feat(helmfile): Allow custom/self-signed ca-certificates

cspell.json

@@ -74,7 +74,9 @@
         "filestore",
         "trashbin",
         "bootstrap",
-        "configurability"
+        "configurability",
+        "selfsigned",
+        "truststore"
     ],
     "ignoreWords": [],
     "import": []

docs/enhanced-configuration.md

@@ -13,3 +13,4 @@ The following enhanced configuration use cases are described in separate documen
 - [Federation with external identity provider](./enhanced-configuration/idp-federation.md)
 - [Matrix federation](./enhanced-configuration/matrix-federation.md)
 - [Groupware migration from M365 to openDesk](./enhanced-configuration/groupware-migration.md)
+- [Self-signed certificate and custom Certificate Authority (CA)](enhanced-configuration/self-signed-certificates.md)

docs/enhanced-configuration/self-signed-certificates.md

@@ -0,0 +1,74 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Self-signed certificate and custom Certificate Authority (CA)</h1>
+
+<!-- TOC -->
+* [Use case](#use-case)
+* [Configuration](#configuration)
+  * [Option 1: Bring Your Own Certificate](#option-1-bring-your-own-certificate)
+  * [Option 2: Use cert-manager.io](#option-2-use-cert-managerio)
+<!-- TOC -->
+
+# Use case
+
+Deploying openDesk into an environment with custom public key infrastructure (PKI) that is usually not part of
+public certificate authority chains or deploying openDesk into a local cluster without ACME challenge.
+
+# Configuration
+
+There are two options to address the use case.
+
+## Option 1: Bring Your Own Certificate
+
+This option is useful, when you have your own PKI in your environment which is trusted by all clients that should
+access openDesk.
+
+1. Disable cert-manager.io certificate resource creation:
+
+    ```yaml
+    certificates:
+      enabled: false
+    ```
+
+1. Enable mount of self-signed certificates:
+
+    ```yaml
+    certificate:
+      selfSigned: true
+    ```
+
+1. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
+wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml)
+set as SANs (Subject Alternative Name).
+
+1. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
+CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
+
+1. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
+trust store password.
+
+## Option 2: Use cert-manager.io
+
+This option is useful, when you do not have a trusted certificate available and can't fetch a certificate from
+Let’s Encrypt.
+
+1. Create self-signed cert-manager.io Cluster Issuer:
+    ```yaml
+    apiVersion: "cert-manager.io/v1"
+    kind: "ClusterIssuer"
+    metadata:
+      name: "selfsigned-issuer"
+    spec:
+      selfSigned: {}
+    ```
+
+1. Enable mount and creation of self-signed certificates:
+    ```yaml
+    certificate:
+      issuerRef:
+        name: "selfsigned-issuer"
+      selfSigned: true
+    ```

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -47,6 +47,22 @@ extraEnvVars:
       secretKeyRef:
         name: "matrix-neodatefix-bot-account"
         key: "access_token"
+{{- if .Values.certificate.selfSigned }}
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -114,6 +114,27 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "REQUESTS_CA_BUNDLE"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+  - name: "SSL_CERT_FILE"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+  - name: "SSL_CERT_DIR"
+    value: "/etc/ssl/certs"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 federation:
   enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
   ingress:

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -28,6 +28,25 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 
+
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "DENO_CERT"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -1,4 +1,5 @@
 {{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -131,6 +132,23 @@ podSecurityContext:
 debug:
   loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
 
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "FS_IMPORT_CA_CERTIFICATES"
+    value: "true"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
   repository: {{ .Values.images.nextcloud.repository | quote }}

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -1,4 +1,5 @@
 {{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -87,6 +88,24 @@ aio:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
   debug:
     loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
+  {{- if .Values.certificate.selfSigned }}
+  extraEnvVars:
+    - name: "FS_IMPORT_CA_CERTIFICATES"
+      value: "true"
+  {{- end }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  {{- end }}
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
     repository: {{ .Values.images.nextcloud.repository | quote }}

helmfile/apps/nubus/values-intercom-service.yaml.gotmpl

@@ -20,6 +20,23 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
 
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+extraEnvVars:
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+{{- end }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -161,6 +161,35 @@ minio:
 
 # Nubus services which use customer supplied services
 keycloak:
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-crt-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+    - name: "trusted-cert-jks-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "truststore.jks"
+            path: "truststore.jks"
+  extraVolumeMounts:
+    - name: "trusted-cert-crt-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+    - name: "trusted-cert-jks-secret-volume"
+      mountPath: "/etc/ssl/certs/truststore.jks"
+      subPath: "truststore.jks"
+  extraEnvVars:
+    - name: "KC_HTTPS_TRUST_STORE_FILE"
+      value: "/etc/ssl/certs/truststore.jks"
+    - name: "KC_HTTPS_TRUST_STORE_PASSWORD"
+      value: {{ .Values.secrets.certificates.password | quote }}
+    - name: "KC_HTTPS_TRUST_STORE_TYPE"
+      value: "jks"
+  {{- end }}
   keycloak:
     auth:
       username: "kcadmin"

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -287,6 +287,38 @@ nubusPortalConsumer:
       type: "RuntimeDefault"
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  waitForDependency:
+    extraVolumeMounts:
+      - name: "trusted-cert-secret-volume"
+        readOnly: true
+        mountPath: "/etc/ssl/certs/ca-certificates.crt"
+        subPath: "ca-certificates.crt"
+      - name: "trusted-cert-secret-volume"
+        readOnly: true
+        mountPath: "/usr/local/lib/python3.7/dist-packages/certifi/cacert.pem"
+        subPath: "cacert.pem"
+    extraEnvVars:
+      - name: "REQUESTS_CA_BUNDLE"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+      - name: "DEFAULT_CA_BUNDLE_PATH"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+      - name: "SSL_CERT_FILE"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+  {{- end }}
 
 nubusUdmListener:
   containerSecurityContext:
@@ -333,6 +365,34 @@ nubusPortalServer:
   replicaCount: {{ .Values.replicas.umsPortalServer }}
   resources:
     {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-crt-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/local/lib/python3.7/dist-packages/certifi/cacert.pem"
+      subPath: "cacert.pem"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
+      subPath: "cacert.pem"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
+      subPath: "cacert.pem"
+  {{- end }}
 
 nubusLdapNotifier:
   containerSecurityContext:

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -532,4 +532,18 @@ podSecurityContext:
 resources:
   {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
 
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 ...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -72,6 +72,20 @@ containerSecurityContext:
 
 podAnnotations: {}
 
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 podSecurityContext:
   enabled: true
   fsGroup: 1000

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -287,6 +287,30 @@ appsuite:
       com.openexchange.smime.test: "true"
       # Other
       com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
+      {{- if .Values.certificate.selfSigned }}
+      # Selfsigned
+      com.openexchange.net.ssl.default.truststore.enabled: "false"
+      com.openexchange.net.ssl.custom.truststore.enabled: "true"
+      com.openexchange.net.ssl.custom.truststore.path: "/etc/ssl/certs/truststore.jks"
+      com.openexchange.net.ssl.custom.truststore.password: {{ .Values.secrets.certificates.password | quote }}
+      {{- end }}
+    {{- if .Values.certificate.selfSigned }}
+    extraEnv:
+    - name: "JAVA_OPTS_APPEND"
+      value: {{ printf "%s %s=%s" "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStoreType=jks" "-Djavax.net.ssl.trustStorePassword" (.Values.secrets.certificates.password | quote) | quote }}
+    extraVolumes:
+      - name: "trusted-cert-secret-volume"
+        secret:
+          secretName: "opendesk-certificates-ca-tls"
+          items:
+            - key: "truststore.jks"
+              path: "truststore.jks"
+            - key: "ca.crt"
+              path: "ca-certificates.crt"
+    extraMounts:
+      - name: "trusted-cert-secret-volume"
+        mountPath: "/etc/ssl/certs/"
+    {{- end }}
     secretProperties:
       com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
       com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -4,6 +4,20 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
   repository: {{ .Values.images.oxConnector.repository | quote }}

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -44,6 +44,20 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
 
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openprojectBootstrap.registry | quote }}
   repository: {{ .Values.images.openprojectBootstrap.repository | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -87,6 +87,23 @@ environment:
   {{- if .Values.enterprise.openproject.token }}
   OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
   {{- end }}
+  {{- if .Values.certificate.selfSigned }}
+  SSL_CERT_FILE: "/etc/ssl/certs/ca-certificates.crt"
+  {{- end }}
+
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
 
 image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openproject.registry | quote }}

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -56,5 +56,13 @@ issuerRef:
 cleanup:
   keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}
 
+selfSigned:
+  enabled: {{ .Values.certificate.selfSigned }}
+  keystores:
+    jks:
+      enabled: true
+      password:
+        value: {{ .Values.secrets.certificates.password | quote }}
+
 wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -201,4 +201,16 @@ startupProbe:
 statefulset:
   replicaCount: {{ .Values.replicas.minio }}
 
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "public.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/certs/CAs"
+{{- end }}
 ...

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -11,6 +11,14 @@ image:
 
 imagePullSecrets: {{ .Values.global.imagePullSecrets }}
 
+
+{{- if .Values.certificate.selfSigned }}
+javaOpts:
+  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
+  - "-Djavax.net.ssl.trustStoreType=jks"
+  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+{{- end }}
+
 externalDB:
   password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
   database: {{ .Values.databases.xwiki.name | quote }}
@@ -199,4 +207,19 @@ service:
 volumePermissions:
   enabled: true
 
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "truststore.jks"
+          path: "truststore.jks"
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs"
+{{- end }}
+
 ...

helmfile/environments/default/certificate.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -5,4 +6,5 @@ certificate:
   issuerRef:
     name: "letsencrypt-prod"
   wildcard: false
+  selfSigned: false
 ...

helmfile/environments/default/charts.yaml

@@ -14,7 +14,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
     name: "opendesk-certificates"
-    version: "2.1.3"
+    version: "3.1.0"
     verify: true
   clamav:
     # providerCategory: "Platform"

helmfile/environments/default/secrets.gotmpl

@@ -119,4 +119,6 @@ secrets:
     password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
   matrixUserVerificationService:
     password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
+  certificates:
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "certificates" "password" | sha1sum | quote }}
 ...