From 70744d04c66f32d65dc968c8570ed7a397f4efcc Mon Sep 17 00:00:00 2001
From: Dominik Kaminski
Date: Wed, 4 Oct 2023 13:49:41 +0200
Subject: [PATCH] fix(helmfile): Use signed bitnami charts from openDesk Mirror Builds
---
 README.md | 2 +-
 helmfile/apps/keycloak/helmfile.yaml | 10 +++++-----
 helmfile/apps/services/helmfile.yaml | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 66317e61..06f3a4fc 100644
--- a/README.md
+++ b/README.md
@@ -383,7 +383,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | Repository | OCI | Verifiable |
 |--------------------------------------|:---:|:------------------:|
-| bitnami-repo | yes | :x: |
+| bitnami-repo (oD Build) | yes | :white_check_mark: |
 | clamav-repo | yes | :white_check_mark: |
 | collabora-online-repo | no | :x: |
 | intercom-service-repo | yes | :white_check_mark: |
diff --git a/helmfile/apps/keycloak/helmfile.yaml b/helmfile/apps/keycloak/helmfile.yaml
index a8712433..bae37610 100644
--- a/helmfile/apps/keycloak/helmfile.yaml
+++ b/helmfile/apps/keycloak/helmfile.yaml
@@ -7,10 +7,10 @@ repositories:
 - name: "bitnami-repo"
 oci: true
 url: >-
- {{ env "PRIVATE_CHART_REPOSITORY_URL" |
- default "registry-1.docker.io/bitnamicharts" }}
- # Bitnami charts are not signed, see https://github.com/bitnami/charts/issues/14491
- verify: false
+ {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+ default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+ verify: true
+ keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 # openDesk Keycloak Theme
 # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
 - name: "keycloak-theme-repo"
@@ -35,7 +35,7 @@ releases:
 condition: "keycloak.enabled"
 - name: "keycloak"
 chart: "bitnami-repo/keycloak"
- version: "12.2.0"
+ version: "12.1.5"
 values:
 - "values-keycloak.gotmpl"
 - "values-keycloak.yaml"
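Review bot: In the `@@ -7,10 +7,10 @@` hunk of helmfile/apps/keycloak/helmfile.yaml the override variable for the chart source changes from `PRIVATE_CHART_REPOSITORY_URL` to `PRIVATE_IMAGE_REGISTRY_URL`, which the commit message does not mention. A deployment that sets only the old variable would now resolve the Keycloak chart from the new default, and one that sets `PRIVATE_IMAGE_REGISTRY_URL` for container images would have that value used as the chart repository; with `verify: true` a source without provenance for the pinned key should fail rather than install, but the reason will not be obvious to the operator. If the rename is intentional (services/helmfile.yaml already reads this variable), say so in the README; otherwise keep `{{ env "PRIVATE_CHART_REPOSITORY_URL" |`. The later hunk in this file also moves keycloak from 12.2.0 back to 12.1.5, presumably because that is the newest signed mirror build; a comment such as `# pinned to newest signed mirror build` would keep the downgrade of the identity provider chart from looking accidental.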
diff --git a/helmfile/apps/services/helmfile.yaml b/helmfile/apps/services/helmfile.yaml
index 56612e89..9554e709 100644
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -64,9 +64,9 @@ repositories:
 oci: true
 url: >-
 {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
- default "registry-1.docker.io/bitnamicharts" }}
- # Bitnami charts are not signed, see https://github.com/bitnami/charts/issues/14491
- verify: false
+ default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+ verify: true
+ keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 releases:
 - name: "opendesk-certificates"
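Review bot: The added `verify: true` and `keyring:` lines replace a comment that explained the old setting and leave the new trust decision undocumented. Verification against souvap-univention-de.gpg shows that the chart was signed by the holder of that key, presumably the openDesk mirror build named in the README row, not that it matches the upstream Bitnami release. A private mirror set through `PRIVATE_IMAGE_REGISTRY_URL` that still carries the unsigned upstream charts would fail verification after this change, so I would add above `verify: true` something like `# Signed by the openDesk mirror build; a private mirror must carry the same provenance`. The keycloak repository entry has the same gap.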