feat(helm): Template support for XWiki external secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>

docs/external-secrets.md

@@ -0,0 +1,38 @@
+<!--
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>External Secrets</h1>
+
+This document covers how to utilise external secrets and special requirements.
+
+<!-- TOC -->
+* [General](#general)
+* [Components](#components)
+  * [XWiki](#xwiki)
+<!-- TOC -->
+
+# General
+
+For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
+
+The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
+
+# Components
+
+This section covers information and special requirements to external secrets that some Helm Charts expect.
+
+## XWiki
+
+Properties listed in the file of the external secret will overwrite plain values.
+
+Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
+
+```yaml
+stringData:
+  propertiesFile: |
+    propertie1=propertie1Value
+    propertie2=propertie2Value
+    propertie3=propertie3Value
+```

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -30,10 +30,13 @@ javaOptsSecrets:
   trustStorePassword:
     option: "-Djavax.net.ssl.trustStorePassword="
     value: {{ .Values.secrets.certificates.password }}
+    secret:
+      name: {{ .Values.externalSecrets.certificates.password.name | quote }}
+      key: {{ .Values.externalSecrets.certificates.password.key | quote }}
   {{- end }}
 
 externalDB:
-  {{- if eq .Values.databases.xwiki.type "mariadb" }}
+   {{- if eq .Values.databases.xwiki.type "mariadb" }}
   password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
   {{- else }}
   password: {{ .Values.databases.xwiki.password | default .Values.secrets.postgresql.xwikiUser | quote }}
@@ -42,7 +45,18 @@ externalDB:
   user: {{ .Values.databases.xwiki.username | quote }}
   host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
   customKeyRef:
+    {{- if or (.Values.externalSecrets.mariadb.rootPassword.name) (.Values.externalSecrets.postgresql.xwikiUser.name) }}
+    enabled: true
+    {{- else }}
     enabled: false
+    {{- end }}
+    {{- if eq .Values.databases.xwiki.type "mariadb" }}
+    name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
+    key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
+    {{- else }}
+    name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
+    key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
+    {{- end }}
 
 securityContext:
   enabled: true
@@ -119,14 +133,26 @@ customConfigsSecrets:
     ## Password of "superadmin" user, disables account if not password is set
     xwiki.superadminpassword:
       value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
+        key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
     {{ end }}
     xwiki.authentication.ldap.bind_pass:
       value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }}
+        key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }}
   xwiki.properties:
     oidc.secret:
       value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }}
+        key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }}
     workplaceServices.portalSecret:
       value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+      secret:
+        name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
+        key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
@@ -235,8 +261,8 @@ properties:
 
 ## Properties listed in the secret file will overwrite plain values
 propertiesSecret:
-  name: ""
-  key: ""
+  name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }}
+  key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }}
 
 cluster:
   replicas: {{ .Values.replicas.xwiki }}

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+externalSecrets:
+  centralnavigation:
+    apiKey:
+      name: ~
+      key: ~
+  certificates:
+    password:
+      name: ~
+      key: ~
+  keycloak:
+    clientSecret:
+      xwiki:
+        name: ~
+        key: ~
+  nubus:
+    ldapSearch:
+      xwiki:
+        name: ~
+        key: ~
+  mariadb:
+    rootPassword:
+      name: ~
+      key: ~
+  postgresql:
+    xwikiUser:
+      name: ~
+      key: ~
+  xwiki:
+    xwikiSuperadminpassword:
+      name: ~
+      key: ~
+    propertiesSecret:
+      name: ~
+      key: ~
+...