From ed0096a9195635eea035547f22eaed45cd9a8a0d Mon Sep 17 00:00:00 2001
From: Axel Lender
Date: Wed, 21 May 2025 12:39:38 +0200
Subject: [PATCH] feat(helm): Template support for XWiki external secrets
Signed-off-by: Axel Lender
---
 docs/external-secrets.md | 14 +++++++++
 helmfile/apps/xwiki/values.yaml.gotmpl | 30 ++++++++++++++++--
 .../default/external_secrets.yaml.gotmpl | 31 +++++++++++++++++++
 3 files changed, 73 insertions(+), 2 deletions(-)
diff --git a/docs/external-secrets.md b/docs/external-secrets.md
index ffc18895..65527472 100644
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -12,6 +12,7 @@ This document covers how to utilise external secrets and special requirements.
 * [Components](#components)
 * [MinIO](#minio)
 * [Cassandra](#cassandra)
+ * [XWiki](#xwiki)
 # General
@@ -56,3 +57,16 @@ Cassandra is pre-populated with information regarding Dovecot with a `cql` scrip
 ```
 This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.
+## XWiki
+
+Properties listed in the file of the external secret will overwrite plain values.
+
+Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
+
+```yaml
+stringData:
+ propertiesFile: |
+ propertie1=propertie1Value
+ propertie2=propertie2Value
+ propertie3=propertie3Value
+```
diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl
index 4bcc7d82..94a5782d 100644
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -30,6 +30,9 @@ javaOptsSecrets:
 trustStorePassword:
 option: "-Djavax.net.ssl.trustStorePassword="
 value: {{ .Values.secrets.certificates.password }}
+ secret:
+ name: {{ .Values.externalSecrets.certificates.password.name | quote }}
+ key: {{ .Values.externalSecrets.certificates.password.key | quote }}
 {{- end }}
 externalDB:
@@ -42,7 +45,18 @@ externalDB:
 user: {{ .Values.databases.xwiki.username | quote }}
 host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
 customKeyRef:
+ {{- if or (.Values.externalSecrets.mariadb.rootPassword.name) (.Values.externalSecrets.postgresql.xwikiUser.name) }}
+ enabled: true
+ {{- else }}
 enabled: false
+ {{- end }}
+ {{- if eq .Values.databases.xwiki.type "mariadb" }}
+ name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
+ key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
+ {{- else }}
+ name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
+ key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
+ {{- end }}
 securityContext:
 enabled: true
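Review bot: With the new `secret:` block the plaintext `value: {{ .Values.secrets.certificates.password }}` on the line above is still rendered, so an operator who moves the trust-store password to an external secret still has it emitted in clear through the values, and which of the two the upstream chart applies when both are present is not visible here and should be confirmed. Rendering the plain value only when no external secret is named removes the ambiguity: `{{- if not .Values.externalSecrets.certificates.password.name }}` / `value: {{ .Values.secrets.certificates.password }}` / `{{- end }}`. The `{{- if }}` enclosing this `trustStorePassword` block opens before the hunk; only its `{{- end }}` is visible.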
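Review bot: The `enabled:` condition and the `name:`/`key:` selection under `customKeyRef` disagree: `enabled` becomes `true` when either `mariadb.rootPassword.name` or `postgresql.xwikiUser.name` is set, but the reference that follows is chosen by `databases.xwiki.type`, so a PostgreSQL deployment with only the MariaDB entry populated (or the reverse) renders `enabled: true` with an empty `name:` and `key:`. Making the type switch the outer branch and deriving `enabled` from the entry actually used keeps the two in step; the rewrite is below. Separately, the MariaDB branch pairs `user: {{ .Values.databases.xwiki.username | quote }}` with a secret called `rootPassword`; if that secret really holds the MariaDB root credential, XWiki either connects as root or gets a mismatched user/password pair, so a comment on that branch stating which secret is expected there would help.
```yaml
customKeyRef:
  {{- if eq .Values.databases.xwiki.type "mariadb" }}
  enabled: {{ not (empty .Values.externalSecrets.mariadb.rootPassword.name) }}
  name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
  key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
  {{- else }}
  enabled: {{ not (empty .Values.externalSecrets.postgresql.xwikiUser.name) }}
  name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
  key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
  {{- end }}
# … unchanged: securityContext …
```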
@@ -119,14 +133,26 @@ customConfigsSecrets:
 ## Password of "superadmin" user, disables account if not password is set
 xwiki.superadminpassword:
 value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
+ secret:
+ name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
+ key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
 {{ end }}
 xwiki.authentication.ldap.bind_pass:
 value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
+ secret:
+ name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }}
+ key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }}
 xwiki.properties:
 oidc.secret:
 value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+ secret:
+ name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }}
+ key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }}
 workplaceServices.portalSecret:
 value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+ secret:
+ name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
+ key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
 ingress:
 enabled: {{ .Values.ingress.enabled }}
@@ -235,8 +261,8 @@ properties:
 ## Properties listed in the secret file will overwrite plain values
 propertiesSecret:
- name: ""
- key: ""
+ name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }}
+ key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }}
 cluster:
 replicas: {{ .Values.replicas.xwiki }}
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
index dd4ae6f4..33fd2222 100644
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
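Review bot: The new `secret:` block for `xwiki.superadminpassword` sits inside an `{{ if ... }}` that opens before the hunk (only its `{{ end }}` is visible); if that condition tests the plaintext `.Values.secrets.xwiki.superadminpassword`, which cannot be confirmed from here, an operator who supplies the password solely through `externalSecrets.xwiki.xwikiSuperadminpassword` never gets the reference rendered and, per the comment on the first line of the hunk, the superadmin account stays disabled. Extending the condition to `{{ if or .Values.secrets.xwiki.superadminpassword .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name }}` would cover both paths. The same shape repeats for the other three entries, each of which keeps rendering its plaintext `value:` next to the new `secret:` reference; a short comment under `customConfigsSecrets:` stating which of the two the upstream chart applies when both are set would spare operators from assuming the plain value is dropped.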
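Review bot: Piping the default `~` through `| quote` drops the argument (sprig's `quote` skips nil), so an unconfigured `propertiesSecret` now renders as bare `name:`/`key:` (YAML null) where the removed lines gave `""`; if the upstream chart or its values schema expects a string there, this is a silent contract change. `name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | default "" | quote }}` and the same for `key` keep the previous empty-string behavior. The other new `secret:` references in this file have the same property, so the same `default ""` belongs there if the chart is strict about types.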
@@ -78,6 +78,37 @@ externalSecrets:
 name: ~
 key: ~
 apiAdminUsername:
+ centralnavigation:
+ apiKey:
+ name: ~
+ key: ~
+ certificates:
+ password:
+ name: ~
+ key: ~
+ keycloak:
+ clientSecret:
+ xwiki:
+ name: ~
+ key: ~
+ nubus:
+ ldapSearch:
+ xwiki:
+ name: ~
+ key: ~
+ mariadb:
+ rootPassword:
+ name: ~
+ key: ~
+ postgresql:
+ xwikiUser:
+ name: ~
+ key: ~
+ xwiki:
+ xwikiSuperadminpassword:
+ name: ~
+ key: ~
+ propertiesSecret:
 name: ~
 key: ~
 ...
\ No newline at end of file
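Review bot: The 31 added lines are inserted between the existing `apiAdminUsername:` and the `name: ~`/`key: ~` pair that used to follow it, so after this patch those two lines sit under the new `propertiesSecret:` and `apiAdminUsername:` is left as a bare key (null) — unless the indentation, which is lost in this rendering, says otherwise. Any template that dereferences `...apiAdminUsername.name` would then fail with a nil-pointer evaluation at render time; the new block belongs after the existing `key: ~`, carrying its own `name: ~`/`key: ~` under `propertiesSecret:`. The file also still ends without a trailing newline after `...`, which most YAML linters flag.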