From 9409ad829a725c84ebc3de5d1c4d42fe735e9d0c Mon Sep 17 00:00:00 2001
From: Johannes Bornhold
Date: Mon, 4 Sep 2023 14:58:03 +0200
Subject: [PATCH] fix(univention-management-stack): Use global secrets to populate ldap related secrets

---
 .../univention-management-stack/values-portal-listener.gotmpl | 4 ++--
 .../univention-management-stack/values-stack-data-swp.gotmpl | 3 ++-
 .../univention-management-stack/values-stack-data-ums.gotmpl | 3 ++-
 .../univention-management-stack/values-udm-rest-api.gotmpl | 1 -
 .../apps/univention-management-stack/values-umc-server.gotmpl | 1 -
 helmfile/environments/default/secrets.gotmpl | 3 +--
 6 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
index 244f7292..fb997119 100644
--- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
@@ -15,8 +15,8 @@ portalListener:
   ldapBaseDn: "dc=univention-organization,dc=intranet"
   ldapHost: "ums-ldap-server"
   ldapHostDn: "cn=admin,dc=univention-organization,dc=intranet"
-  ldapSecret: "univention"
-  machineSecret: "univention"
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
   notifierServer: "ums-ldap-notifier"
   portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=univention-organization,dc=intranet"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
index 4a9c2649..4d168e65 100644
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
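Review bot: `machineSecret` is now populated from the same `ldapSecret` value as the admin bind password, so the machine account credential and the `cn=admin` credential of the portal listener are identical, and the TODO that recorded the missing machine secret is deleted in the values-udm-rest-api and values-umc-server hunks without that reuse changing. If the chart's machineSecret is meant to be a distinct, lower-privileged credential, a separately derived value (a `machineSecret` key next to `ldapSecret` in secrets.gotmpl) would keep the admin password out of the listener's configuration. Until then the intent should survive in a comment above the key: `# TODO: machineSecret reuses the LDAP admin secret; derive a dedicated machine secret`. Whether these values end up in a Secret or a ConfigMap depends on the chart, which is not visible here.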
@@ -4,7 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiPassword: "univention"
+  udmApiUsername: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
index accfc18e..7bdf2035 100644
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
@@ -4,7 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataUms:
-  udmApiPassword: "univention"
+  udmApiUser: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
index bd792d14..53ddb893 100644
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
@@ -17,7 +17,6 @@ udmRestApi:
   ldapHostDn: "cn=admin,dc=univention-organization,dc=intranet"
   # TODO: Secret should be entered without b64enc
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: There is on machine secret on the container
   # TODO: Secret should be entered without b64enc
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
   # TODO: why do we need this many subprocesses?
diff --git a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
index 23470611..c6c5554d 100644
--- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
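Review bot: The new username key is spelled `udmApiUsername` here but `udmApiUser` in the values-stack-data-ums hunk, for what looks like the same setting with the same value. If the two charts genuinely expose different key names this is fine, but if either chart ignores an unknown key it will silently keep its default user while the password is the newly derived one, and the mismatch will only surface as an authentication failure at deploy time; confirm both names against each chart's values.yaml. The value `"cn=admin"` is also a bare RDN whereas the other files bind with the full `ldapHostDn`, which deserves a one-line comment stating which form the UDM REST API expects, e.g. `# UDM REST API expects the bind user as a bare RDN — TODO confirm against the chart`.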
+++ b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
@@ -23,7 +23,6 @@ umcServer:
   # TODO: Secret should be entered without b64enc
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: There is on machine secret on the container
   # TODO: Secret should be entered without b64enc
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
diff --git a/helmfile/environments/default/secrets.gotmpl b/helmfile/environments/default/secrets.gotmpl
index 49fe78de..a2a56c0e 100644
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -24,8 +24,7 @@ secrets:
     openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
     xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
   univentionManagementStack:
-    # TODO: Use "derivePassword"
-    ldapSecret: "univention"
+    ldapSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum) }}
   defaultAccounts:
     administratorPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum) }}
   storeDavUsers:
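Review bot: With `env "MASTER_PASSWORD" | default "sovereign-workplace"` the new `ldapSecret` degrades to a deterministic value computable from the repository contents whenever `MASTER_PASSWORD` is unset, which is equivalent to the hardcoded `"univention"` it replaces, only less obviously so. This follows the pattern of the other entries in the file, but for the `cn=admin` password it merits an explicit decision: either `requiredEnv "MASTER_PASSWORD"` for environments that are not development, or a comment above the key such as `# NOTE: falls back to a public default when MASTER_PASSWORD is unset; development only`. The rendered value is also left unquoted; `ldapSecret: "{{ ... }}"` would keep a hex digest that happens to look numeric from being retyped by the YAML parser, a point the neighbouring lines share.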