From 3f2cf149e7121aaca5aa5f4b257cae8a620b54c6 Mon Sep 17 00:00:00 2001
From: Axel Lender
Date: Fri, 10 Oct 2025 12:42:46 +0200
Subject: [PATCH] feat(openproject): Template external secrets

Signed-off-by: Axel Lender
---
 docs/external-secrets.md | 15 +++++++++
 helmfile/apps/openproject/values.yaml.gotmpl | 31 +++++++++++++++----
 .../default/external_secrets.yaml.gotmpl | 22 +++++++++++--
 3 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/docs/external-secrets.md b/docs/external-secrets.md
index 70afa75b..bc992168 100644
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -14,6 +14,7 @@ This document covers how to utilise external secrets and special requirements. T
 * [Keycloak](#keycloak)
 * [MinIO](#minio)
 * [Notes](#notes)
+ * [OpenProject](#openproject)
 * [XWiki](#xwiki)
 
@@ -150,6 +151,20 @@ backend:
 value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
 ```
 
+## OpenProject
+
+Here we need a custom secret to inject confidential data into environment variables as expected by OpenProject.
+
+```yaml
+stringData:
+  OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+```
+
 ## XWiki
 
 Properties listed in the file of the external secret will overwrite plain values.
diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl
index 9c5af17a..ecb0ff1f 100644
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -36,9 +36,17 @@ dbInit:
   {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 
 environment:
-  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
+  {{- if and (not .Values.externalSecrets.openproject.environment)
+    (and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token) }}
   OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
   {{- end }}
+  {{- if not .Values.externalSecrets.openproject.environment }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+  {{- end }}
   # For more details and more options see
   # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
   OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
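Review bot: Putting the enterprise token behind `not .Values.externalSecrets.openproject.environment` removes the `OPENDESK_ENTERPRISE` gate on the external-secret path, and the docs example added by this commit lists `OPENPROJECT_SEED__ENTERPRISE__TOKEN` unconditionally, so a non-enterprise deployment that uses the external Secret would set that variable to an empty string where the inline path omits it entirely; whether OpenProject treats empty and absent alike is not visible here, so either confirm it or document the key as optional. Since `and` is variadic in Go templates, the nested `(and ...)` can be flattened to `{{- if and (not .Values.externalSecrets.openproject.environment) (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}`. A comment above the two guarded blocks would also help operators, e.g. `# Inline secret values are rendered only when no Secret is supplied via externalSecrets.openproject.environment (consumed as extraEnvVarsSecret).` The `environment:` mapping continues past the end of this hunk.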
@@ -52,7 +60,6 @@ environment:
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
@@ -69,13 +76,9 @@ environment:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
-  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
-  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
-  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
-  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
   OPENPROJECT_SMTP__PORT: 587
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -139,6 +142,10 @@ postgresql:
     password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
     username: {{ .Values.databases.openproject.username | quote }}
     database: {{ .Values.databases.openproject.name | quote }}
+    existingSecret: {{ .Values.externalSecrets.databases.openproject.name | quote }}
+    secretKeys:
+      adminPasswordKey: {{ .Values.externalSecrets.databases.openproject.adminPasswordKey | quote }}
+      userPasswordKey: {{ .Values.externalSecrets.databases.openproject.userPasswordKey | quote }}
   connection:
     host: {{ .Values.databases.openproject.host | quote }}
     port: {{ .Values.databases.openproject.port }}
@@ -164,6 +171,9 @@ openproject:
     # Lock the admin user, preventing internal logins.
     # Switch to true once the NC filestore bootstrapping is optimized.
     locked: false
+    secret: {{ .Values.externalSecrets.openproject.adminUser.name | quote }}
+    secretKeys:
+      password: {{ .Values.externalSecrets.openproject.adminUser.key | quote }}
   oidc:
     enabled: true
     authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
@@ -173,6 +183,10 @@ openproject:
     provider: "keycloak"
     scope: "[openid,opendesk-openproject-scope]"
     secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+    existingSecret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.name | quote }}
+    secretKeys:
+      identifier: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.identifier | quote }}
+      secret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.key | quote }}
     tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
     userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
     attribute_map:
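Review bot: `password:` with its `.Values.secrets.postgresql.openprojectUser` fallback is still rendered directly beside the new `existingSecret:`, so the plaintext value keeps landing in the rendered values (and therefore in the Helm release secret) even when an external Secret is configured; the same holds for `secret:` next to `existingSecret:` in the oidc hunk below and for `secretAccessKey:` in the s3 hunk on the next line. The `environment:` block earlier in this file suppresses its inline secrets with `{{- if not ... }}` once an external Secret is set, so wrapping these values the same way, e.g. `{{- if not .Values.externalSecrets.databases.openproject.name }}` … `{{- end }}` around `password:`, would keep the two mechanisms consistent. Whether the chart ignores the inline value once `existingSecret` is set is not visible here, so confirm against the chart's templates before adding the guard.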
@@ -181,6 +195,7 @@ openproject:
   useTmpVolumes: true
   tmpVolumesAnnotations:
     {{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
+  extraEnvVarsSecret: {{ .Values.externalSecrets.openproject.environment | quote }}
 
 serviceAccount:
   annotations:
@@ -224,6 +239,10 @@ s3:
   auth:
     accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
     secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
+    existingSecret: {{ .Values.externalSecrets.objectstores.openproject.name | quote }}
+    secretKeys:
+      accessKeyId: {{ .Values.externalSecrets.objectstores.openproject.accessKeyId | quote }}
+      secretAccessKey: {{ .Values.externalSecrets.objectstores.openproject.secretAccessKey | quote }}
 
 seederJob:
   annotations:
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
index 0eec1da5..810d1a85 100644
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -61,6 +61,10 @@ externalSecrets:
     user:
       name: ~
       key: ~
+    openproject:
+      name: ~
+      adminPasswordKey: ~
+      userPasswordKey: ~
     umsGuardianManagementApi:
       password:
         name: ~
@@ -111,13 +115,17 @@ externalSecrets:
     intercom:
       name: ~
       key: ~
+    nextcloudOidc:
+      name: ~
+      key: ~
     notes:
       name: ~
       key: ~
-    xwiki:
+    openproject:
       name: ~
       key: ~
-    nextcloudOidc:
+      identifier: ~
+    xwiki:
       name: ~
       key: ~
     clients:
@@ -201,7 +209,14 @@ externalSecrets:
       secretKey:
         name: ~
         key: ~
+    openproject:
+      name: ~
+      accessKeyId: ~
+      secretAccessKey: ~
   openproject:
+    adminUser:
+      name: ~
+      key: ~
     apiAdmin:
       password:
         name: ~
@@ -209,6 +224,7 @@ externalSecrets:
       username:
         name: ~
         key: ~
+    environment: ~
   openxchangeConnector:
     provisioningApiPassword:
       name: ~
@@ -242,4 +258,4 @@ externalSecrets:
     propertiesSecret:
       name: ~
       key: ~
-...
\ No newline at end of file
+...
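Review bot: The two `openproject:` keys in the `@@ -201,7 +209,14 @@` hunk must sit at different depths — the added one under `objectstores` (values.yaml.gotmpl reads `.Values.externalSecrets.objectstores.openproject.*`) and the existing one directly under `externalSecrets` — because if both end up at the same indentation the YAML loader silently keeps the last mapping and the S3 `existingSecret` is rendered empty without any error. Indentation is not recoverable from this rendering of the patch, so please confirm the nesting and run yamllint with `key-duplicates` enabled over the rendered environment file. A one-line comment above the added key, such as `# S3 credentials for OpenProject; consumed as s3.auth.existingSecret in values.yaml.gotmpl`, would also make the two entries easy to tell apart when scanning the file.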
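Review bot: `environment: ~` in the `@@ -209,6 +224,7 @@` hunk is a bare Secret name, unlike its sibling entries which are `name`/`key` pairs, and nothing in the file states which keys that Secret has to contain or that setting it switches off the inline rendering of the LDAP bind password, API admin credentials, navigation secret and SMTP password in values.yaml.gotmpl. A comment such as `# Name of a Secret whose keys are injected verbatim as environment variables (extraEnvVarsSecret); required keys are listed in docs/external-secrets.md#openproject and inline secret values are not rendered once this is set` would stop operators from supplying a name/key pair here. The enclosing `openproject:` mapping starts before this hunk.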