fix(helmfile): Add S3 bucket for migrations.

docs/debugging.md

@@ -52,7 +52,7 @@ Below you will find some wrap-up notes when it comes to debugging openDesk by ad
 
 You can add a container by editing and updating an existing deployment, which is quite comfortable with tools like [Lens](https://k8slens.dev/).
 
-- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest`.
 - Ensure the `shareProcessNamespace` option is enabled for the Pod.
 - Reference the selected container within the `containers` array of the deployment.
 - In case you want to access another containers filesystem, ensure the user/group settings of both containers match.

docs/migrations.md

@@ -0,0 +1,23 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Migrations</h1>
+
+* [Disclaimer](#disclaimer)
+* [From v0.8.1](#from-v081)
+  * [`migrations` S3 bucket](#migrations-s3-bucket)
+
+# Disclaimer
+
+We do not offer support for upgrades before we reach openDesk 1.0.
+
+Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.
+
+# From v0.8.1
+
+## `migrations` S3 bucket
+
+- Commit: [1e834fee](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/commit/1e834fee9db6bdb948f31c994d5ab309e6f86947)
+- Action: Please ensure you add a bucket `migrations` to your S3.

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -89,16 +89,43 @@ provisioning:
   extraCommands:
     - "mc anonymous set download provisioning/ums/portal-assets"
   buckets:
+    - name: {{ .Values.objectstores.migrations.bucket | quote }}
+      versioning: false
+      withLock: false
+    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
+      versioning: true
+      withLock: false
     - name: {{ .Values.objectstores.openproject.bucket | quote }}
       versioning: true
       withLock: false
     - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
       versioning: false
       withLock: false
-    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
-      versioning: true
-      withLock: false
   policies:
+    - name: "migrations-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::migrations"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::migrations/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "nextcloud-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::nextcloud"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::nextcloud/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
     - name: "openproject-bucket-policy"
       statements:
         - resources:
@@ -123,19 +150,19 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
-    - name: "nextcloud-bucket-policy"
-      statements:
-        - resources:
-            - "arn:aws:s3:::nextcloud"
-          effect: "Allow"
-          actions:
-            - "s3:*"
-        - resources:
-            - "arn:aws:s3:::nextcloud/*"
-          effect: "Allow"
-          actions:
-            - "s3:*"
   users:
+    - username: {{ .Values.objectstores.migrations.username | quote }}
+      password: {{ .Values.secrets.minio.migrationsUser | quote }}
+      disabled: false
+      policies:
+        - "migrations-bucket-policy"
+      setPolicies: true
+    - username: {{ .Values.objectstores.nextcloud.username | quote }}
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
     - username: {{ .Values.objectstores.openproject.username | quote }}
       password: {{ .Values.secrets.minio.openprojectUser | quote }}
       disabled: false
@@ -148,12 +175,6 @@ provisioning:
       policies:
         - "ums-bucket-policy"
       setPolicies: true
-    - username: {{ .Values.objectstores.nextcloud.username | quote }}
-      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
-      disabled: false
-      policies:
-        - "nextcloud-bucket-policy"
-      setPolicies: true
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 

helmfile/environments/default/objectstore.gotmpl

@@ -4,6 +4,16 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
+  migrations:
+    bucket: "migrations"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "migration_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
   nextcloud:
     bucket: "nextcloud"
     endpoint: ""

helmfile/environments/default/secrets.gotmpl

@@ -68,10 +68,10 @@ secrets:
     nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
   minio:
     rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
-    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+    migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
-    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
-    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
     nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
+    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
   keycloak:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
     clientSecret: