feat(helmfile): Allow custom/self-signed ca-certificates

2025-12-06 15:31:38 +01:00 · 2024-07-02 15:32:13 +02:00
parent b25ada1f60
commit c71faf5e80
23 changed files with 422 additions and 2 deletions
--- a/cspell.json
+++ b/cspell.json
@@ -74,7 +74,9 @@
        "filestore",
        "trashbin",
        "bootstrap",
-        "configurability"
+        "configurability",
+        "selfsigned",
+        "truststore"
    ],
    "ignoreWords": [],
    "import": []
--- a/docs/enhanced-configuration.md
+++ b/docs/enhanced-configuration.md
@@ -13,3 +13,4 @@ The following enhanced configuration use cases are described in separate documen
 - [Federation with external identity provider](./enhanced-configuration/idp-federation.md)
 - [Matrix federation](./enhanced-configuration/matrix-federation.md)
 - [Groupware migration from M365 to openDesk](./enhanced-configuration/groupware-migration.md)
+- [Self-signed certificate and custom Certificate Authority (CA)](enhanced-configuration/self-signed-certificates.md)
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -0,0 +1,74 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Self-signed certificate and custom Certificate Authority (CA)</h1>
+
+<!-- TOC -->
+* [Use case](#use-case)
+* [Configuration](#configuration)
+  * [Option 1: Bring Your Own Certificate](#option-1-bring-your-own-certificate)
+  * [Option 2: Use cert-manager.io](#option-2-use-cert-managerio)
+<!-- TOC -->
+
+# Use case
+
+Deploying openDesk into an environment with custom public key infrastructure (PKI) that is usually not part of
+public certificate authority chains or deploying openDesk into a local cluster without ACME challenge.
+
+# Configuration
+
+There are two options to address the use case.
+
+## Option 1: Bring Your Own Certificate
+
+This option is useful, when you have your own PKI in your environment which is trusted by all clients that should
+access openDesk.
+
+1. Disable cert-manager.io certificate resource creation:
+
+    ```yaml
+    certificates:
+      enabled: false
+    ```
+
+1. Enable mount of self-signed certificates:
+
+    ```yaml
+    certificate:
+      selfSigned: true
+    ```
+
+1. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
+wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml)
+set as SANs (Subject Alternative Name).
+
+1. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
+CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
+
+1. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
+trust store password.
+
+## Option 2: Use cert-manager.io
+
+This option is useful, when you do not have a trusted certificate available and can't fetch a certificate from
+Let’s Encrypt.
+
+1. Create self-signed cert-manager.io Cluster Issuer:
+    ```yaml
+    apiVersion: "cert-manager.io/v1"
+    kind: "ClusterIssuer"
+    metadata:
+      name: "selfsigned-issuer"
+    spec:
+      selfSigned: {}
+    ```
+
+1. Enable mount and creation of self-signed certificates:
+    ```yaml
+    certificate:
+      issuerRef:
+        name: "selfsigned-issuer"
+      selfSigned: true
+    ```
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -47,6 +47,22 @@ extraEnvVars:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
+{{- if .Values.certificate.selfSigned }}
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -114,6 +114,27 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}

+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "REQUESTS_CA_BUNDLE"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+  - name: "SSL_CERT_FILE"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+  - name: "SSL_CERT_DIR"
+    value: "/etc/ssl/certs"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 federation:
  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
  ingress:
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -28,6 +28,25 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}

+
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "DENO_CERT"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -1,4 +1,5 @@
 {{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -131,6 +132,23 @@ podSecurityContext:
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}

+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "FS_IMPORT_CA_CERTIFICATES"
+    value: "true"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
  repository: {{ .Values.images.nextcloud.repository | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -1,4 +1,5 @@
 {{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -87,6 +88,24 @@ aio:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
+  {{- if .Values.certificate.selfSigned }}
+  extraEnvVars:
+    - name: "FS_IMPORT_CA_CERTIFICATES"
+      value: "true"
+  {{- end }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  {{- end }}
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
    repository: {{ .Values.images.nextcloud.repository | quote }}
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -20,6 +20,23 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+extraEnvVars:
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+{{- end }}
+
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -161,6 +161,35 @@ minio:

 # Nubus services which use customer supplied services
 keycloak:
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-crt-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+    - name: "trusted-cert-jks-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "truststore.jks"
+            path: "truststore.jks"
+  extraVolumeMounts:
+    - name: "trusted-cert-crt-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+    - name: "trusted-cert-jks-secret-volume"
+      mountPath: "/etc/ssl/certs/truststore.jks"
+      subPath: "truststore.jks"
+  extraEnvVars:
+    - name: "KC_HTTPS_TRUST_STORE_FILE"
+      value: "/etc/ssl/certs/truststore.jks"
+    - name: "KC_HTTPS_TRUST_STORE_PASSWORD"
+      value: {{ .Values.secrets.certificates.password | quote }}
+    - name: "KC_HTTPS_TRUST_STORE_TYPE"
+      value: "jks"
+  {{- end }}
  keycloak:
    auth:
      username: "kcadmin"
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -287,6 +287,38 @@ nubusPortalConsumer:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  waitForDependency:
+    extraVolumeMounts:
+      - name: "trusted-cert-secret-volume"
+        readOnly: true
+        mountPath: "/etc/ssl/certs/ca-certificates.crt"
+        subPath: "ca-certificates.crt"
+      - name: "trusted-cert-secret-volume"
+        readOnly: true
+        mountPath: "/usr/local/lib/python3.7/dist-packages/certifi/cacert.pem"
+        subPath: "cacert.pem"
+    extraEnvVars:
+      - name: "REQUESTS_CA_BUNDLE"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+      - name: "DEFAULT_CA_BUNDLE_PATH"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+      - name: "SSL_CERT_FILE"
+        value: "/etc/ssl/certs/ca-certificates.crt"
+  {{- end }}

 nubusUdmListener:
  containerSecurityContext:
@@ -333,6 +365,34 @@ nubusPortalServer:
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-crt-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/local/lib/python3.7/dist-packages/certifi/cacert.pem"
+      subPath: "cacert.pem"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
+      subPath: "cacert.pem"
+    - name: "trusted-cert-crt-secret-volume"
+      readOnly: true
+      mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
+      subPath: "cacert.pem"
+  {{- end }}

 nubusLdapNotifier:
  containerSecurityContext:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -532,4 +532,18 @@ podSecurityContext:
 resources:
  {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -72,6 +72,20 @@ containerSecurityContext:

 podAnnotations: {}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -287,6 +287,30 @@ appsuite:
      com.openexchange.smime.test: "true"
      # Other
      com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
+      {{- if .Values.certificate.selfSigned }}
+      # Selfsigned
+      com.openexchange.net.ssl.default.truststore.enabled: "false"
+      com.openexchange.net.ssl.custom.truststore.enabled: "true"
+      com.openexchange.net.ssl.custom.truststore.path: "/etc/ssl/certs/truststore.jks"
+      com.openexchange.net.ssl.custom.truststore.password: {{ .Values.secrets.certificates.password | quote }}
+      {{- end }}
+    {{- if .Values.certificate.selfSigned }}
+    extraEnv:
+    - name: "JAVA_OPTS_APPEND"
+      value: {{ printf "%s %s=%s" "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStoreType=jks" "-Djavax.net.ssl.trustStorePassword" (.Values.secrets.certificates.password | quote) | quote }}
+    extraVolumes:
+      - name: "trusted-cert-secret-volume"
+        secret:
+          secretName: "opendesk-certificates-ca-tls"
+          items:
+            - key: "truststore.jks"
+              path: "truststore.jks"
+            - key: "ca.crt"
+              path: "ca-certificates.crt"
+    extraMounts:
+      - name: "trusted-cert-secret-volume"
+        mountPath: "/etc/ssl/certs/"
+    {{- end }}
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -4,6 +4,20 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -44,6 +44,20 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openprojectBootstrap.registry | quote }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -87,6 +87,23 @@ environment:
  {{- if .Values.enterprise.openproject.token }}
  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
  {{- end }}
+  {{- if .Values.certificate.selfSigned }}
+  SSL_CERT_FILE: "/etc/ssl/certs/ca-certificates.crt"
+  {{- end }}
+
+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}

 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openproject.registry | quote }}
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -56,5 +56,13 @@ issuerRef:
 cleanup:
  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}

+selfSigned:
+  enabled: {{ .Values.certificate.selfSigned }}
+  keystores:
+    jks:
+      enabled: true
+      password:
+        value: {{ .Values.secrets.certificates.password | quote }}
+
 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -201,4 +201,16 @@ startupProbe:
 statefulset:
  replicaCount: {{ .Values.replicas.minio }}

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "public.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/certs/CAs"
+{{- end }}
 ...
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -11,6 +11,14 @@ image:

 imagePullSecrets: {{ .Values.global.imagePullSecrets }}

+
+{{- if .Values.certificate.selfSigned }}
+javaOpts:
+  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
+  - "-Djavax.net.ssl.trustStoreType=jks"
+  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+{{- end }}
+
 externalDB:
  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
  database: {{ .Values.databases.xwiki.name | quote }}
@@ -199,4 +207,19 @@ service:
 volumePermissions:
  enabled: true

+{{- if .Values.certificate.selfSigned }}
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "truststore.jks"
+          path: "truststore.jks"
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs"
+{{- end }}
+
 ...
--- a/helmfile/environments/default/certificate.yaml
+++ b/helmfile/environments/default/certificate.yaml
@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -5,4 +6,5 @@ certificate:
  issuerRef:
    name: "letsencrypt-prod"
  wildcard: false
+  selfSigned: false
 ...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -14,7 +14,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "2.1.3"
+    version: "3.1.0"
    verify: true
  clamav:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -119,4 +119,6 @@ secrets:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
  matrixUserVerificationService:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
+  certificates:
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "certificates" "password" | sha1sum | quote }}
 ...