feat(notes): Add templating for Notes in oD

Signed-off-by: Axel Lender <lender@b1-systems.de>
2025-12-06 07:21:36 +01:00 · 2025-08-21 12:28:38 +02:00
parent 602f3b659d
commit 7367d16287
3 changed files with 101 additions and 2 deletions
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -13,6 +13,7 @@ This document covers how to utilise external secrets and special requirements.
  * [Cassandra](#cassandra)
  * [Keycloak](#keycloak)
  * [MinIO](#minio)
+  * [Notes](#notes)
  * [XWiki](#xwiki)
 <!-- TOC -->

@@ -73,6 +74,20 @@ stringData:

 Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.

+## Notes
+
+There are some values that consist of more than just one secret part.
+
+```yaml
+backend:
+  configuration:
+    django:
+      superuserEmail:
+        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+    redisUrl:
+      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+```
+
 ## XWiki

 Properties listed in the file of the external secret will overwrite plain values.
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -4,12 +4,22 @@
 global:
  collaborationServerSecret:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
+      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
  yProviderApiKey:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
+      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
+  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
+  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}

 backend:
  image:
@@ -36,14 +46,23 @@ backend:
    ai:
      apiKey:
        value: {{ .Values.ai.apiKey }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.ai.apiKey.name | quote }}
+          key: {{ .Values.externalSecrets.ai.apiKey.key | quote }}
      baseUrl: {{ .Values.ai.endpoint }}
      model: {{ .Values.ai.model | quote }}
    aws:
      endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
      s3AccessKeyId:
        value: {{ .Values.objectstores.notes.username }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
+          key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
      s3SecretAccessKey:
        value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
+          key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
      storageBucketName: {{ .Values.objectstores.notes.bucket }}
    collaboration:
      apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
@@ -53,9 +72,15 @@ backend:
      name: {{ .Values.databases.notes.name | quote }}
      password:
        value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.databases.notes.password.name | quote  }}
+          key: {{ .Values.externalSecrets.databases.notes.password.key | quote }}
      port: {{ .Values.databases.notes.port | quote }}
      user:
        value: {{ .Values.databases.notes.username | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.databases.notes.user.name | quote }}
+          key: {{ .Values.externalSecrets.databases.notes.user.key | quote }}
    email:
      brandName: "openDesk"
      from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
@@ -64,14 +89,23 @@ backend:
      logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
      user:
        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
+          key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
      password:
        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
+          key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
    oidc:
      enabled: true
      rpClientId:
        value: "opendesk-notes"
      rpClientSecret:
        value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }}
+          key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }}
      opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
@@ -88,14 +122,26 @@ backend:
    django:
      secretKey:
        value: {{ .Values.secrets.notes.djangoSecretKey }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }}
+          key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }}
      createSuperuser: true
      superuserEmail:
        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }}
+          key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }}
      superuserPassword:
        value: {{ .Values.secrets.notes.superuser }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }}
+          key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }}
    frontendTheme: "openDesk"
    redisUrl:
      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+      existingSecret:
+        name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }}
+        key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }}
  extraEnvVars:
    - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
      value: "False"
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -4,6 +4,10 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 externalSecrets:
+  ai:
+    apiKey:
+      name: "a"
+      key: "aiapikey"
  cache:
    intercom:
      password:
@@ -42,6 +46,13 @@ externalSecrets:
      username:
        name: ~
        key: ~
+    notes:
+      password:
+        name: "a"
+        key: "notesDatabasePassword"
+      user:
+        name: "a"
+        key: "notesDatabaseUser"
    xwiki:
      password:
        name:  ~
@@ -74,10 +85,13 @@ externalSecrets:
      intercom:
        name: ~
        key: ~
-      xwiki:
+      nextcloudOidc:
        name: ~
        key: ~
-      nextcloudOidc:
+      notes:
+        name: "a"
+        key: "keycloaknotes"
+      xwiki:
        name: ~
        key: ~
  minio:
@@ -96,6 +110,23 @@ externalSecrets:
    metricsToken:
      name: ~
      key: ~
+  notes:
+    collaborationSecret:
+      name: "a"
+      key: "notesCollaborationSecret"
+    django:
+      secretKey:
+        name: "a"
+        key: "notesDjangoSecretKey"
+      superuserEmail:
+        name: "a"
+        key: "notessuperuserEmail"
+      superuserPassword:
+        name: "a"
+        key: "notessuperuserPassword"
+    redisUrl:
+      name: "a"
+      key: "notesredisurl"
  nubus:
    ics:
      session:
@@ -125,6 +156,13 @@ externalSecrets:
      secretKey:
        name: ~
        key: ~
+    notes:
+      s3AccessKeyId:
+        name: "a"
+        key: "objectstoresNotesS3AccessKeyId"
+      s3SecretAccessKey:
+        name: "a"
+        key: "objectstoresNotesS3SecretAccessKey"
    nubus:
      accessKey:
        name: ~