From c982b483dec05219cd2435c2469e19f080038447 Mon Sep 17 00:00:00 2001
From: Thomas Kaltenbrunner <tom@kaltenbrunner.it>
Date: Tue, 22 Jul 2025 12:49:20 +0200
Subject: [PATCH] feat(open-xchange): Use internal endpoint for provisioning
 and support for optionally spinning up a dedicated internal Pod just for
 provisioning (see `technial.oxAppSuite.provisioning.dedicatedCoreMwPod` for
 details)

---
 .../values-openxchange.yaml.gotmpl            | 43 +++++++++++++++++++
 .../values-oxconnector.yaml.gotmpl            |  2 +-
 .../environments/default/charts.yaml.gotmpl   |  2 +-
 .../default/technical.yaml.gotmpl             |  8 ++++
 4 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
index 87123faf..605aa34d 100644
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -120,6 +120,9 @@ appsuite:
         annotations:
           {{ .Values.annotations.openxchangeAppsuiteIngress.trailslash | toYaml | nindent 10 }}
       rest-routes-admin:
+        {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
+        enabled: false
+        {{- end }}
         annotations:
           {{ .Values.annotations.openxchangeAppsuiteIngress.restRoutesAdmin | toYaml | nindent 10 }}
       rest-routes-advertisement:
@@ -224,6 +227,34 @@ appsuite:
             - admin
             - businessmobility
             - request-analyzer
+    roles:
+      admin:
+        values:
+          features:
+            status:
+              admin: "enabled"
+          packages:
+            status:
+              open-xchange-admin-contextrestore: "enabled"
+              open-xchange-admin-oauth-provider: "enabled"
+              open-xchange-admin-soap: "enabled"
+              open-xchange-admin-soap-usercopy: "enabled"
+              open-xchange-admin-user-copy: "enabled"
+    {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
+    scaling:
+      nodes:
+        groupware:
+          replicas: {{ .Values.replicas.openxchangeCoreMW }}
+          roles:
+            - "http-api"
+            - "sync"
+            - "businessmobility"
+            - "request-analyzer"
+        admin:
+          replicas: 1
+          roles:
+            - "admin"
+    {{- end }}
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
     hzGroupName: "hzgroup"
@@ -245,6 +276,10 @@ appsuite:
         # admin: enabled
         documents: "disabled"
         guard: "enabled"
+        # disabling admin role breaks webmail
+        # {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
+        # admin: "disabled"
+        # {{- end }}
     gotenberg:
       enabled: true
       imagePullSecrets:
@@ -304,6 +339,14 @@ appsuite:
         open-xchange-hostname-config-cascade: "enabled"
         # Enable s3 storage
         open-xchange-filestore-s3: "enabled"
+        {{- if .Values.technical.oxAppSuite.provisioning.dedicatedCoreMwPod }}
+        # disabling admin feature breaks webmail, so only sub packages are disabled:
+        open-xchange-admin-contextrestore: "disabled"
+        open-xchange-admin-oauth-provider: "disabled"
+        open-xchange-admin-soap: "disabled"
+        open-xchange-admin-soap-usercopy: "disabled"
+        open-xchange-admin-user-copy: "disabled"
+        {{- end }}
     properties:
       com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
       com.openexchange.UIWebPath: "/appsuite/"
diff --git a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
index 260a5730..fdd1c107 100644
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -49,7 +49,7 @@ oxConnector:
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
   oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+  oxSoapServer: "http://open-xchange-core-mw-admin"
 
 provisioningApi:
   connection:
diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl
index 67318207..d1780122 100644
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -407,7 +407,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
-    version: "4.0.0"
+    version: "4.0.1"
     verify: true
   oxConnector:
     # providerCategory: "Supplier"
diff --git a/helmfile/environments/default/technical.yaml.gotmpl b/helmfile/environments/default/technical.yaml.gotmpl
index 7f5fccfd..832ef73f 100644
--- a/helmfile/environments/default/technical.yaml.gotmpl
+++ b/helmfile/environments/default/technical.yaml.gotmpl
@@ -6,4 +6,12 @@ technical:
   collabora:
     # Defines the value for the start parameter `-o:num_prespawn_children`
     numPrespawnChildren: 4
+  # Groupware related technical settings
+  oxAppSuite:
+    provisioning:
+      # In environments with a large number of users and groups, we offer the option to enable a
+      # dedicated Pod for the OX App Suite Core Middleware, exclusively handling provisioning tasks.
+      # This approach ensures that heavy provisioning workloads do not negatively impact the user
+      # experience, such as by slowing down pods that serve end-user sessions.
+      dedicatedCoreMwPod: false
 ...