fix(univention-management-stack): Use global secrets to populate ldap related secrets

2025-12-06 15:31:38 +01:00 · 2023-09-04 14:58:03 +02:00
parent a4bab4068d
commit 9409ad829a
6 changed files with 7 additions and 8 deletions
--- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
@@ -15,8 +15,8 @@ portalListener:
  ldapBaseDn: "dc=univention-organization,dc=intranet"
  ldapHost: "ums-ldap-server"
  ldapHostDn: "cn=admin,dc=univention-organization,dc=intranet"
-  ldapSecret: "univention"
-  machineSecret: "univention"
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  notifierServer: "ums-ldap-notifier"
  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=univention-organization,dc=intranet"
  udmApiUrl: "http://ums-udm-rest-api/udm/"
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
@@ -4,7 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiPassword: "univention"
+  udmApiUsername: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  udmApiUrl: "http://ums-udm-rest-api/udm/"
  loadDevData: true

--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
@@ -4,7 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataUms:
-  udmApiPassword: "univention"
+  udmApiUser: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  udmApiUrl: "http://ums-udm-rest-api/udm/"
  loadDevData: true

--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
@@ -17,7 +17,6 @@ udmRestApi:
  ldapHostDn: "cn=admin,dc=univention-organization,dc=intranet"
  # TODO: Secret should be entered without b64enc
  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: There is on machine secret on the container
  # TODO: Secret should be entered without b64enc
  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
  # TODO: why do we need this many subprocesses?
--- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
@@ -23,7 +23,6 @@ umcServer:

  # TODO: Secret should be entered without b64enc
  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: There is on machine secret on the container
  # TODO: Secret should be entered without b64enc
  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"

--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -24,8 +24,7 @@ secrets:
      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
  univentionManagementStack:
-    # TODO: Use "derivePassword"
-    ldapSecret: "univention"
+    ldapSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum) }}
    defaultAccounts:
      administratorPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum) }}
    storeDavUsers: