diff --git a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
index cf6619e0..c1d90326 100644
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -26,6 +26,9 @@ dovecot:
       username: {{ .Values.databases.dovecotDictmap.username | quote }}
       password:
         value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.cassandra.dovecotDictmapUser.name | quote }}
+          key: {{ .Values.externalSecrets.cassandra.dovecotDictmapUser.key | quote }}
       keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
     sharedMailboxes:
       enabled: false
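Review bot: The hunk renders `value:` and `existingSecret:` side by side, so the password derived from `.Values.secrets.cassandra.dovecotDictmapUser` is still emitted into the rendered values even when an operator points `existingSecret.name` at a pre-provisioned Secret, and which of the two the chart honours is not visible from this diff. Making the choice explicit in the template keeps the derived credential out of the rendered values (and out of whatever the chart writes to the cluster) whenever an external Secret is configured, instead of relying on the chart's precedence rule. The same pattern applies to every `password:` block this commit touches, so a shared decision here is worth settling once.

```yaml
      password:
        {{- if .Values.externalSecrets.cassandra.dovecotDictmapUser.name }}
        existingSecret:
          name: {{ .Values.externalSecrets.cassandra.dovecotDictmapUser.name | quote }}
          key: {{ .Values.externalSecrets.cassandra.dovecotDictmapUser.key | quote }}
        {{- else }}
        value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
        {{- end }}
# … unchanged: keyspace, sharedMailboxes …
```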
@@ -34,16 +37,28 @@ dovecot:
       username: {{ .Values.databases.dovecotACL.username | quote }}
       password:
         value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.cassandra.dovecotACLUser.name | quote }}
+          key: {{ .Values.externalSecrets.cassandra.dovecotACLUser.key | quote }}
       keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
     bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
     encryption:
       privateKey:
         value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
+          key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
       publicKey:
         value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
+          key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
     fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     username: {{ .Values.objectstores.dovecot.username | quote }}
     password:
       value: {{ .Values.secrets.minio.dovecotUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.minio.dovecotUser.name | quote }}
+        key: {{ .Values.externalSecrets.minio.dovecotUser.key | quote }}
 ...
diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
index 027a8554..b9b964b3 100644
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
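Review bot: The new `existingSecret.name`/`key` references are emitted unconditionally, and the environment defaults added in this commit are `~`; Sprig's `quote` drops a nil argument, so the rendered YAML carries `name:` with no value (null). The chart on the receiving side therefore has to treat a null or empty `existingSecret.name` as "not configured" rather than resolve a Secret named `""` — worth confirming against the chart, or guarding the block with `{{- if .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.name }}` so nothing is rendered when no name is set. Independently of that, `privateKey.value` still reads `env "DOVECOT_CRYPT_PRIVATE_KEY"` on every render, so the private key material lands in the rendered values even when an external Secret is the intended source; the same conditional would keep it out.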
@@ -27,10 +27,16 @@ dovecot:
     defaultMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
     password:
       value: {{ .Values.secrets.dovecot.doveadm | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.dovecot.doveadm.name | quote }}
+        key: {{ .Values.externalSecrets.dovecot.doveadm.key | quote }}
   migration:
     enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
     masterPassword:
       value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
+        key: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
   ldap:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
@@ -39,12 +45,18 @@ dovecot:
     dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
     password:
       value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.name | quote }}
+        key: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.key | quote }}
   oidc:
     enabled: true
     clientID:
       value: "opendesk-dovecot"
     clientSecret:
       value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.name | quote }}
+        key: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.key | quote }}
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
index 283ceb41..2394f480 100644
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
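Review bot: The OIDC `clientSecret.existingSecret` lets Dovecot take its Keycloak client secret from a pre-existing Secret, but the Keycloak-side registration of client `opendesk-dovecot` is not part of this diff; if that registration is still fed from `.Values.secrets.keycloak.clientSecret.dovecot`, the two sides diverge as soon as an external Secret is configured and introspection against `introspectionHost` would presumably start failing with client-authentication errors. The same two-sources-of-truth concern applies to the bind password of `uid=ldapsearch_dovecot`, which is provisioned on the Nubus/LDAP side rather than here. A short comment above `oidc:`, e.g. `# existingSecret must hold the same value registered for client opendesk-dovecot in Keycloak`, would make the coupling visible to the next operator.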
@@ -88,8 +88,14 @@ postfix:
     enabled: true
     username:
       value: "opendesk-system"
+      existingSecret:
+        name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
+        key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
     password:
       value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
+        key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
 {{- if .Values.antivirus.milter.host }}
     smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
 
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
new file mode 100644
index 00000000..d86cd89d
--- /dev/null
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+externalSecrets:
+  cassandra:
+    dovecotACLUser:
+      name: ~
+      key: ~
+    dovecotDictmapUser:
+      name: ~
+      key: ~
+
+  dovecot:
+    doveadm:
+      name: ~
+      key: ~
+    objectStorage:
+      encryption:
+        privateKey:
+          name: ~
+          key: ~
+        publicKey:
+          name: ~
+          key: ~
+
+  keycloak:
+    clientSecret:
+      dovecot:
+        name: ~
+        key: ~
+
+  minio:
+    dovecotUser:
+      name: ~
+      key: ~
+
+  nubus:
+    ldapSearch:
+      dovecot:
+        name: ~
+        key: ~
+
+  oxAppSuite:
+    migrationsMasterPassword:
+      name: ~
+      key: ~
+
+  postfix:
+    opendeskSystemUsername:
+      name: ~
+      key: ~
+    opendeskSystemPassword:
+      name: ~
+      key: ~
+...
diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl
index 04365e12..417d5f2a 100644
--- a/helmfile/environments/default/secrets.yaml.gotmpl
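Review bot: The header comment of the new file, `# The variables set in this file are required to upgrade components to their "Enterprise" product variant.`, does not describe its contents — the keys are external-Secret references that the non-enterprise Dovecot and Postfix values files in this same diff consume — and reads as copied from another environment file. Suggest replacing it with something like `# Optional references to pre-existing Kubernetes Secrets (name + key). When set, they are meant to replace the value derived from MASTER_PASSWORD in secrets.yaml.gotmpl; leave null to keep the derived value.`, so an operator knows what populating these does and which file they displace. Consider spelling the placeholders as `null` rather than `~`; both parse the same, but `null` is the explicit form and what yamllint's defaults favour.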
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -7,8 +7,8 @@ SPDX-License-Identifier: Apache-2.0
 secrets:
   cassandra:
     rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
-    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
     dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
+    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
   oxAppSuite:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
     basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
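Review bot: The re-added `dovecotDictmapUser` line keeps the `default "sovereign-workplace"` fallback, so when `MASTER_PASSWORD` is unset the Cassandra dictmap password is a deterministic SHA-1 over inputs visible in this repository and anyone can recompute it; that is pre-existing for the sibling lines, but this is the line the commit rewrites, and the new `externalSecrets` mechanism now offers a proper alternative. Consider failing the render instead of silently falling back, e.g. `(requiredEnv "MASTER_PASSWORD")` if helmfile's template functions are available in this environment file, or at minimum a header comment stating that the default is for local development only. The hunk is otherwise a pure reorder of an existing line and changes no values.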