fix(helmfile): Improve debugging

docs/components.md

@@ -58,12 +58,14 @@ Some use cases require inter component integration.
 ```mermaid
 flowchart TD
   OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
+  Element-->|CentralNavigation|IntercomService
   IntercomService-->|SilentLogin, TokenExchange|IdP
   IntercomService-->|Filepicker|Nextcloud
   IntercomService-->|CentralNavigation|Portal
   OXAppSuiteBackend-->|Filepicker|Nextcloud
   Nextcloud-->|CentralNavigation|Portal
   OpenProject-->|CentralNavigation|Portal
+  OpenProject-->|Filestore|Nextcloud
   XWiki-->|CentralNavigation|Portal
   Nextcloud-->|CentralContacts|OXAppSuiteBackend
   OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
@@ -124,7 +126,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    X[XWiki]-->|in 2023|L
+    X[XWiki]-->L
     A-->K
     N-->K
     D-->K

docs/debugging.md

@@ -0,0 +1,83 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+<h1>Debugging</h1>
+
+* [Disclaimer](#disclaimer)
+* [Enable debugging](#enable-debugging)
+* [Components](#components)
+  * [MariaDB](#mariadb)
+  * [Nextcloud](#nextcloud)
+  * [OpenProject](#openproject)
+  * [PostgreSQL](#postgresql)
+
+# Disclaimer
+
+This document collects information how to deal with debugging an openDesk deployment.
+
+It will be extended over time as we have to deal with debugging cases.
+
+We for sure do not want to reinvent the wheel, so we might link to external sources that contain helpful
+information where available.
+
+**Note:** You should never enable debug in production environments! By looking up `debug.enable` in the deployment you
+will find the various places changes are applied when enabling debugging. So outside of development and test
+environments you may want to make use of them in a very thoughtful and selective manner if needed.
+
+# Enable debugging
+
+Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
+component's loglevel to debug and it get some features like:
+- The `/admin` console is routed for Keycloak.
+- An ingress for `http://minio-console.<your_domain>` is configured.
+and set the loglevel for components to "Debug".
+
+**Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
+
+# Components
+
+## MariaDB
+
+When using the openDesk bundled MariaDB you can explore database(s) using the MariaDB interactive terminal from the pod's command line: `mariadb -u root -p`. As password provide the value for `MARIADB_ROOT_PASSWORD` set in the pod's environment.
+
+While you will find all details for the CLI tool in [the online documentation](https://mariadb.com/kb/en/mariadb-command-line-client/), some quick commands are:
+
+- `help`: Get help on the psql command set
+- `show databases`: Lists all databases
+- `use <databasename>`: Connect to `<databasename>`
+- `show tables`: Lists tables within the currently connected database
+- `quit`: Quit the client
+
+## Nextcloud
+
+`occ` is the CLI for Nextcloud, all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
+
+You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+
+## OpenProject
+
+OpenProject is a Ruby on Rails application. Therefore you can make use of the Rails console from the pod's command line `bundle exec rails console`
+
+and run debug code like this:
+
+```
+uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
+Net::HTTP.start(uri.host, uri.port,
+  :use_ssl => uri.scheme == 'https') do |http|
+  request = Net::HTTP::Get.new uri
+  response = http.request request # Net::HTTPResponse object
+end
+```
+
+## PostgreSQL
+
+When using the openDesk bundled PostgreSQL you can explore database(s) using the PostgreSQL interactive terminal from the pod's command line: `psql -U postgres`.
+
+While you will find all details in the [psql subsection](https://www.postgresql.org/docs/current/app-psql.html)) of the PostgreSQL documentation, some quick commands are:
+
+- `\?`: Get help on the psql command set
+- `\l`: Lists all databases
+- `\c <databasename>`: Connect to `<databasename>`
+- `\dt`: List (describe) tables within the currently connected database
+- `\q`: Quit the client

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -14,6 +14,9 @@ global:
 additionalAnnotations:
   intents.otterize.com/service-name: "opendesk-nextcloud-php"
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 configuration:
   administrator:
     username: "nextcloud"
@@ -84,6 +87,9 @@ containerSecurityContext:
   readOnlyRootFilesystem: false
   runAsNonRoot: true
 
+debug:
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
   repository: "{{ .Values.images.nextcloudManagement.repository }}"
@@ -95,4 +101,5 @@ theme:
 
 resources:
   {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
+
 ...

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -75,6 +75,10 @@ php:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+  cron:
+    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
+  debug:
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
     repository: "{{ .Values.images.nextcloudPHP.repository }}"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -23,7 +23,7 @@ containerSecurityContext:
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ .Values.debug.logLevel | lower | quote }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -17,10 +17,10 @@ ingress:
 
 oxConnector:
   caCert: "ucctempldapstring"
-  debugLevel: "5"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ .Values.debug.logLevel | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -40,6 +40,7 @@ image:
   tag: "{{ .Values.images.minio.tag }}"
   pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+{{- if .Values.debug.enabled }}
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   ingressClassName: {{ .Values.ingress.ingressClassName }}
@@ -50,6 +51,7 @@ ingress:
       secretName: "{{ .Values.ingress.tls.secretName }}"
   annotations:
     nginx.org/websocket-services: "minio"
+{{- end }}
 
 livenessProbe:
   enabled: true

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -7,7 +7,7 @@ guardianAuthorizationApi:
   guardianAuthzAdapterAppPersistencePort: "udm_data"
   guardianAuthzAdapterPolicyPort: "opa"
   guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   guardianAuthzLoggingStructured: false
   guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   home: "/guardian_service_dir"

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -16,7 +16,7 @@ guardianManagementApi:
   guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
   guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
   guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: "DEBUG"
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   guardianManagementLoggingStructured: false
   guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   guardianManagementBaseUrl: "http://0.0.0.0:8000"

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -195,7 +195,7 @@ config:
         authorizationServicesEnabled: false
         attributes:
           backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk-nextcloud"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         protocolMappers:
           - name: "context"

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -35,7 +35,7 @@ portalListener:
   portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"
-  debugLevel: "4"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   tlsMode: "off"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -16,7 +16,7 @@ portalServer:
   editable: "false"
   umcGetUrl: "http://ums-umc-server/get"
   umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ .Values.debug.logLevel | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
   ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
   centralNavigation:

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl

@@ -44,7 +44,7 @@ selfserviceListener:
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: {{ .Values.ldap.notifierHost | quote }}
   umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-  debugLevel: "4"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   tlsMode: "off"
   umcServerUrl: "http://ums-umc-server"
   umcAdminUser: "default.admin"

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -43,7 +43,6 @@ stackDataContext:
   ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
   initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
 
-
 stackDataUms:
   loadDevData: true
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -59,6 +59,10 @@ proxy:
       nginx.org/proxy-buffer-size: "8k"
       nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
     paths:
+      {{- if .Values.debug.enabled }}
+      - pathType: "Prefix"
+        path: "/admin"
+      {{- end }}
       - pathType: "Prefix"
         path: "/realms"
       - pathType: "Prefix"

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -25,7 +25,7 @@ config:
     user: {{ .Values.databases.keycloak.username | quote }}
     database: {{ .Values.databases.keycloak.name | quote }}
     password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ .Values.debug.logLevel | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   enableMetrics: true
   # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
   # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly

helmfile/environments/default/debug.yaml

@@ -11,6 +11,9 @@ cleanup:
   # Keep additional resources, like certificates on deletion of this release.
   keepRessourceOnDelete: true
 debug:
-  # Currently used in: umsKeycloak
-  logLevel: "INFO"
+  # should activate debug output in all components and even allow e.g. successfully executed jobs
+  # to stay available. This is going to be implemented on a case by case basis when we actually
+  # need debugging in a component.
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
+  enabled: false
 ...