mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-06 15:31:38 +01:00
feat(openproject): Template external secrets
Signed-off-by: Axel Lender <lender@b1-systems.de>
This commit is contained in:
Axel Lender
@@ -14,6 +14,7 @@ This document covers how to utilise external secrets and special requirements. T
|
||||
* [Keycloak](#keycloak)
|
||||
* [MinIO](#minio)
|
||||
* [Notes](#notes)
|
||||
* [OpenProject](#openproject)
|
||||
* [XWiki](#xwiki)
|
||||
<!-- TOC -->
|
||||
|
||||
@@ -150,6 +151,20 @@ backend:
|
||||
value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
|
||||
```
|
||||
|
||||
## OpenProject
|
||||
|
||||
Here we need a custom secret to inject confidential data into environment variables as expected by OpenProject.
|
||||
|
||||
```yaml
|
||||
stringData:
|
||||
OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
|
||||
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
|
||||
```
|
||||
|
||||
## XWiki
|
||||
|
||||
Properties listed in the file of the external secret will overwrite plain values.
|
||||
|
||||
@@ -36,9 +36,17 @@ dbInit:
|
||||
{{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
|
||||
|
||||
environment:
|
||||
{{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
|
||||
{{- if and (not .Values.externalSecrets.openproject.environment)
|
||||
(and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token) }}
|
||||
OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.externalSecrets.openproject.environment }}
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
|
||||
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
|
||||
{{- end }}
|
||||
# For more details and more options see
|
||||
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/
|
||||
OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
|
||||
@@ -52,7 +60,6 @@ environment:
|
||||
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
|
||||
@@ -69,13 +76,9 @@ environment:
|
||||
"(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
|
||||
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
|
||||
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
|
||||
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
|
||||
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
|
||||
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
|
||||
OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
|
||||
OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
|
||||
OPENPROJECT_SMTP__PORT: 587
|
||||
OPENPROJECT_SMTP__SSL: "false" # (default=false)
|
||||
OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
|
||||
@@ -139,6 +142,10 @@ postgresql:
|
||||
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
|
||||
username: {{ .Values.databases.openproject.username | quote }}
|
||||
database: {{ .Values.databases.openproject.name | quote }}
|
||||
existingSecret: {{ .Values.externalSecrets.databases.openproject.name | quote }}
|
||||
secretKeys:
|
||||
adminPasswordKey: {{ .Values.externalSecrets.databases.openproject.adminPasswordKey | quote }}
|
||||
userPasswordKey: {{ .Values.externalSecrets.databases.openproject.userPasswordKey | quote }}
|
||||
connection:
|
||||
host: {{ .Values.databases.openproject.host | quote }}
|
||||
port: {{ .Values.databases.openproject.port }}
|
||||
@@ -164,6 +171,9 @@ openproject:
|
||||
# Lock the admin user, preventing internal logins.
|
||||
# Switch to true once the NC filestore bootstrapping is optimized.
|
||||
locked: false
|
||||
secret: {{ .Values.externalSecrets.openproject.adminUser.name | quote }}
|
||||
secretKeys:
|
||||
password: {{ .Values.externalSecrets.openproject.adminUser.key | quote }}
|
||||
oidc:
|
||||
enabled: true
|
||||
authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
|
||||
@@ -173,6 +183,10 @@ openproject:
|
||||
provider: "keycloak"
|
||||
scope: "[openid,opendesk-openproject-scope]"
|
||||
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
|
||||
existingSecret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.name | quote }}
|
||||
secretKeys:
|
||||
identifier: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.identifier | quote }}
|
||||
secret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.key | quote }}
|
||||
tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
|
||||
userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
|
||||
attribute_map:
|
||||
@@ -181,6 +195,7 @@ openproject:
|
||||
useTmpVolumes: true
|
||||
tmpVolumesAnnotations:
|
||||
{{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
|
||||
extraEnvVarsSecret: {{ .Values.externalSecrets.openproject.environment | quote }}
|
||||
|
||||
serviceAccount:
|
||||
annotations:
|
||||
@@ -224,6 +239,10 @@ s3:
|
||||
auth:
|
||||
accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
|
||||
secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
|
||||
existingSecret: {{ .Values.externalSecrets.objectstores.openproject.name | quote }}
|
||||
secretKeys:
|
||||
accessKeyId: {{ .Values.externalSecrets.objectstores.openproject.accessKeyId | quote }}
|
||||
secretAccessKey: {{ .Values.externalSecrets.objectstores.openproject.secretAccessKey | quote }}
|
||||
|
||||
seederJob:
|
||||
annotations:
|
||||
|
||||
@@ -61,6 +61,10 @@ externalSecrets:
|
||||
user:
|
||||
name: ~
|
||||
key: ~
|
||||
openproject:
|
||||
name: ~
|
||||
adminPasswordKey: ~
|
||||
userPasswordKey: ~
|
||||
umsGuardianManagementApi:
|
||||
password:
|
||||
name: ~
|
||||
@@ -111,13 +115,17 @@ externalSecrets:
|
||||
intercom:
|
||||
name: ~
|
||||
key: ~
|
||||
nextcloudOidc:
|
||||
name: ~
|
||||
key: ~
|
||||
notes:
|
||||
name: ~
|
||||
key: ~
|
||||
xwiki:
|
||||
openproject:
|
||||
name: ~
|
||||
key: ~
|
||||
nextcloudOidc:
|
||||
identifier: ~
|
||||
xwiki:
|
||||
name: ~
|
||||
key: ~
|
||||
clients:
|
||||
@@ -201,7 +209,14 @@ externalSecrets:
|
||||
secretKey:
|
||||
name: ~
|
||||
key: ~
|
||||
openproject:
|
||||
name: ~
|
||||
accessKeyId: ~
|
||||
secretAccessKey: ~
|
||||
openproject:
|
||||
adminUser:
|
||||
name: ~
|
||||
key: ~
|
||||
apiAdmin:
|
||||
password:
|
||||
name: ~
|
||||
@@ -209,6 +224,7 @@ externalSecrets:
|
||||
username:
|
||||
name: ~
|
||||
key: ~
|
||||
environment: ~
|
||||
openxchangeConnector:
|
||||
provisioningApiPassword:
|
||||
name: ~
|
||||
@@ -242,4 +258,4 @@ externalSecrets:
|
||||
propertiesSecret:
|
||||
name: ~
|
||||
key: ~
|
||||
...
|
||||
...
|
||||
|
||||
Reference in New Issue
Block a user