diff --git a/docs/getting-started.md b/docs/getting-started.md index 34e5ad8c..61045f54 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -381,6 +381,18 @@ To prevent others from using your openDesk instance, you must set your individua export MASTER_PASSWORD="your_individual_master_password" ``` +> **Note**
+> Currently a [documented](https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/configuration/nats.html#configure-the-secrets) upstream [bug](https://forge.univention.org/bugzilla/show_bug.cgi?id=58357) causes a failure when passwords/secrets beginning with certain numbers are using for the Nubus subcomponent NATS. +> With openDesk 1.6.0 an update-aware workaround was implemented that prefixes the affected secrets in the openDesk included `secrets.yaml.gotmpl` that derives all secrets from the previously mentioned `MASTER_PASSWORD`. +> When you are using externally provided passwords/secrets you best ensure that non of the ones listed below are starting with a number: +> +> - `secrets.nubus.provisioning.api.natsPassword` +> - `secrets.nubus.provisioning.dispatcherNatsPassword` +> - `secrets.nubus.provisioning.prefillNatsPassword` +> - `secrets.nubus.provisioning.udmListenerNatsPassword` +> - `secrets.nubus.provisioning.udmTransformerNatsPassword` +> - `secrets.nats.natsAdminPassword` + ## Install After setting your environment-specific values in `dev` environment, you can start deployment by: diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl index 04365e12..a71ef7d4 100644 --- a/helmfile/environments/default/secrets.yaml.gotmpl +++ b/helmfile/environments/default/secrets.yaml.gotmpl @@ -46,17 +46,18 @@ secrets: provisioning: api: adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }} - natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }} + # prefix `nats` passwords with `n` because of an upstream bug, for further information see https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/docs/getting-started.md?ref_type=heads#password-seed + natsPassword: {{ printf "n%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum) | quote }} prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }} udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }} - dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }} - prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }} - udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmListener" "nats" | sha1sum | quote }} - udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }} + dispatcherNatsPassword: {{ printf "n%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum) | quote }} + prefillNatsPassword: {{ printf "n%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum) | quote }} + udmListenerNatsPassword: {{ printf "n%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmListener" "nats" | sha1sum) | quote }} + udmTransformerNatsPassword: {{ printf "n%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum) | quote }} guardian: udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }} nats: - natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }} + natsAdminPassword: {{ printf "n%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum) | quote }} postgresql: postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }} keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}