fix(docs): Add GitOps / Argo CD documentation

2025-12-06 15:31:38 +01:00 · 2024-10-16 08:17:26 +02:00
parent 2ae3dc623b
commit 9cd8c2e8db
7 changed files with 84 additions and 25 deletions
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -201,3 +201,6 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 ```

 2. Restart the Keycloak Pod(s).
+
+> **Note**<br>
+> As the `ums-keycloak-extensions-handler` is performing frequent (one per second) requests to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.
--- a/docs/enhanced-configuration.md
+++ b/docs/enhanced-configuration.md
@@ -13,4 +13,5 @@ The following enhanced configuration use cases are described in separate documen
 - [Federation with external identity provider](./enhanced-configuration/idp-federation.md)
 - [Matrix federation](./enhanced-configuration/matrix-federation.md)
 - [Groupware migration from M365 to openDesk](./enhanced-configuration/groupware-migration.md)
- [Self-signed certificate and custom Certificate Authority (CA)](enhanced-configuration/self-signed-certificates.md)
+- [Self-signed certificate and custom Certificate Authority (CA)](./enhanced-configuration/self-signed-certificates.md)
+- [GitOps deployments using Argo CD](./enhanced-configuration/gitops.md)
--- a/docs/enhanced-configuration/gitops.md
+++ b/docs/enhanced-configuration/gitops.md
@@ -0,0 +1,55 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>GitOps Deployment</h1>
+
+<!-- TOC -->
+* [Considerations](#considerations)
+* [ArgoCD](#argocd)
+  * [Option 1: Use YAML manifests](#option-1-use-yaml-manifests)
+  * [Option 2: Helmfile plugin](#option-2-helmfile-plugin)
+<!-- TOC -->
+
+The recommended deployment method for openDesk is via Helmfile. This can be done "by hand", via CI/CD (Gitlab) or using
+the [GitOps](https://about.gitlab.com/topics/gitops/) approach with tools like [Argo CD](https://argoproj.github.io/cd/).
+
+This documentation will use Argo CD to explain how to deploy openDesk GitOps-style.
+
+# Considerations
+
+- openDesk consists of multiple applications which have to be deployed in order.
+- During upgrades, migrations have to run before and after applications.
+
+# ArgoCD
+
+We are continuously improving our Argo CD support, please share you experience with Argo CD deployments e.g. by [creating
+at ticket](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues).
+
+There are two options to deploy openDesk via Argo CD described in the following sections.
+
+## Option 1: Use YAML manifests
+
+This option requires a preprocessing step before using Argo CD. This step requires you to compile the Helmfile based
+deployment into Kubernetes YAML manifest, to do so you need to execute the helmfile binary:
+
+```shell
+helmfile template > opendesk.yaml
+```
+
+References:
+- [Helmfile CLI documentation](https://helmfile.readthedocs.io/en/latest/#cli-reference)
+- [Generate K8s YAML Manifests for openDesk](https://gitlab.opencode.de/bmi/opendesk/deployment/options/generate-k8s-yaml-manifests)
+
+Afterwards, you can use the resulting manifests within an standard Argo CD workflow.
+
+## Option 2: Helmfile plugin
+
+It is possible to deploy openDesk via Argo CD with community developed
+[Helmfile plugin](https://github.com/travisghansen/argo-cd-helmfile).
+
+You can find an example for this approach in the
+[Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository.
+It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`)
+according to `app of apps pattern` and is using sync waves to follow dependencies.
--- a/docs/enhanced-configuration/idp-federation.md
+++ b/docs/enhanced-configuration/idp-federation.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0

 <!-- TOC -->
 * [Context](#context)
+* [References](#references)
 * [Prerequisites](#prerequisites)
  * [User accounts](#user-accounts)
  * [External IdP with OIDC](#external-idp-with-oidc)
@@ -24,6 +25,15 @@ Most organizations already have an Identity and Access Management (IAM) system w

 This document shows how to configure your organization's IdP and the openDesk IdP to support account federation with openDesk single sign-on based on your organization's login.

+# References
+
+We would like to list successful IdP federation scenarios, so we are also happy about input from the community:
+
+| External IdP                                                        | last openDesk version tested |
+| ------------------------------------------------------------------- | ---------------------------- |
+| [EU Login](https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi) | v0.9.0                       |
+| [ProConnect](https://www.proconnect.gouv.fr/)                       | v0.9.0                       |
+
 # Prerequisites

 ## User accounts
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -240,17 +240,7 @@ cluster:
 ```

 ### Volumes
-
-When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from the distribution or scaling of apps. By
-default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
-
-```yaml
-cluster:
-  persistence:
-    readWriteMany: true
-```
-
-The **StorageClass** can be set by:
+The **StorageClass** must be set by:

 ```yaml
 persistence:
@@ -259,6 +249,18 @@ persistence:
    RWO: "my-read-write-once-class"
 ```

+`RWX` is optional and requires that your cluster has a `ReadWriteMany` volume provisioner. If you can make use
+of it it benefits the distribution or scaling of apps. By default, only `ReadWriteOnce` is enabled.
+To enable `ReadWriteMany` you have to set:
+
+```yaml
+cluster:
+  persistence:
+    readWriteMany: true
+```
+
+
+
 ## Connectivity

 ### Ports
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -41,7 +41,7 @@ environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
  OPENPROJECT_APP__TITLE: "Projects | {{ .Values.theme.texts.productName }}"
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
@@ -85,9 +85,6 @@ environment:
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
-  {{- if .Values.enterprise.openproject.token }}
-  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
-  {{- end }}
  {{- if .Values.certificate.selfSigned }}
  SSL_CERT_FILE: "/etc/ssl/certs/ca-certificates.crt"
  {{- end }}
--- a/helmfile/environments/default/enterprise.yaml
+++ b/helmfile/environments/default/enterprise.yaml
@@ -1,9 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
-# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
---
-enterprise:
-  openproject:
-    # Enterprise token must match the deployment's OpenProject host name.
-    token: ""
-...