sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat(notes): Switch to new Helm chart with support for self-signed deployments; review migrations.md for required upgrade steps

Browse Source
This commit is contained in:
Thomas Kaltenbrunner
2025-07-28 23:43:48 +02:00
committed by Thorsten Roßner
parent 8eaa12e53b
commit 3106ca793e
4 changed files with 220 additions and 284 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
docs/migrations.md
View File

@@ -11,6 +11,8 @@ SPDX-License-Identifier: Apache-2.0
* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
* [Manual checks/actions](#manual-checksactions)
* [v1.7.0+](#v170)
* [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
* [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
* [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
* [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
* [v1.6.0+](#v160)
@@ -124,6 +126,27 @@ If you would like more details about the automated migrations, please read secti
## v1.7.0+
### Pre-upgrade to v1.7.0+
#### Replace Helm chart: New Notes Helm chart with support for self-signed deployments
**Target group:** All deployments that set `app.notes.enabled: true` (default is `false`).
We replaced the Helm Chart used for the Notes (aka "Impress") deployment. If you have enabled Notes in your deployment, you must manually uninstall the old chart before upgrading to openDesk v1.7.0.
```shell
helm uninstall -n <your_namespace> impress
```
In case you are using `annotation.notes` they have to be moved into one of the remaining dicts, see [`annotations.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/environments/default/annotations.yaml.gotmpl) for details:
```yaml
annotation:
notesBackend: {}
notesFrontend: {}
notesYProvider: {}
```
### Post-upgrade to v1.7.0+
#### Upstream fix: Provisioning of functional mailboxes

458
helmfile/apps/notes/values.yaml.gotmpl
View File

@@ -1,285 +1,197 @@
# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
image:
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.notesBackend.tag }}
credentials:
name: {{ .Values.global.imagePullSecrets | first | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
ingressCollaborationWS:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
path: "/collaboration/ws/"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
annotations:
nginx.ingress.kubernetes.io/enable-websocket: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
nginx.ingress.kubernetes.io/auth-response-headers: null
nginx.ingress.kubernetes.io/auth-url: null
{{- with .Values.annotations.notes.ingressCollaborationWS }}
{{ . | toYaml | nindent 4 }}
{{- end }}
ingressAdmin:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
annotations:
{{ .Values.annotations.notes.ingressAdmin | toYaml | nindent 4 }}
ingressMedia:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/media-auth/"
nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
nginx.ingress.kubernetes.io/session-cookie-path: /media
{{- with .Values.annotations.notes.ingressMedia }}
{{ . | toYaml | nindent 4 }}
{{- end }}
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
ingressCollaborationApi:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName }}
host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
path: /collaboration/api/
tls:
enabled: "{{ .Values.ingress.tls.enabled }}"
secretName: {{ .Values.ingress.tls.secretName | quote }}
annotations:
{{ .Values.annotations.notes.ingressCollaborationAPI | toYaml | nindent 4 }}
serviceMedia:
host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
port: {{ .Values.objectstores.notes.port | default 443 }}
annotations:
{{ .Values.annotations.notes.serviceMedia | toYaml | nindent 4 }}
frontend:
image:
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry) (.Values.images.notesFrontend.repository) | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.notesFrontend.tag }}
envVars:
PORT: 8080
NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
runtimeEnvs:
ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
replicas: {{ .Values.replicas.notesFrontend }}
resources:
{{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
podAnnotations:
{{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
yProvider:
image:
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.notesYProvider.tag }}
resources:
{{ .Values.resources.notesYProvider | toYaml | nindent 4 }}
replicas: {{ .Values.replicas.notesYProvider }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
envVars:
COLLABORATION_BACKEND_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
podAnnotations:
{{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
oidc:
clientId: "opendesk-notes"
clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
aiApiKey: {{ .Values.ai.apiKey }}
aiBaseUrl: {{ .Values.ai.endpoint }}
djangoSuperUserEmail: "default.admin@{{ .Values.global.domain }}"
djangoSuperUserPass: {{ .Values.secrets.notes.superuser }}
djangoSecretKey: {{ .Values.secrets.notes.djangoSecretKey }}
global:
collaborationServerSecret:
value: {{ .Values.secrets.notes.collaborationSecret | quote }}
yProviderApiKey:
value: {{ .Values.secrets.notes.collaborationSecret | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
backend:
image:
repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.notesBackend.tag }}
replicas: {{ .Values.replicas.notesBackend }}
envVars:
DB_HOST: {{ .Values.databases.notes.host | quote }}
DB_NAME: {{ .Values.databases.notes.name | quote }}
DB_USER: {{ .Values.databases.notes.username | quote }}
DB_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
DB_PORT: {{ .Values.databases.notes.port | quote }}
POSTGRES_DB: {{ .Values.databases.notes.name | quote }}
POSTGRES_USER: {{ .Values.databases.notes.username | quote }}
POSTGRES_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
FRONTEND_THEME: "openDesk"
REDIS_URL: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
AWS_S3_ENDPOINT_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
AWS_S3_ACCESS_KEY_ID: {{ .Values.objectstores.notes.username }}
AWS_S3_SECRET_ACCESS_KEY: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
AWS_STORAGE_BUCKET_NAME: {{ .Values.objectstores.notes.bucket }}
DJANGO_CSRF_TRUSTED_ORIGINS: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
DJANGO_SITE_DOMAIN: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
DJANGO_SITE_NAME: {{ printf "%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
DJANGO_CONFIGURATION: Production
DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY: {{ .Values.secrets.notes.djangoSecretKey }}
DJANGO_SETTINGS_MODULE: impress.settings
DJANGO_SUPERUSER_PASSWORD: {{ .Values.secrets.notes.superuser }}
DJANGO_EMAIL_BRAND_NAME: "openDesk"
DJANGO_EMAIL_LOGO_IMG: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
DJANGO_EMAIL_FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
DJANGO_EMAIL_HOST: "postfix"
DJANGO_EMAIL_PORT: 25
DJANGO_EMAIL_USE_SSL: False
DJANGO_EMAIL_HOST_USER: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
DJANGO_EMAIL_USE_TLS: False
OIDC_RP_CLIENT_ID: "opendesk-notes"
OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
OIDC_OP_AUTHORIZATION_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
OIDC_OP_TOKEN_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
OIDC_OP_USER_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid opendesk-notes-scope"
OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
OIDC_USERINFO_FULLNAME_FIELDS: "given_name,family_name"
USER_OIDC_ESSENTIAL_CLAIMS: "email"
OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
OIDC_RENEW_ID_TOKEN: "False"
LOGIN_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
LOGIN_REDIRECT_URL_FAILURE: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
LOGOUT_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
AI_BASE_URL: {{ .Values.ai.endpoint | quote }}
AI_API_KEY: {{ .Values.ai.apiKey | quote }}
AI_MODEL: {{ .Values.ai.model | quote }}
Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
Y_PROVIDER_API_BASE_URL: {{ printf "https://%s.%s/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
COLLABORATION_API_URL: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
COLLABORATION_WS_URL: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
FRONTEND_HOMEPAGE_FEATURE_ENABLED: False
FRONTEND_FOOTER_FEATURE_ENABLED: False
migrate:
command:
- "/bin/sh"
- "-c"
- |
python manage.py migrate --no-input
restartPolicy: Never
migrateJobAnnotations:
{{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
createsuperuser:
command:
- "/bin/sh"
- "-c"
- |
python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
restartPolicy: Never
podAnnotations:
{{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
resources:
{{ .Values.resources.notesBackend | toYaml | nindent 4 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesBackend.registry | quote }}
repository: {{ .Values.images.notesBackend.repository | quote }}
pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesBackend.tag | quote }}
ingress:
annotations:
"nginx.ingress.kubernetes.io/proxy-body-size": "{{ .Values.ingress.parameters.bodySize.notes }}"
"nginx.ingress.kubernetes.io/proxy-read-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
"nginx.ingress.kubernetes.io/proxy-send-timeout": "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
{{- if .Values.annotations.notesBackend.ingress }}
{{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
{{- end }}
ingressAdmin:
enabled: true
annotations:
{{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
replicaCount: {{ .Values.replicas.notesBackend }}
containerSecurityContext:
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
configuration:
ai:
apiKey:
value: {{ .Values.ai.apiKey }}
baseUrl: {{ .Values.ai.endpoint }}
model: {{ .Values.ai.model | quote }}
aws:
endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
s3AccessKeyId:
value: {{ .Values.objectstores.notes.username }}
s3SecretAccessKey:
value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
storageBucketName: {{ .Values.objectstores.notes.bucket }}
collaboration:
apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
wsUrl: {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
database:
host: {{ .Values.databases.notes.host | quote }}
name: {{ .Values.databases.notes.name | quote }}
password:
value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
port: {{ .Values.databases.notes.port | quote }}
user:
value: {{ .Values.databases.notes.username | quote }}
email:
brandName: "openDesk"
from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
host: "postfix"
port: "25"
logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
user:
value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
password:
value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
oidc:
enabled: true
rpClientId:
value: "opendesk-notes"
rpClientSecret:
value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
opUserEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
rpScopes: "openid opendesk-notes-scope"
loginRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
loginRedirectUrlFailure: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
logoutRedirectUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
redirectAllowedHosts: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
essentialClaims: "email"
fullnameFields: "given_name,family_name"
shortnameField: "given_name"
django:
secretKey:
value: {{ .Values.secrets.notes.djangoSecretKey }}
createSuperuser: true
superuserEmail:
value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
superuserPassword:
value: {{ .Values.secrets.notes.superuser }}
frontendTheme: "openDesk"
redisUrl:
value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
extraEnvVars:
- name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
value: "False"
- name: "FRONTEND_FOOTER_FEATURE_ENABLED"
value: "False"
podAnnotations:
{{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
podAnnotationsCreateUser:
{{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
podAnnotationsMigrate:
{{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
resources:
{{ .Values.resources.notesBackend | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
{{- if .Values.certificate.selfSigned }}
extraVolumes:
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
subPath: "ca-certificates.crt"
{{- end }}
frontend:
image:
registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry | quote }}
repository: {{ .Values.images.notesFrontend.repository | quote }}
pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesFrontend.tag | quote }}
ingressMedia:
enabled: true
annotations:
{{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
extraEnvVars:
- name: "ICS_BASE_URL"
value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
- name: "PORTAL_BASE_URL"
value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
configuration:
objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
resources:
{{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
containerSecurityContext:
seLinuxOptions:
{{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
podAnnotations:
{{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
serviceMedia:
annotations:
{{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
y-provider:
image:
registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry | quote }}
repository: {{ .Values.images.notesYProvider.repository | quote }}
pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesYProvider.tag }}
replicaCount: 1
debug: true
{{- if .Values.certificate.selfSigned }}
extraEnvVars:
- name: "NODE_EXTRA_CA_CERTS"
value: "/etc/ssl/certs/cacert.pem"
extraVolumes:
- name: "trusted-cert-secret-volume"
secret:
secretName: "opendesk-certificates-ca-tls"
items:
- key: "ca.crt"
path: "ca-certificates.crt"
extraVolumeMounts:
- name: "trusted-cert-secret-volume"
mountPath: "/etc/ssl/certs/cacert.pem"
subPath: "ca-certificates.crt"
{{- end }}
containerSecurityContext:
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
ingressCollaborationApi:
annotations:
{{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
ingressCollaborationWs:
annotations:
{{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
podAnnotations:
{{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
service:
annotations:
{{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
...

13
helmfile/environments/default/annotations.yaml.gotmpl
View File

@@ -126,20 +126,21 @@ annotations:
service: ~
serviceMetrics: ~
serviceAccount: ~
notes:
ingressAdmin: ~
ingressCollaborationWS: ~
ingressCollaborationAPI: ~
ingressMedia: ~
serviceMedia: ~
notesBackend:
createUserJob: ~
ingress: ~
ingressAdmin: ~
migrateJob: ~
pod: ~
service: ~
notesFrontend:
ingressMedia: ~
pod: ~
service: ~
serviceMedia: ~
notesYProvider:
ingressCollaborationAPI: ~
ingressCollaborationWS: ~
pod: ~
service: ~
nubus:

10
helmfile/environments/default/charts.yaml.gotmpl
View File

@@ -294,14 +294,14 @@ charts:
version: "1.0.1"
verify: true
notes:
# providerCategory: "Supplier"
# providerCategory: "Platform"
# providerResponsible: "openDesk"
# upstreamRegistry: "https://gitlab.opencode.de"
# packageName=bmi/opendesk/components/supplier/dinum/charts/notes
# upstreamRegistry: "https://registry.opencode.de"
# packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/supplier/dinum/charts/notes"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
name: "impress"
version: "2.0.0"
version: "1.0.0"
verify: true
nubus:
# providerCategory: "Supplier"