fix(nextcloud): Add secret for BasicAuth on /status.php

docs/migrations.md

@@ -10,8 +10,11 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [Versions ≥ v1.10.0](#versions--v1100)
+  * [Versions ≥ v1.11.0](#versions--v1110)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
+      * [Helmfile new secret: `secrets.nextcloud.statusPassword`](#helmfile-new-secret-secretsnextcloudstatuspassword)
+  * [Versions ≥ v1.10.0](#versions--v1100)
+    * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100-1)
       * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix)
       * [Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword`](#helmfile-new-secret-secretsdoveocotsharedmailboxesmasterpassword)
       * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
@@ -181,6 +184,24 @@ If you would like more details about the automated migrations, please read secti
 > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from
 > version 1.7.0 to version 1.7.1.
 
+## Versions ≥ v1.11.0
+
+### Pre-upgrade to versions ≥ v1.10.0
+
+#### Helmfile new secret: `secrets.nextcloud.statusPassword`
+
+**Target group:** All existing deployments that use self-defined secrets and have deployed Nextcloud.
+
+Access to Nextcloud's `/status.php` requires now BasicAuth. The related password is set in
+[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key
+`secrets.nextcloud.statusPassword`.
+
+If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will
+be derived from the `MASTER_PASSWORD`.
+
+> [!note]
+> The username for the BasicAuth is hardcoded to "status-access"
+
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -118,6 +118,10 @@ aio:
           value: {{ .Values.databases.nextcloud.password | quote }}
           {{- end }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
+
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -34,6 +34,9 @@ config:
         value: "nextcloud"
       password:
         value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/environments/default/secrets.yaml.gotmpl

@@ -101,6 +101,7 @@ secrets:
   nextcloud:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
     metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
+    statusPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_status_user" | sha1sum | quote }}
   openproject:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
     apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}