sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 23:41:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat(openproject): Template external secrets

Browse Source 
Signed-off-by: Axel Lender <lender@b1-systems.de>
This commit is contained in:
Axel Lender
2025-10-10 12:42:46 +02:00
parent c98aa3a0cd
commit 3f2cf149e7
3 changed files with 59 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/external-secrets.md
View File

@@ -14,6 +14,7 @@ This document covers how to utilise external secrets and special requirements. T
* [Keycloak](#keycloak) * [Keycloak](#keycloak)
* [MinIO](#minio) * [MinIO](#minio)
* [Notes](#notes) * [Notes](#notes)
* [OpenProject](#openproject)
* [XWiki](#xwiki) * [XWiki](#xwiki)
<!-- TOC --> <!-- TOC -->
@@ -150,6 +151,20 @@ backend:
value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7" value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
``` ```
## OpenProject
Here we need a custom secret to inject confidential data into environment variables as expected by OpenProject.
```yaml
stringData:
OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
```
## XWiki ## XWiki
Properties listed in the file of the external secret will overwrite plain values. Properties listed in the file of the external secret will overwrite plain values.

31
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -36,9 +36,17 @@ dbInit:
{{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }} {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
environment: environment:
{{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }} {{- if and (not .Values.externalSecrets.openproject.environment)
(and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token) }}
OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }} OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
{{- end }} {{- end }}
{{- if not .Values.externalSecrets.openproject.environment }}
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
{{- end }}
# For more details and more options see # For more details and more options see
# https://www.openproject.org/docs/installation-and-operations/configuration/environment/ # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}" OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
@@ -52,7 +60,6 @@ environment:
# Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }} OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389" OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap" OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}" OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}" OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
@@ -69,13 +76,9 @@ environment:
"(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))" "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true" OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn" OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}" OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }} OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }} OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
OPENPROJECT_SMTP__PORT: 587 OPENPROJECT_SMTP__PORT: 587
OPENPROJECT_SMTP__SSL: "false" # (default=false) OPENPROJECT_SMTP__SSL: "false" # (default=false)
OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }} OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -139,6 +142,10 @@ postgresql:
password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }} password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
username: {{ .Values.databases.openproject.username | quote }} username: {{ .Values.databases.openproject.username | quote }}
database: {{ .Values.databases.openproject.name | quote }} database: {{ .Values.databases.openproject.name | quote }}
existingSecret: {{ .Values.externalSecrets.databases.openproject.name | quote }}
secretKeys:
adminPasswordKey: {{ .Values.externalSecrets.databases.openproject.adminPasswordKey | quote }}
userPasswordKey: {{ .Values.externalSecrets.databases.openproject.userPasswordKey | quote }}
connection: connection:
host: {{ .Values.databases.openproject.host | quote }} host: {{ .Values.databases.openproject.host | quote }}
port: {{ .Values.databases.openproject.port }} port: {{ .Values.databases.openproject.port }}
@@ -164,6 +171,9 @@ openproject:
# Lock the admin user, preventing internal logins. # Lock the admin user, preventing internal logins.
# Switch to true once the NC filestore bootstrapping is optimized. # Switch to true once the NC filestore bootstrapping is optimized.
locked: false locked: false
secret: {{ .Values.externalSecrets.openproject.adminUser.name | quote }}
secretKeys:
password: {{ .Values.externalSecrets.openproject.adminUser.key | quote }}
oidc: oidc:
enabled: true enabled: true
authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth" authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
@@ -173,6 +183,10 @@ openproject:
provider: "keycloak" provider: "keycloak"
scope: "[openid,opendesk-openproject-scope]" scope: "[openid,opendesk-openproject-scope]"
secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }} secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
existingSecret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.name | quote }}
secretKeys:
identifier: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.identifier | quote }}
secret: {{ .Values.externalSecrets.keycloak.clientSecret.openproject.key | quote }}
tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token" tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo" userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
attribute_map: attribute_map:
@@ -181,6 +195,7 @@ openproject:
useTmpVolumes: true useTmpVolumes: true
tmpVolumesAnnotations: tmpVolumesAnnotations:
{{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }} {{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
extraEnvVarsSecret: {{ .Values.externalSecrets.openproject.environment | quote }}
serviceAccount: serviceAccount:
annotations: annotations:
@@ -224,6 +239,10 @@ s3:
auth: auth:
accessKeyId: {{ .Values.objectstores.openproject.username | quote }} accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }} secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
existingSecret: {{ .Values.externalSecrets.objectstores.openproject.name | quote }}
secretKeys:
accessKeyId: {{ .Values.externalSecrets.objectstores.openproject.accessKeyId | quote }}
secretAccessKey: {{ .Values.externalSecrets.objectstores.openproject.secretAccessKey | quote }}
seederJob: seederJob:
annotations: annotations:

22
helmfile/environments/default/external_secrets.yaml.gotmpl
View File

@@ -61,6 +61,10 @@ externalSecrets:
user: user:
name: ~ name: ~
key: ~ key: ~
openproject:
name: ~
adminPasswordKey: ~
userPasswordKey: ~
umsGuardianManagementApi: umsGuardianManagementApi:
password: password:
name: ~ name: ~
@@ -111,13 +115,17 @@ externalSecrets:
intercom: intercom:
name: ~ name: ~
key: ~ key: ~
nextcloudOidc:
name: ~
key: ~
notes: notes:
name: ~ name: ~
key: ~ key: ~
xwiki: openproject:
name: ~ name: ~
key: ~ key: ~
nextcloudOidc: identifier: ~
xwiki:
name: ~ name: ~
key: ~ key: ~
clients: clients:
@@ -201,7 +209,14 @@ externalSecrets:
secretKey: secretKey:
name: ~ name: ~
key: ~ key: ~
openproject:
name: ~
accessKeyId: ~
secretAccessKey: ~
openproject: openproject:
adminUser:
name: ~
key: ~
apiAdmin: apiAdmin:
password: password:
name: ~ name: ~
@@ -209,6 +224,7 @@ externalSecrets:
username: username:
name: ~ name: ~
key: ~ key: ~
environment: ~
openxchangeConnector: openxchangeConnector:
provisioningApiPassword: provisioningApiPassword:
name: ~ name: ~
@@ -242,4 +258,4 @@ externalSecrets:
propertiesSecret: propertiesSecret:
name: ~ name: ~
key: ~ key: ~
... ...