From 6fd52b167eeed5c7e9eda2a21b209680131380ee Mon Sep 17 00:00:00 2001
From: Thomas Kaltenbrunner <tom@kaltenbrunner.it>
Date: Thu, 24 Jul 2025 16:24:05 +0200
Subject: [PATCH] fix(open-xchange): Use dedicated pod for migration

---
 .../groupware-migration.md                    |  4 +-
 .../values-openxchange.yaml.gotmpl            | 48 ++++++++++++++-----
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/docs/enhanced-configuration/groupware-migration.md b/docs/enhanced-configuration/groupware-migration.md
index a1a532c4..075fa35f 100644
--- a/docs/enhanced-configuration/groupware-migration.md
+++ b/docs/enhanced-configuration/groupware-migration.md
@@ -77,7 +77,7 @@ With openDesk 1.0 Enterprise, you can set openDesk's email components (OX AppSui
 ```
 secrets:
   oxAppSuite:
-    adminPassword: "your_temporary_master_password"
+    migrationsMasterPassword: "your_temporary_master_password"
 functional:
   migration:
     oxAppSuite:
@@ -89,7 +89,7 @@ functional:
 
 To validate the master authentication mode please read the appendix section at the end of the document.
 
-Updating your deployment with these settings will allow you to continue with the migration scenario. Once the migration is completed, you can remove `secrets.oxAppSuite.adminPassword` and need to turn off the migration mode by setting `functional.migration.oxAppSuite.enabled` to `false` or removing that setting, as `false` is the default before you update your deployment once again.
+Updating your deployment with these settings will allow you to continue with the migration scenario. Once the migration is completed, you can remove `secrets.oxAppSuite.migrationsMasterPassword` and need to turn off the migration mode by setting `functional.migration.oxAppSuite.enabled` to `false` or removing that setting, as `false` is the default before you update your deployment once again.
 
 > **Note**<br>
 > For the changes to take effect, it is sufficient to re-deploy the `open-xchange` component alone. But you have to restart the Dovecot Pod(s) manually when switching to/from the master authentication mode for the changes to take effect.
diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
index 3a5ef2b8..61a9d4cc 100644
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -240,9 +240,35 @@ appsuite:
               open-xchange-admin-soap: "enabled"
               open-xchange-admin-soap-usercopy: "enabled"
               open-xchange-admin-user-copy: "enabled"
-    {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
+      {{- if .Values.functional.migration.oxAppSuite.enabled }}
+      migration:
+        values:
+          packages:
+            status:
+              open-xchange-oidc: "disabled"
+              open-xchange-authentication-masterpassword: "enabled"
+          properties:
+            com.openexchange.calendar.allowOrganizerPartStatChanges: "true"
+          propertiesFiles:
+            /opt/open-xchange/etc/masterpassword-authentication.properties:
+              com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+        services:
+          - type: ClusterIP
+            ports:
+              - port: 80
+                targetPort: http
+                protocol: TCP
+                name: http
+      {{- end }}
     scaling:
       nodes:
+        {{- if .Values.functional.migration.oxAppSuite.enabled }}
+        migration:
+          replicas: 1
+          roles:
+            - "migration"
+        {{- end }}
+        {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
         groupware:
           replicas: {{ .Values.replicas.openxchangeCoreMW }}
           roles:
@@ -254,7 +280,16 @@ appsuite:
           replicas: 1
           roles:
             - "admin"
-    {{- end }}
+        {{- else }}
+        groupware:
+          replicas: {{ .Values.replicas.openxchangeCoreMW }}
+          roles:
+            - "http-api"
+            - "sync"
+            - "businessmobility"
+            - "request-analyzer"
+            - "admin"
+        {{- end }}
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
     hzGroupName: "hzgroup"
@@ -319,13 +354,8 @@ appsuite:
           chown open-xchange:open-xchange /opt/open-xchange/guard-files
     packages:
       status:
-        {{- if .Values.functional.migration.oxAppSuite.enabled }}
-        open-xchange-oidc: "disabled"
-        open-xchange-authentication-masterpassword: "enabled"
-        {{- else }}
         open-xchange-oidc: "enabled"
         open-xchange-authentication-masterpassword: "disabled"
-        {{- end }}
         open-xchange-authentication-oauth: "disabled"
         open-xchange-authentication-database: "disabled"
         open-xchange-authentication-ldap: "disabled"
@@ -502,10 +532,6 @@ appsuite:
       com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppSuite.shareCryptKey | quote }}
       com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppSuite.synapseAsToken | quote }}
     propertiesFiles:
-      {{- if .Values.functional.migration.oxAppSuite.enabled }}
-      /opt/open-xchange/etc/masterpassword-authentication.properties:
-        com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
-      {{- end }}
       /opt/open-xchange/etc/AdminDaemon.properties:
         MASTER_ACCOUNT_OVERRIDE: "true"
       /opt/open-xchange/etc/AdminUser.properties: