fix(open-xchange): Add external secrets for Dovecot and Postfix

2025-12-06 07:21:36 +01:00 · 2025-06-13 15:54:09 +02:00
5 changed files with 90 additions and 1 deletions
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -26,6 +26,9 @@ dovecot:
    username: {{ .Values.databases.dovecotDictmap.username | quote }}
    password:
      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.cassandra.dovecotDictmapUser.name | quote }}
+        key: {{ .Values.externalSecrets.cassandra.dovecotDictmapUser.key | quote }}
    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
  sharedMailboxes:
    enabled: false
@@ -34,16 +37,28 @@ dovecot:
    username: {{ .Values.databases.dovecotACL.username | quote }}
    password:
      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.cassandra.dovecotACLUser.name | quote }}
+        key: {{ .Values.externalSecrets.cassandra.dovecotACLUser.key | quote }}
    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
  objectStorage:
    bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
    encryption:
      privateKey:
        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
+          key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
      publicKey:
        value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
+          key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    username: {{ .Values.objectstores.dovecot.username | quote }}
    password:
      value: {{ .Values.secrets.minio.dovecotUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.minio.dovecotUser.name | quote }}
+        key: {{ .Values.externalSecrets.minio.dovecotUser.key | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -27,10 +27,16 @@ dovecot:
  defaultMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  password:
    value: {{ .Values.secrets.dovecot.doveadm | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.dovecot.doveadm.name | quote }}
+      key: {{ .Values.externalSecrets.dovecot.doveadm.key | quote }}
  migration:
    enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
    masterPassword:
      value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
+        key: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
  ldap:
    enabled: true
    host: {{ .Values.ldap.host | quote }}
@@ -39,12 +45,18 @@ dovecot:
    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
    password:
      value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.name | quote }}
+        key: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.key | quote }}
  oidc:
    enabled: true
    clientID:
      value: "opendesk-dovecot"
    clientSecret:
      value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.name | quote }}
+        key: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.key | quote }}
    introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
    usernameAttribute: "opendesk_username"
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -88,8 +88,14 @@ postfix:
    enabled: true
    username:
      value: "opendesk-system"
+      existingSecret:
+        name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
+        key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
    password:
      value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
+        key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}

  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+externalSecrets:
+  cassandra:
+    dovecotACLUser:
+      name: ~
+      key: ~
+    dovecotDictmapUser:
+      name: ~
+      key: ~
+
+  dovecot:
+    doveadm:
+      name: ~
+      key: ~
+    objectStorage:
+      encryption:
+        privateKey:
+          name: ~
+          key: ~
+        publicKey:
+          name: ~
+          key: ~
+
+  keycloak:
+    clientSecret:
+      dovecot:
+        name: ~
+        key: ~
+
+  minio:
+    dovecotUser:
+      name: ~
+      key: ~
+
+  nubus:
+    ldapSearch:
+      dovecot:
+        name: ~
+        key: ~
+
+  oxAppSuite:
+    migrationsMasterPassword:
+      name: ~
+      key: ~
+
+  postfix:
+    opendeskSystemUsername:
+      name: ~
+      key: ~
+    opendeskSystemPassword:
+      name: ~
+      key: ~
+...
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -7,8 +7,8 @@ SPDX-License-Identifier: Apache-2.0
 secrets:
  cassandra:
    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
-    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
+    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
  oxAppSuite:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
    basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}