diff --git a/docs/external-secrets.md b/docs/external-secrets.md new file mode 100644 index 00000000..85664635 --- /dev/null +++ b/docs/external-secrets.md @@ -0,0 +1,38 @@ + + +

External Secrets

+
+This document covers how to utilise external secrets and special requirements.
+
+
+* [General](#general)
+* [Components](#components)
+ * [XWiki](#xwiki)
+
+
+# General
+
+For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
+
+The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
+
+# Components
+
+This section covers information and special requirements to external secrets that some Helm Charts expect.
+
+## XWiki
+
+Properties listed in the file of the external secret will overwrite plain values.
+
+Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
+
+```yaml
+stringData:
+ propertiesFile: |
+ propertie1=propertie1Value
+ propertie2=propertie2Value
+ propertie3=propertie3Value
+```
\ No newline at end of file
diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl
index 4bcc7d82..72d096d8 100644
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -30,10 +30,13 @@ javaOptsSecrets: trustStorePassword: option: "-Djavax.net.ssl.trustStorePassword=" value: {{ .Values.secrets.certificates.password }} + secret: + name: {{ .Values.externalSecrets.certificates.password.name | quote }} + key: {{ .Values.externalSecrets.certificates.password.key | quote }} {{- end }} externalDB: - {{- if eq .Values.databases.xwiki.type "mariadb" }} + {{- if eq .Values.databases.xwiki.type "mariadb" }} password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }} {{- else }} password: {{ .Values.databases.xwiki.password | default .Values.secrets.postgresql.xwikiUser | quote }}
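Review bot: The new `secret:` block under `trustStorePassword` is emitted unconditionally, and with the `~` defaults that the new `external_secrets.yaml.gotmpl` ships, `| quote` on a nil value renders nothing (Sprig's `quote` drops nil arguments), so the chart receives a `secret:` map with null `name` and `key` next to the plain `value:`. Whether the upstream xwiki chart treats a present-but-null `secret.name` as "no secret" or renders a `secretKeyRef` with an empty name is not visible here; wrapping the three added lines in `{{- if .Values.externalSecrets.certificates.password.name }}` … `{{- end }}` makes the intent explicit either way and mirrors the `.name` test the `customKeyRef` hunk already uses. The same pattern recurs in the four `secret:` blocks of the `@@ -119,14 +133,26 @@` hunk and in `propertiesSecret` in the `@@ -235,8 +261,8 @@` hunk, where the former `""` defaults now become null. The enclosing `javaOptsSecrets` map begins before this hunk.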
@@ -42,7 +45,18 @@ externalDB: user: {{ .Values.databases.xwiki.username | quote }} host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }} customKeyRef: + {{- if or (.Values.externalSecrets.mariadb.rootPassword.name) (.Values.externalSecrets.postgresql.xwikiUser.name) }} + enabled: true + {{- else }} enabled: false + {{- end }} + {{- if eq .Values.databases.xwiki.type "mariadb" }} + name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }} + key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }} + {{- else }} + name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }} + key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }} + {{- end }} securityContext: enabled: true @@ -119,14 +133,26 @@ customConfigsSecrets: ## Password of "superadmin" user, disables account if not password is set xwiki.superadminpassword: value: {{ .Values.secrets.xwiki.superadminpassword | quote }} + secret: + name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }} + key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }} {{ end }} xwiki.authentication.ldap.bind_pass: value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }} + secret: + name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }} + key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }} xwiki.properties: oidc.secret: value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }} + secret: + name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }} + key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }} workplaceServices.portalSecret: value: {{ .Values.secrets.centralnavigation.apiKey | quote }} + secret: + name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }} + key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }} ingress: enabled: {{ .Values.ingress.enabled }} 
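Review bot: The `enabled` toggle for `customKeyRef` tests both `externalSecrets.mariadb.rootPassword.name` and `externalSecrets.postgresql.xwikiUser.name` regardless of `databases.xwiki.type`, while the `name`/`key` lines that follow are chosen by type, so a PostgreSQL deployment with only the MariaDB reference set (or the reverse) renders `enabled: true` together with a null secret name. Folding the toggle into the existing type switch keeps the two decisions consistent, as in the excerpt below. Separately, the MariaDB branch references the root password as the XWiki database credential, mirroring the existing fallback on the context line above; a dedicated per-application secret like the PostgreSQL `xwikiUser` entry would keep the root credential out of the XWiki release, which is worth a follow-up rather than a change to this commit. The `externalDB` map and the `customConfigsSecrets` map of the `@@ -119,14 +133,26 @@` hunk both extend beyond their hunks.
```yaml
customKeyRef:
  {{- if eq .Values.databases.xwiki.type "mariadb" }}
  enabled: {{ not (empty .Values.externalSecrets.mariadb.rootPassword.name) }}
  name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
  key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
  {{- else }}
  enabled: {{ not (empty .Values.externalSecrets.postgresql.xwikiUser.name) }}
  name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
  key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
  {{- end }}
# … unchanged: securityContext and the rest of externalDB …
```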
@@ -235,8 +261,8 @@ properties: ## Properties listed in the secret file will overwrite plain values propertiesSecret: - name: "" - key: "" + name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }} + key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }} cluster: replicas: {{ .Values.replicas.xwiki }}
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
new file mode 100644
index 00000000..e775ed39
--- /dev/null
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+externalSecrets:
+ centralnavigation:
+ apiKey:
+ name: ~
+ key: ~
+ certificates:
+ password:
+ name: ~
+ key: ~
+ keycloak:
+ clientSecret:
+ xwiki:
+ name: ~
+ key: ~
+ nubus:
+ ldapSearch:
+ xwiki:
+ name: ~
+ key: ~
+ mariadb:
+ rootPassword:
+ name: ~
+ key: ~
+ postgresql:
+ xwikiUser:
+ name: ~
+ key: ~
+ xwiki:
+ xwikiSuperadminpassword:
+ name: ~
+ key: ~
+ propertiesSecret:
+ name: ~
+ key: ~
+...
\ No newline at end of file
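Review bot: The new values file carries no comment on what each `name`/`key` pair means, although the XWiki template consumes them as `secret.name`/`secret.key` and `customKeyRef.name`/`key`, i.e. as references to a Secret that has to exist before the release is installed. A short comment after the SPDX block — that `name` is the Kubernetes Secret to reference and `key` the entry within its data, that leaving both at `~` keeps the plain value from `values.yaml` in use, and that the `mariadb`/`postgresql` entries are only read for the matching `databases.xwiki.type` — would spare readers a trip through the templates; presumably the Secret is expected in the release namespace, which is worth confirming against the chart and stating in the same comment.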