feat(docs): Add initial documentation for external secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>
This commit is contained in:
Axel Lender
2025-06-06 08:35:08 +02:00
parent 2c13b9672e
commit 311c05c420
2 changed files with 51 additions and 3 deletions

40
docs/external-secrets.md Normal file

@@ -0,0 +1,40 @@
<!--
SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
-->
<h1>External Secrets</h1>
This document covers how to utilise external secrets and special requirements.
<!-- TOC -->
* [General](#general)
* [Components](#components)
* [MinIO](#minio)
<!-- TOC -->
# General
For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
# Components
This section covers information and special requirements to external secrets that some Helm Charts expect.
## MinIO
Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in external secrets listed in `usersExistingSecrets` have to be formatted as follows:
```yaml
stringData:
username1: |
username=test-username
password=test-password
disabled=false
policies=readwrite,consoleAdmin,diagnostics
setPolicies=fa
```
Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.
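Review bot: `setPolicies=fa` in the MinIO example looks truncated; the field takes a boolean, so it presumably should read `setPolicies=false` (please check against the linked upstream `values.yaml`). The closing paragraph says plain key-value secrets must additionally be created for the components that do not understand MinIO's multi-line format, but not which keys they expect or where those references live; a pointer to the relevant entries in `external_secrets.yaml.gotmpl` would close that gap, and since the same MinIO password then exists in two secrets, a sentence noting that both must be rotated together would help operators. Minor: the title uses an HTML `<h1>` while the rest of the file uses Markdown `#` headings; `# External Secrets` keeps it consistent with the TOC markers.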

View File

@@ -1,4 +1,5 @@
<!-- <!--
SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0 SPDX-License-Identifier: Apache-2.0
--> -->
@@ -8,9 +9,10 @@ SPDX-License-Identifier: Apache-2.0
This document covers the current status of security measures. This document covers the current status of security measures.
<!-- TOC --> <!-- TOC -->
* [Helm chart trust chain](#helm-chart-trust-chain) * [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes security enforcements](#kubernetes-security-enforcements) * [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [Network policies](#network-policies) * [NetworkPolicies](#networkpolicies)
* [External Secrets](#external-secrets)
<!-- TOC --> <!-- TOC -->
# Helm chart trust chain # Helm chart trust chain
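Review bot: the TOC entries are re-capitalised ("Helm Chart Trust Chain", "Kubernetes Security Enforcements", "NetworkPolicies") but the heading on the last context line is still `# Helm chart trust chain`, so the TOC text now disagrees with the headings it points to; either keep the original casing or rename the headings in the same commit. The anchor change from `#network-policies` to `#networkpolicies` only resolves if the corresponding heading has actually been renamed to `NetworkPolicies`, which this diff does not show; please confirm, otherwise the link breaks.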
@@ -49,3 +51,9 @@ security:
otterizeIntents: otterizeIntents:
enabled: true enabled: true
``` ```
# External Secrets
We urge you to use external secrets for your confidential credentials.
For further explanation and documentation please visit [External Secrets](./docs/external-secrets.md).
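Review bot: the link `./docs/external-secrets.md` is resolved relative to this file's own location; if this security document itself lives inside `docs/` (next to the new `docs/external-secrets.md`), the correct path would be `./external-secrets.md`, so please verify the link works in the rendered repository. A one-line rationale here (the external secret supersedes any password set inline in `values.yaml`, as the new document states, so credentials stay out of the values files) would make the recommendation actionable rather than just an urging.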