend:
+ createUserJob: ~
+ ingress: ~
+ ingressAdmin: ~
 migrateJob: ~
 pod: ~
 service: ~
 notesFrontend:
+ ingressMedia: ~
 pod: ~
 service: ~
+ serviceMedia: ~
 notesYProvider:
+ ingressCollaborationAPI: ~
+ ingressCollaborationWS: ~
 pod: ~
 service: ~
 nubus:
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl
index 242a82a8..9685092c 100644
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -294,14 +294,14 @@ charts:
 version: "1.0.1"
 verify: true
 notes:
- # providerCategory: "Supplier"
+ # providerCategory: "Platform"
 # providerResponsible: "openDesk"
- # upstreamRegistry: "https://gitlab.opencode.de"
- # packageName=bmi/opendesk/components/supplier/dinum/charts/notes
+ # upstreamRegistry: "https://registry.opencode.de"
+ # packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
 registry: "registry.opencode.de"
- repository: "bmi/opendesk/components/supplier/dinum/charts/notes"
+ repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
 name: "impress"
- version: "2.0.0"
+ version: "1.0.0"
 verify: true
 nubus:
 # providerCategory: "Supplier"
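Review bot: `verify: true` is kept while the chart now comes from a different publisher path (`platform-development/charts/opendesk-impress` instead of `supplier/dinum/charts/notes`), so the provenance check will presumably be made against a different signing key than before; the key that signs `opendesk-impress` should be imported and documented alongside this change, otherwise the install aborts at verification rather than falling back silently. The release `name: "impress"` is unchanged, which is what the pre-upgrade step in this commit relies on — but as rendered there, `helm uninstall -n impress` passes `impress` as the namespace and omits the release argument, so the documented command should read `helm uninstall -n <namespace> impress`.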