feat(nubus): Template external secrets for keycloak-bootstrap

Signed-off-by: Axel Lender <lender@b1-systems.de>

docs/external-secrets.md

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 
 <h1>External Secrets</h1>
 
-This document covers how to utilise external secrets and special requirements.
+This document covers how to utilise external secrets and special requirements. The examples documented here are mostly showing the format with the openDesk default values.
 
 <!-- TOC -->
 * [General](#general)
@@ -49,7 +49,9 @@ This has to be adapted into a secret that also holds a `cql` script and is named
 
 ## Keycloak
 
-The Keycloak bootstrap chart expects a special format for the admin credentials. The following example shows the format with the openDesk default values:
+Several external secrets utilised by the Keycloak bootstrap chart are expected in a special format and/or key.
+
+### Admin credentials
 
 ```yaml
 stringData:
@@ -58,6 +60,8 @@ stringData:
     password: "{{ .Values.secrets.keycloak.adminPassword }}"
 ```
 
+### ox-connector
+
 The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON file. The value `.Values.secrets.oxConnector.provisioningApiPassword` is taken from the default openDesk install without external secrets and has to be replaced by some secret value. The following format is expected:
 
 ```yaml
@@ -65,7 +69,56 @@ The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON
       ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
 ```
 
-The secret `nubus.ldapSearch.keycloak` has to contain `password` as key.
+### LDAP Search
+
+The secret `nubus.ldapSearch.keycloak` has the requirement to use `password` as key.
+
+### SSOFederation and Clients
+
+Values taken from those external secrets will supersede secret values that are already present for the `client` in the configuration or add them accordingly. Further the secrets for the clients have to provide a `yaml` file in a special format. The expected format for each configuration can be ssen in the as referenced in the table below:
+
+|Section                                              |Format       |Key          |
+|-----------------------------------------------------|-------------|-------------|
+|`functional.authentication.clients`                  |1.           |name.yaml  |
+|`functional.authentication.ssoFederation.idpDetails` |2.           |name.yaml  |
+|`keycloak.clients`                                   |1.           |name.yaml  |
+
+
+1. It is expected that the `name`, like it is set in the `clients` list:
+ 
+    ```yaml
+    opendesk-intercom:
+      clientId: "opendesk-intercom"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.intercom }}"
+    opendesk-notes:
+      clientId: "opendesk-notes"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.notes }}"
+    opendesk-dovecot:
+      clientId: "opendesk-dovecot"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.dovecot }}"
+    opendesk-oxappsuite:
+      clientId: "opendesk-oxappsuite"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.as8oidc }}"
+    opendesk-matrix:
+      clientId: "opendesk-matrix"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.matrix }}"
+    opendesk-nextcloud:
+      clientId: "opendesk-nextcloud"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.ncoidc }}"
+    opendesk-openproject:
+      clientId: "opendesk-openproject"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.openproject }}"
+    opendesk-xwiki:
+      clientId: "opendesk-xwiki"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.xwiki }}"
+    ```
+
+2. Since the configuration for `ssoFederation` is no list the key is ommited here:
+
+    ```yaml
+    clientId: "yourSecretValueHere"
+    secret: "yourSecretValueHere"
+    ```
 
 ## MinIO