feat(postgresql): Add template support for existing secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>

docs/existing-secrets.md

@@ -0,0 +1,360 @@
+<!--
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Existing Secrets</h1>
+
+This document covers how to utilise existing secrets and special requirements. The examples documented here are mostly showing the format with the openDesk default values.
+
+<!-- TOC -->
+* [General](#general)
+* [Components](#components)
+  * [Cassandra](#cassandra)
+  * [Keycloak](#keycloak)
+  * [MariaDB](#mariadb)
+  * [MinIO](#minio)
+  * [Notes](#notes)
+  * [OpenProject](#openproject)
+  * [PostgreSQL](#postgresql)
+  * [XWiki](#xwiki)
+<!-- TOC -->
+
+# General
+
+⚠ ATTENTION: This feature is still in early development. For now you can't simply replace plain secrets with existing secrets because some secrets are used several components where some maybe don't support existing secrets by now.
+
+For most components when set the existing secret will supersede e.g. a password in a `values.yaml` file.
+
+The file [`existing_secrets.yaml`](/helmfile/environments/default/existing_secrets.yaml.gotmpl) lists all possible references to existing secrets that are currently implemented in openDesk.
+
+# Components
+
+This section covers information and special requirements to existing secrets that some Helm Charts expect.
+
+## Cassandra
+
+Cassandra is pre-populated with information regarding Dovecot with a `cql` script. The openDesk default `initDB` setting is configured as follows:
+
+```yaml
+  initUserData.cql: >
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+```
+
+This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.
+
+## Keycloak
+
+Several existing secrets utilised by the Keycloak bootstrap chart are expected in a special format and/or key.
+
+### Admin credentials
+
+```yaml
+stringData:
+  admin.yaml: |
+    username: "kcadmin"
+    password: "{{ .Values.secrets.keycloak.adminPassword }}"
+```
+
+### ox-connector
+
+The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON file. The value `.Values.secrets.oxConnector.provisioningApiPassword` is taken from the default openDesk install without existing secrets and has to be replaced by some secret value. The following format is expected:
+
+```yaml
+    stringData:
+      ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
+```
+
+### LDAP Search
+
+The secret `nubus.ldapSearch.keycloak` has the requirement to use `password` as key.
+
+### SSOFederation and Clients
+
+Values taken from those existing secrets will supersede secret values that are already present for the `client`/`IdP` in the configuration or add them accordingly. Further the secrets for the have to provide a `yaml` file in a special format. Both formats rely on the same key as used in the configuration respectively. The expected format for each configuration can be seen in the table below:
+
+|Section                                              |Format       |
+|-----------------------------------------------------|-------------|
+|`functional.authentication.clients`                  |1.           |
+|`functional.authentication.ssoFederation.idpDict`    |2.           |
+|`keycloak.clients`                                   |1.           |
+
+1. Expected format for the `clients` secrets:
+ 
+    ```yaml
+    opendesk-intercom:
+      clientId: "opendesk-intercom"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.intercom }}"
+    opendesk-notes:
+      clientId: "opendesk-notes"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.notes }}"
+    opendesk-dovecot:
+      clientId: "opendesk-dovecot"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.dovecot }}"
+    opendesk-oxappsuite:
+      clientId: "opendesk-oxappsuite"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.as8oidc }}"
+    opendesk-matrix:
+      clientId: "opendesk-matrix"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.matrix }}"
+    opendesk-nextcloud:
+      clientId: "opendesk-nextcloud"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.ncoidc }}"
+    opendesk-openproject:
+      clientId: "opendesk-openproject"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.openproject }}"
+    opendesk-xwiki:
+      clientId: "opendesk-xwiki"
+      secret: "{{ .Values.secrets.keycloak.clientSecret.xwiki }}"
+    ```
+
+2. Expected format for the `ssoFederation` secret:
+
+    ```yaml
+    yourIdpDictEntry:
+      clientId: "yourSecretValueHere"
+      clientSecret: "yourSecretValueHere"
+    ```
+## MariaDB
+
+When initialising databases, users and credentials the Chart expects `.sql` files inside the secret to mount and feed them to the database client.
+
+The expected format for the databases is as follows:
+
+```yaml
+stringData:
+  init-db-open-xchange.sql: |
+    CREATE DATABASE IF NOT EXISTS openxchange_dummy;
+    GRANT ALL PRIVILEGES ON openxchange_dummy.* TO "openxchange_user"@"%";
+    FLUSH PRIVILEGES;
+  init-db-nextcloud.sql: |
+    CREATE DATABASE IF NOT EXISTS nextcloud;
+    GRANT ALL PRIVILEGES ON nextcloud.* TO "nextcloud_user"@"%";
+    FLUSH PRIVILEGES;
+  init-db-xwiki.sql: |
+    CREATE DATABASE IF NOT EXISTS xwiki;
+    GRANT ALL PRIVILEGES ON xwiki.* TO "xwiki_user"@"%";
+    FLUSH PRIVILEGES;
+```
+
+For the user and credentials the following format is expected:
+
+```yaml
+stringData:
+  init-user-open-xchange.sql: |
+    CREATE USER IF NOT EXISTS "openxchange_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.openxchangeUser | quote }};
+    ALTER USER "openxchange_user"@"%" WITH MAX_USER_CONNECTIONS 100;
+    ALTER USER "openxchange_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.openxchangeUser | quote }};
+  init-user-nextcloud.sql: |
+    CREATE USER IF NOT EXISTS "nextcloud_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.nextcloudUser | quote }};
+    ALTER USER "nextcloud_user"@"%" WITH MAX_USER_CONNECTIONS 100;
+    ALTER USER "nextcloud_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.nextcloudUser | quote }};
+  init-user-xwiki.sql: |
+    CREATE USER IF NOT EXISTS "xwiki_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.xwikiUser | quote }};
+    ALTER USER "xwiki_user"@"%" WITH MAX_USER_CONNECTIONS 100;
+    ALTER USER "xwiki_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.xwikiUser | quote }};
+```
+
+
+## MinIO
+
+Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in existing secrets listed in `usersExistingSecrets` have to be formatted as follows:
+
+```yaml
+stringData:
+  username1: |
+    username=test-username
+    password=test-password
+    disabled=false
+    policies=readwrite,consoleAdmin,diagnostics
+    setPolicies=false
+```
+
+Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.
+
+## Notes
+
+There are some values that consist of more than just one secret part.
+
+```yaml
+backend:
+  configuration:
+    django:
+      superuserEmail:
+        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+    redisUrl:
+      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+```
+
+## OpenProject
+
+Here we need a custom secret to inject confidential data into environment variables as expected by OpenProject.
+
+```yaml
+stringData:
+  OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+```
+
+## PostgreSQL
+
+In order to initialise PostgreSQL with databases, users and credentials existing secrets are expected to contain `.sql` files.
+
+The expected format for the databases is as follows:
+
+```yaml
+stringData:
+  init-db-keycloak.sql: |
+    SELECT 'CREATE DATABASE keycloak' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'keycloak')\gexec
+    ALTER DATABASE keycloak OWNER TO keycloak_user;
+    GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak_user;
+  init-db-keycloakExtension.sql: |
+    SELECT 'CREATE DATABASE keycloak_extensions' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'keycloak_extensions')\gexec
+    ALTER DATABASE keycloak_extensions OWNER TO keycloak_extensions_user;
+    GRANT ALL PRIVILEGES ON DATABASE keycloak_extensions TO keycloak_extensions_user;
+  init-db-notes.sql.sql: |
+    SELECT 'CREATE DATABASE notes' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'notes')\gexec
+    ALTER DATABASE notes OWNER TO notes_user;
+    GRANT ALL PRIVILEGES ON DATABASE notes TO notes_user;
+  init-db-openproject.sql: |
+    SELECT 'CREATE DATABASE openproject' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'openproject')\gexec
+    ALTER DATABASE openproject OWNER TO openproject_user;
+    GRANT ALL PRIVILEGES ON DATABASE openproject TO openproject_user;
+  init-db-synapse.sql: |
+    SELECT 'CREATE DATABASE matrix ENCODING ''UTF8'' LC_COLLATE=''C'' LC_CTYPE=''C'' template=template0' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'matrix')\gexec
+    ALTER DATABASE matrix OWNER TO matrix_user;
+    GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix_user;
+  init-db-umsGuardianManagementApi.sql: |
+    SELECT 'CREATE DATABASE guardianmanagementapi' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'guardianmanagementapi')\gexec
+    ALTER DATABASE guardianmanagementapi OWNER TO guardianmanagementapi_user;
+    GRANT ALL PRIVILEGES ON DATABASE guardianmanagementapi TO guardianmanagementapi_user;
+  init-db-umsNotificationsApi.sql: |
+    SELECT 'CREATE DATABASE notificationsapi' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'notificationsapi')\gexec
+    ALTER DATABASE notificationsapi OWNER TO notificationsapi_user;
+    GRANT ALL PRIVILEGES ON DATABASE notificationsapi TO notificationsapi_user;
+  init-db-umsSelfservice.sql: |
+    SELECT 'CREATE DATABASE selfservice' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'selfservice')\gexec
+    ALTER DATABASE selfservice OWNER TO selfservice_user;
+    GRANT ALL PRIVILEGES ON DATABASE selfservice TO selfservice_user;
+  init-db-nextcloud.sql: |
+    SELECT 'CREATE DATABASE nextcloud' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'nextcloud')\gexec
+    ALTER DATABASE nextcloud OWNER TO nextcloud_user;
+    GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud_user;
+  init-db-xwiki.sql: |
+    SELECT 'CREATE DATABASE xwiki ENCODING ''UNICODE'' template=template0' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'xwiki')\gexec
+    ALTER DATABASE xwiki OWNER TO xwiki_user;
+    GRANT ALL PRIVILEGES ON DATABASE xwiki TO xwiki_user;
+```
+
+For the user and credentials the following format is expected:
+
+```yaml
+stringData:
+  init-user-keycloak.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'keycloak_user') THEN
+      ALTER ROLE "keycloak_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "keycloak_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-notes.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'notes_user') THEN
+      ALTER ROLE "notes_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.notesUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "notes_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.notesUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-openproject.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'openproject_user') THEN
+      ALTER ROLE "openproject_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.openprojectUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "openproject_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.openprojectUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-keycloakExtension.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'keycloak_extensions_user') THEN
+      ALTER ROLE "keycloak_extensions_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakExtensionUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "keycloak_extensions_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakExtensionUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-synapse.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'matrix_user') THEN
+      ALTER ROLE "matrix_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.matrixUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "matrix_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.matrixUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-umsNotificationsApi.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'notificationsapi_user') THEN
+      ALTER ROLE "notificationsapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsNotificationsApiUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "notificationsapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsNotificationsApiUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-umsGuardianManagementApi.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'guardianmanagementapi_user') THEN
+      ALTER ROLE "guardianmanagementapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "guardianmanagementapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-umsSelfservice.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'selfservice_user') THEN
+      ALTER ROLE "selfservice_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsSelfserviceUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "selfservice_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsSelfserviceUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-nextcloud.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'nextcloud_user') THEN
+      ALTER ROLE "nextcloud_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.nextcloudUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "nextcloud_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.nextcloudUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+  init-user-xwiki.sql: |
+    DO $$BEGIN
+    IF EXISTS (SELECT FROM pg_user WHERE usename = 'xwiki_user') THEN
+      ALTER ROLE "xwiki_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.xwikiUser | squote }} CONNECTION LIMIT 100;
+    ELSE
+      CREATE ROLE "xwiki_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.xwikiUser | squote }} CONNECTION LIMIT 100;
+    END IF;
+    END$$
+```
+
+## XWiki
+
+Properties listed in the file of the existing secret will overwrite plain values.
+
+Licenses can also be given via properties and require the format `licenses=<EnterpriseLicense>,<Applicationslicense>`.
+
+Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in existing secrets listed in `propertiesSecret` have to be formatted as follows:
+
+```yaml
+stringData:
+  propertiesFile: |
+    propertie1=propertie1Value
+    propertie2=propertie2Value
+    propertie3=propertie3Value
+```

docs/migrations.md

@@ -10,6 +10,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [external secrets](#external-secrets)
   * [v1.7.1+](#v171)
     * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
       * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
@@ -137,6 +138,22 @@ If you would like more details about the automated migrations, please read secti
 
 # Manual checks/actions
 
+## external secrets
+
+### pre upgrade
+
+#### Changed structure in `functional.ssoFederation`
+
+**Target group:** All upgrade deployments with configured ssoFederation.
+
+The structure of the configuration for the usage of ssoFederation has changed, please see [`functional.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/environments/default/functional.yaml.gotmpl) for further details of the new structure of the ssoFederation configuration.
+
+#### Changed structure in `config.opendesk.clients` and `config.custom.clients`
+
+**Target group:** All upgrade deployments
+
+The configuration underneath the named sections has changed from a list to a dictionary. An example can be seen in [`values-opendesk-keycloak-bootstrap.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl?ref_type=heads) for the `opendesk.clients`.
+
 ## v1.7.1+
 
 ### Pre-upgrade to v1.7.1+

docs/security.md

@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -8,9 +9,10 @@ SPDX-License-Identifier: Apache-2.0
 This document covers the current status of security measures.
 
 <!-- TOC -->
-* [Helm chart trust chain](#helm-chart-trust-chain)
-* [Kubernetes security enforcements](#kubernetes-security-enforcements)
-* [Network policies](#network-policies)
+* [Helm Chart Trust Chain](#helm-chart-trust-chain)
+* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
+* [NetworkPolicies](#networkpolicies)
+* [Existing Secrets](#existing-secrets)
 <!-- TOC -->
 
 # Helm chart trust chain
@@ -49,3 +51,9 @@ security:
   otterizeIntents:
     enabled: true
 ```
+
+# Existing Secrets
+
+We urge you to use existing secrets for your confidential credentials.
+
+For further explanation and documentation please visit [Existing Secrets](./docs/existing-secrets.md).

docs/testing.md

@@ -86,7 +86,7 @@ The following naming scheme is applied for the deployment matrix:
   - *Secrets*: Master password based secrets based on `secrets.yaml.gotmpl`
   - *Certificates*: Letsencrypt-prod certificates are used.
   - *Deployment*: GitLab CI based deployment.
-- `funct1`: Different configuration of `functional.yaml`, self-signed-certs [and when available external secrets].
+- `funct1`: Different configuration of `functional.yaml`, self-signed-certs [and when available existing secrets].
 - `extsrv`: External services (where possible).
 - `gitops`: Argo CD based deployment.
 

helmfile/apps/collabora/values.yaml.gotmpl

@@ -40,6 +40,13 @@ collabora:
     {{- end }}
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
+  {{- if .Values.existingSecrets.collabora.existingSecret.name }}
+  existingSecret:
+    enabled: true
+    secretName: {{ .Values.existingSecrets.collabora.existingSecret.name | quote }}
+    usernameKey: {{ .Values.existingSecrets.collabora.existingSecret.usernameKey | quote }}
+    passwordKey: {{ .Values.existingSecrets.collabora.existingSecret.passwordKey | quote }}
+  {{- end }}
 
 fullnameOverride: "collabora"
 

helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -26,8 +26,14 @@ configuration:
     enabled: true
     username:
       value: "nextcloud"
+      secret:
+        name: {{ .Values.existingSecrets.nextcloud.admin.username.name | quote }}
+        key: {{ .Values.existingSecrets.nextcloud.admin.username.key | quote }}
     password:
       value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.nextcloud.admin.password.name | quote }}
+        key: {{ .Values.existingSecrets.nextcloud.admin.password.key | quote }}
 
   antivirus:
     {{- if .Values.antivirus.icap.host }}
@@ -47,8 +53,14 @@ configuration:
       enabled: true
       username:
         value: {{ .Values.cache.nextcloud.username }}
+        secret:
+          name: {{ .Values.existingSecrets.cache.nextcloud.username.name | quote }}
+          key: {{ .Values.existingSecrets.cache.nextcloud.username.key | quote }}
       password:
         value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.cache.nextcloud.password.name | quote }}
+          key: {{ .Values.existingSecrets.cache.nextcloud.password.key | quote }}
     host: {{ .Values.cache.nextcloud.host | quote }}
     port: {{ .Values.cache.nextcloud.port | quote }}
     tls: {{ .Values.cache.nextcloud.tls }}
@@ -93,6 +105,9 @@ configuration:
     auth:
       username:
         value: {{ .Values.databases.nextcloud.username | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.databases.nextcloud.username.name | quote }}
+          key: {{ .Values.existingSecrets.databases.nextcloud.username.key | quote }}
       password:
         {{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
         value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
@@ -101,6 +116,9 @@ configuration:
         {{- else }}
         value: {{ .Values.databases.nextcloud.password | quote }}
         {{- end }}
+        secret:
+          name: {{ .Values.existingSecrets.databases.nextcloud.password.name | quote }}
+          key: {{ .Values.existingSecrets.databases.nextcloud.password.key | quote }}
 
   ldap:
     base: {{ .Values.ldap.baseDn | quote }}
@@ -108,14 +126,23 @@ configuration:
     dn: "uid=ldapsearch_nextcloud,cn=users,{{ .Values.ldap.baseDn }}"
     password:
       value: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.nubus.ldapSearch.nextcloud.name | quote }}
+        key: {{ .Values.existingSecrets.nubus.ldapSearch.nextcloud.key | quote }}
     adminGroupName: "managed-by-attribute-FileshareAdmin"
 
   objectstore:
     auth:
       accessKey:
         value: {{ .Values.objectstores.nextcloud.username | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.objectstores.nextcloud.accessKey.name | quote }}
+          key: {{ .Values.existingSecrets.objectstores.nextcloud.accessKey.key | quote }}
       secretKey:
         value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.objectstores.nextcloud.secretKey.name | quote }}
+          key: {{ .Values.existingSecrets.objectstores.nextcloud.secretKey.key | quote }}
     bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
     host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
     region: {{ .Values.objectstores.nextcloud.region | quote }}
@@ -129,6 +156,9 @@ configuration:
       value: "opendesk-nextcloud"
     password:
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.keycloak.clientSecret.nextcloudOidc.name | quote }}
+        key: {{ .Values.existingSecrets.keycloak.clientSecret.nextcloudOidc.key | quote }}
 
   opendeskIntegration:
     centralNavigation:
@@ -137,6 +167,9 @@ configuration:
         value: "opendesk_username"
       password:
         value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
+          key: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
     oxAppSuite:
       enabled: {{ .Values.apps.oxAppSuite.enabled }}
 
@@ -161,6 +194,9 @@ configuration:
         value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
       password:
         value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
+          key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
     host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     port: 587
     fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
@@ -177,6 +213,9 @@ configuration:
   serverinfo:
     token:
       value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.nextcloud.metricsToken.name | quote }}
+        key: {{ .Values.existingSecrets.nextcloud.metricsToken.key | quote }}
 
   forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}
 

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -18,6 +18,9 @@ exporter:
     server: "http://opendesk-nextcloud-aio"
     token:
       value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.nextcloud.metricsToken.name | quote }}
+        key: {{ .Values.existingSecrets.nextcloud.metricsToken.key | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -87,8 +90,14 @@ aio:
         enabled: true
         username:
           value: {{ .Values.cache.nextcloud.username }}
+          secret:
+            name: {{ .Values.existingSecrets.cache.nextcloud.username.name | quote }}
+            key: {{ .Values.existingSecrets.cache.nextcloud.username.key | quote }}
         password:
           value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
+          secret:
+            name: {{ .Values.existingSecrets.cache.nextcloud.password.name | quote }}
+            key: {{ .Values.existingSecrets.cache.nextcloud.password.key | quote }}
       host: {{ .Values.cache.nextcloud.host | quote }}
       port: {{ .Values.cache.nextcloud.port | quote }}
       tls: {{ .Values.cache.nextcloud.tls }}
@@ -106,6 +115,9 @@ aio:
       auth:
         username:
           value: {{ .Values.databases.nextcloud.username | quote }}
+          secret:
+            name: {{ .Values.existingSecrets.databases.nextcloud.username.name | quote }}
+            key: {{ .Values.existingSecrets.databases.nextcloud.username.key | quote }}
         password:
           {{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
           value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
@@ -114,6 +126,9 @@ aio:
           {{- else }}
           value: {{ .Values.databases.nextcloud.password | quote }}
           {{- end }}
+          secret:
+            name: {{ .Values.existingSecrets.databases.nextcloud.password.name | quote }}
+            key: {{ .Values.existingSecrets.databases.nextcloud.password.key | quote }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false

helmfile/apps/notes/values.yaml.gotmpl

@@ -4,12 +4,22 @@
 global:
   collaborationServerSecret:
     value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.notes.collaborationSecret.name | quote }}
+      key: {{ .Values.existingSecrets.notes.collaborationSecret.key | quote }}
   fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
   yProviderApiKey:
     value: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.notes.collaborationSecret.name | quote }}
+      key: {{ .Values.existingSecrets.notes.collaborationSecret.key | quote }}
+  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
+  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
 
 backend:
   image:
@@ -36,14 +46,23 @@ backend:
     ai:
       apiKey:
         value: {{ .Values.ai.apiKey }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.ai.apiKey.name | quote }}
+          key: {{ .Values.existingSecrets.ai.apiKey.key | quote }}
       baseUrl: {{ .Values.ai.endpoint }}
       model: {{ .Values.ai.model | quote }}
     aws:
       endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
       s3AccessKeyId:
         value: {{ .Values.objectstores.notes.username }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
+          key: {{ .Values.existingSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
       s3SecretAccessKey:
         value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
+          key: {{ .Values.existingSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
       storageBucketName: {{ .Values.objectstores.notes.bucket }}
     collaboration:
       apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
@@ -53,9 +72,15 @@ backend:
       name: {{ .Values.databases.notes.name | quote }}
       password:
         value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.databases.notes.password.name | quote  }}
+          key: {{ .Values.existingSecrets.databases.notes.password.key | quote }}
       port: {{ .Values.databases.notes.port | quote }}
       user:
         value: {{ .Values.databases.notes.username | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.databases.notes.user.name | quote }}
+          key: {{ .Values.existingSecrets.databases.notes.user.key | quote }}
     email:
       brandName: "openDesk"
       from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
@@ -64,14 +89,23 @@ backend:
       logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
       user:
         value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.postfix.opendeskSystem.username.name | quote }}
+          key: {{ .Values.existingSecrets.postfix.opendeskSystem.username.key | quote }}
       password:
         value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
+          key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
     oidc:
       enabled: true
       rpClientId:
         value: "opendesk-notes"
       rpClientSecret:
         value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.keycloak.clientSecret.notes.name | quote }}
+          key: {{ .Values.existingSecrets.keycloak.clientSecret.notes.key | quote }}
       opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
       opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
       opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
@@ -88,14 +122,26 @@ backend:
     django:
       secretKey:
         value: {{ .Values.secrets.notes.djangoSecretKey }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.notes.django.secretKey.name | quote }}
+          key: {{ .Values.existingSecrets.notes.django.secretKey.key | quote }}
       createSuperuser: true
       superuserEmail:
         value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.notes.django.superuserEmail.name | quote }}
+          key: {{ .Values.existingSecrets.notes.django.superuserEmail.key | quote }}
       superuserPassword:
         value: {{ .Values.secrets.notes.superuser }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.notes.django.superuserPassword.name | quote }}
+          key: {{ .Values.existingSecrets.notes.django.superuserPassword.key | quote }}
     frontendTheme: "openDesk"
     redisUrl:
       value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+      existingSecret:
+        name: {{ .Values.existingSecrets.notes.redisUrl.name | quote }}
+        key: {{ .Values.existingSecrets.notes.redisUrl.key | quote }}
   extraEnvVars:
     - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
       value: "False"

helmfile/apps/nubus/values-intercom-service.yaml.gotmpl

@@ -53,6 +53,10 @@ global:
 ics:
   session:
     secret: {{ .Values.secrets.intercom.secret | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.nubus.ics.session.name | quote }}
+      keyMapping:
+        secret: {{ .Values.existingSecrets.nubus.ics.session.key | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   originRegex: "{{ .Values.global.domain }}"
   enableSessionCookie: true
@@ -66,21 +70,37 @@ ics:
   oidc:
     id: "opendesk-intercom"
     clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.keycloak.clientSecret.intercom.name | quote}}
+      keyMapping:
+        clientSecret: {{ .Values.existingSecrets.keycloak.clientSecret.intercom.key | quote }}
   matrix:
     subdomain: {{ .Values.global.hosts.synapse | quote }}
     serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
     auth:
       applicationServiceSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.nubus.ics.synapseAsToken.name | quote }}
+        keyMapping:
+          password: {{ .Values.existingSecrets.nubus.ics.synapseAsToken.key | quote }}
   nordeck:
     subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
   portal:
     auth:
       sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
+        keyMapping:
+          sharedSecret: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
   redis:
     host: {{ .Values.cache.intercomService.host | quote }}
     port: {{ .Values.cache.intercomService.port }}
     auth:
       password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.redis.existingSecret | quote }}
+        keyMapping:
+          password: {{ .Values.existingSecrets.redis.existingSecretPasswordKey | quote }}
   openxchange:
     oci: true
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
@@ -131,10 +151,9 @@ provisioning:
       auth:
         username: "kcadmin"
         existingSecret:
-          name: "ums-opendesk-keycloak-credentials"
+          name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
           keyMapping:
-            password: "admin_password"
-        key: "admin_password"
+            passowrd: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}

helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl

@@ -38,8 +38,14 @@ configuration:
   credentials:
     accessKey:
       value: {{ .Values.objectstores.nubus.username | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.objectstores.nubus.accessKey.name | quote }}
+        key: {{ .Values.existingSecrets.objectstores.nubus.accessKey.key | quote }}
     secretKey:
       value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.objectstores.nubus.secretKey.name | quote }}
+        key: {{ .Values.existingSecrets.objectstores.nubus.secretKey.key | quote }}
 
 podAnnotations:
   {{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }}

helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl

@@ -200,25 +200,25 @@ nubusGuardian:
       username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
       database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
       existingSecret:
-        name: "ums-guardian-postgresql-opendesk-credentials"
+        name: {{ .Values.existingSecrets.databases.umsGuardianManagementApi.password.name | default "ums-guardian-postgresql-opendesk-credentials" | quote }}
         keyMapping:
-          password: "guardianDatabasePassword"
+          password: {{ .Values.existingSecrets.databases.umsGuardianManagementApi.password.key | default "guardianDatabasePassword" | quote }}
   provisioning:
     enabled: false
     config:
       nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
       keycloak:
         credentialSecret:
-          name: "ums-opendesk-keycloak-credentials"
-          key: "admin_password"
+          name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
+          key: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
       realm: {{ .Values.platform.realm | quote }}
       username: "kcadmin"
     keycloak:
       auth:
         existingSecret:
-          name: "ums-opendesk-guardian-client-secret"
-          keyMapping:
-            password: "managementApiClientSecret"
+        name: {{ .Values.existingSecrets.keycloak.clientSecret.guardian.name | default "ums-opendesk-guardian-client-secret" | quote }}
+        keyMapping:
+          password: {{ .Values.existingSecrets.keycloak.clientSecret.guardian.key | default "managementApiClientSecret" | quote }}
       connection:
         host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
         baseUrl: "http://ums-keycloak:8080"

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -192,11 +192,10 @@ keycloak:
   keycloak:
     auth:
       username: "kcadmin"
-      # TODO: Pending secrets refactoring to be able to provide the value directly
       existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
+        name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
         keyMapping:
-          adminPassword: "admin_password"
+          adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
     login:
       messages:
         de:
@@ -219,11 +218,10 @@ keycloak:
     auth:
       username: {{ .Values.databases.keycloak.username | quote }}
       database: {{ .Values.databases.keycloak.name | quote }}
-      # TODO: Pending secrets refactoring to be able to provide the value directly
       existingSecret:
-        name: "ums-keycloak-postgresql-opendesk-credentials"
+        name: {{ .Values.existingSecrets.databases.keycloak.password.name | default "ums-keycloak-postgresql-opendesk-credentials" | quote }}
         keyMapping:
-          password: keycloakDatabasePassword
+          password: {{ .Values.existingSecrets.databases.keycloak.password.key | default "keycloakDatabasePassword" | quote }}
   replicaCount: {{ .Values.replicas.keycloak }}
   resources:
     {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
@@ -447,9 +445,9 @@ nubusKeycloakExtensions:
       # TODO: Pending secrets refactoring in component chart. This will refer to
       # the secret generated by the keycloak subchart.
       existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
+        name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
         keyMapping:
-          adminPassword: "admin_password"
+          adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
   proxy:
     additionalAnnotations:
       {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
@@ -527,11 +525,10 @@ nubusKeycloakExtensions:
     auth:
       database: {{ .Values.databases.keycloakExtension.name | quote }}
       username: {{ .Values.databases.keycloakExtension.username | quote }}
-      # TODO: Pending secrets refactoring for this component chart
       existingSecret:
-        name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
+        name: {{ .Values.existingSecrets.databases.keycloakExtension.password.name | default "ums-keycloak-extensions-postgresql-opendesk-credentials" | quote }}
         keyMapping:
-          password: "umcKeycloakExtensionsDatabasePassword"
+          password: {{ .Values.existingSecrets.databases.keycloakExtension.password.key | default "umcKeycloakExtensionsDatabasePassword" | quote }}
   smtp:
     connection:
       host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -544,9 +541,9 @@ nubusKeycloakExtensions:
       # TODO: Pending secrets refactoring in the component chart
       password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
       existingSecret:
-        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
+        name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | default "ums-keycloak-extensions-smtp-opendesk-credentials" | quote }}
         keyMapping:
-          password: "umcKeycloakExtensionsSmtpPassword"
+          password: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | default "umcKeycloakExtensionsSmtpPassword" | quote }}
   handler:
     additionalAnnotations:
       {{ .Values.annotations.nubusKeycloakExtensions.handlerAdditional | toYaml | nindent 6 }}
@@ -1110,9 +1107,9 @@ nubusProvisioning:
     createUsers:
       oxConsumer:
         existingSecret:
-          name: ums-provisioning-ox-credentials
+          name: {{ .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.name | default "ums-provisioning-ox-credentials" | quote }}
           keyMapping:
-            registration: "ox-connector.json"
+            registration: {{ .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.key | default "ox-connector.json" | quote }}
     {{- end }}
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -1604,16 +1601,14 @@ nubusKeycloakBootstrap:
     auth:
       username: "kcadmin"
       existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
+        name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
+        keyMapping:
+          adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
   ldap:
     auth:
       bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
       existingSecret:
-        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
-  oidc:
-    rp:
-      umcServer:
-        password: {{ .Values.secrets.keycloak.clientSecret.portal | quote }}
+        name: {{ .Values.existingSecrets.nubus.ldapSearch.keycloak.name | default "ums-keycloak-bootstrap-ldap-opendesk-credentials" | quote }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-keycloak-bootstrap"
     {{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }}
@@ -1636,27 +1631,50 @@ nubusKeycloakBootstrap:
 
 # Credential secrets for accessing customer supplied services
 extraSecrets:
+  {{- if and (not .Values.existingSecrets.keycloak.clientSecret.guardian.name)
+             (not .Values.existingSecrets.keycloak.clientSecret.guardian.key) }}
   - name: "ums-opendesk-guardian-client-secret"
     stringData:
       managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.keycloak.adminPassword.name)
+             (not .Values.existingSecrets.keycloak.adminPassword.key) }}
   - name: "ums-opendesk-keycloak-credentials"
     stringData:
       admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.databases.keycloak.password.name)
+             (not .Values.existingSecrets.databases.keycloak.password.key) }}
   - name: "ums-keycloak-postgresql-opendesk-credentials"
     stringData:
       keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.databases.umsGuardianManagementApi.password.name)
+             (not .Values.existingSecrets.databases.umsGuardianManagementApi.password.key) }}
   - name: "ums-guardian-postgresql-opendesk-credentials"
     stringData:
       guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.databases.keycloakExtension.password.name)
+             (not .Values.existingSecrets.databases.keycloakExtension.password.key) }}
   - name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
     stringData:
       umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.postfix.opendeskSystem.password.name)
+             (not .Values.existingSecrets.postfix.opendeskSystem.password.key) }}
   - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
     stringData:
       umcKeycloakExtensionsSmtpPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.nubus.ldapSearch.keycloak.name) }}
   - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
     stringData:
       password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
+  {{- end }}
+  {{- if and (not .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.name)
+             (not .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.key) }}
   - name: "ums-provisioning-ox-credentials"
     stringData:
       ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
+  {{- end }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -80,7 +80,11 @@ config:
     clientScopes:
       {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
     clients:
-      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
+      value:
+        {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 8 }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.functional.authentication.clients.name | quote }}
+        key: {{ .Values.existingSecrets.functional.authentication.clients.key | quote }}
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                     'offline_access', 'roles', 'address', 'phone' ]
@@ -92,6 +96,8 @@ config:
       values:
         username: "kcadmin"
         password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.keycloak.adminSecret.name | quote }}
     realm: {{ .Values.platform.realm | quote }}
     intraCluster:
       enabled: true
@@ -113,8 +119,10 @@ config:
   ssoFederation:
     enabled: {{ .Values.functional.authentication.ssoFederation.enabled }}
     enforceFederatedLogin: {{ .Values.functional.authentication.ssoFederation.enforceFederatedLogin }}
-    name: {{ .Values.functional.authentication.ssoFederation.name | quote }}
-    idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }}
+    value: {{ .Values.functional.authentication.ssoFederation.idpDict | toYaml | nindent 8 }}
+    existingSecret:
+      name : {{ .Values.existingSecrets.functional.authentication.ssoFederation.name | quote }}
+      key : {{ .Values.existingSecrets.functional.authentication.ssoFederation.key | quote }}
   twoFactorSettings:
     additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }}
   precreateGroups: [ 'Domain Admins', 'Domain Users', 'IAM API - Full Access',
@@ -517,233 +525,246 @@ config:
               jsonType.label: "String"
       {{ end }}
     clients:
-      - name: "opendesk-intercom"
-        clientId: "opendesk-intercom"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          use.refresh.tokens: true
-          backchannel.logout.session.required: true
-          standard.token.exchange.enabled: true
-          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
-          backchannel.logout.revoke.offline.tokens: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
-        protocolMappers:
-          - name: "intercom-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "opendesk-intercom"
-              id.token.claim: false
-              access.token.claim: true
-          - name: "opendesk_username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "opendesk_username"
-              jsonType.label: "String"
-          - name: "opendesk_useruuid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "entryUUID"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "opendesk_useruuid"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "offline_access"
-      {{ if .Values.apps.notes.enabled }}
-      - name: "opendesk-notes"
-        clientId: "opendesk-notes"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        alwaysDisplayInConsole: false
-        bearerOnly: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        surrogateAuthRequired: false
-        attributes:
-          backchannel.logout.revoke.offline.tokens: false
-          backchannel.logout.session.required: false
-          client.introspection.response.allow.jwt.claim.enabled: false
-          client.use.lightweight.access.token.enabled: false
-          client_credentials.use_refresh_token: false
-          display.on.consent.screen: false
-          oauth2.device.authorization.grant.enabled: false
-          oidc.ciba.grant.enabled: false
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
-          require.pushed.authorization.requests: false
-          tls.client.certificate.bound.access.tokens: false
-          token.response.type.bearer.lower-case: false
-          use.jwks.url: false
-          use.refresh.tokens: false
-          # it is probably not even required to set this value explicitly.
-          user.info.response.signature.alg: "RS256"
-        defaultClientScopes:
-          - "opendesk-notes-scope"
-      {{ end }}
-      {{ if .Values.apps.oxAppSuite.enabled }}
-      - name: "opendesk-dovecot"
-        clientId: "opendesk-dovecot"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: false
-        defaultClientScopes:
-          - "opendesk-dovecot-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
-      {{ end }}
-      {{ if .Values.apps.jitsi.enabled }}
-      - name: "opendesk-jitsi"
-        clientId: "opendesk-jitsi"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: true
-        fullScopeAllowed: true
-        authorizationServicesEnabled: false
-        defaultClientScopes:
-          - "opendesk-jitsi-scope"
-      {{ end }}
-      {{ if .Values.apps.element.enabled }}
-      - name: "opendesk-matrix"
-        clientId: "opendesk-matrix"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        standardFlowEnabled: true
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: true
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-matrix-scope"
-      {{ end }}
-      {{ if .Values.apps.nextcloud.enabled }}
-      - name: "opendesk-nextcloud"
-        clientId: "opendesk-nextcloud"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-nextcloud-scope"
-          - "read_contacts"
-          - "write_contacts"
-      {{ end }}
-      {{ if .Values.apps.openproject.enabled }}
-      - name: "opendesk-openproject"
-        clientId: "opendesk-openproject"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        serviceAccountsEnabled: true
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-openproject-scope"
-      {{ end }}
-      {{ if .Values.apps.xwiki.enabled }}
-      - name: "opendesk-xwiki"
-        clientId: "opendesk-xwiki"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: false
-          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-xwiki-scope"
-      {{ end }}
+      value:
+        opendesk-intercom:
+          name: "opendesk-intercom"
+          clientId: "opendesk-intercom"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          attributes:
+            use.refresh.tokens: true
+            backchannel.logout.session.required: true
+            standard.token.exchange.enabled: true
+            standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
+            backchannel.logout.revoke.offline.tokens: true
+            backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+          protocolMappers:
+            - name: "intercom-audience"
+              protocol: "openid-connect"
+              protocolMapper: "oidc-audience-mapper"
+              consentRequired: false
+              config:
+                included.client.audience: "opendesk-intercom"
+                id.token.claim: false
+                access.token.claim: true
+            - name: "opendesk_username"
+              protocol: "openid-connect"
+              protocolMapper: "oidc-usermodel-attribute-mapper"
+              consentRequired: false
+              config:
+                userinfo.token.claim: true
+                user.attribute: "uid"
+                id.token.claim: true
+                access.token.claim: true
+                claim.name: "opendesk_username"
+                jsonType.label: "String"
+            - name: "opendesk_useruuid"
+              protocol: "openid-connect"
+              protocolMapper: "oidc-usermodel-attribute-mapper"
+              consentRequired: false
+              config:
+                userinfo.token.claim: true
+                user.attribute: "entryUUID"
+                id.token.claim: true
+                access.token.claim: true
+                claim.name: "opendesk_useruuid"
+                jsonType.label: "String"
+          defaultClientScopes:
+            - "offline_access"
+        {{ if .Values.apps.notes.enabled }}
+        opendesk-notes:
+          name: "opendesk-notes"
+          clientId: "opendesk-notes"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
+          standardFlowEnabled: true
+          implicitFlowEnabled: false
+          alwaysDisplayInConsole: false
+          bearerOnly: false
+          directAccessGrantsEnabled: true
+          serviceAccountsEnabled: false
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          surrogateAuthRequired: false
+          attributes:
+            backchannel.logout.revoke.offline.tokens: false
+            backchannel.logout.session.required: false
+            client.introspection.response.allow.jwt.claim.enabled: false
+            client.use.lightweight.access.token.enabled: false
+            client_credentials.use_refresh_token: false
+            display.on.consent.screen: false
+            oauth2.device.authorization.grant.enabled: false
+            oidc.ciba.grant.enabled: false
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
+            require.pushed.authorization.requests: false
+            tls.client.certificate.bound.access.tokens: false
+            token.response.type.bearer.lower-case: false
+            use.jwks.url: false
+            use.refresh.tokens: false
+            # it is probably not even required to set this value explicitly.
+            user.info.response.signature.alg: "RS256"
+          defaultClientScopes:
+            - "opendesk-notes-scope"
+        {{ end }}
+        {{ if .Values.apps.oxAppSuite.enabled }}
+        opendesk-dovecot:
+          name: "opendesk-dovecot"
+          clientId: "opendesk-dovecot"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          attributes:
+            backchannel.logout.session.required: false
+          defaultClientScopes:
+            - "opendesk-dovecot-scope"
+        opendesk-oxappsuite:
+          name: "opendesk-oxappsuite"
+          clientId: "opendesk-oxappsuite"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          attributes:
+            backchannel.logout.session.required: true
+            backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          defaultClientScopes:
+            - "opendesk-oxappsuite-scope"
+            - "read_contacts"
+            - "write_contacts"
+        {{ end }}
+        {{ if .Values.apps.jitsi.enabled }}
+        opendesk-jitsi:
+          name: "opendesk-jitsi"
+          clientId: "opendesk-jitsi"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          redirectUris:
+            - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: true
+          fullScopeAllowed: true
+          authorizationServicesEnabled: false
+          defaultClientScopes:
+            - "opendesk-jitsi-scope"
+        {{ end }}
+        {{ if .Values.apps.element.enabled }}
+        opendesk-matrix:
+          name: "opendesk-matrix"
+          clientId: "opendesk-matrix"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          standardFlowEnabled: true
+          directAccessGrantsEnabled: true
+          serviceAccountsEnabled: true
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          attributes:
+            backchannel.logout.session.required: true
+            backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          defaultClientScopes:
+            - "opendesk-matrix-scope"
+        {{ end }}
+        {{ if .Values.apps.nextcloud.enabled }}
+        opendesk-nextcloud:
+          name: "opendesk-nextcloud"
+          clientId: "opendesk-nextcloud"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          attributes:
+            backchannel.logout.session.required: true
+            backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          defaultClientScopes:
+            - "opendesk-nextcloud-scope"
+            - "read_contacts"
+            - "write_contacts"
+        {{ end }}
+        {{ if .Values.apps.openproject.enabled }}
+        opendesk-openproject:
+          name: "opendesk-openproject"
+          clientId: "opendesk-openproject"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          serviceAccountsEnabled: true
+          authorizationServicesEnabled: false
+          attributes:
+            backchannel.logout.session.required: true
+            backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          defaultClientScopes:
+            - "opendesk-openproject-scope"
+        {{ end }}
+        {{ if .Values.apps.xwiki.enabled }}
+        opendesk-xwiki:
+          name: "opendesk-xwiki"
+          clientId: "opendesk-xwiki"
+          protocol: "openid-connect"
+          clientAuthenticatorType: "client-secret"
+          secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+          redirectUris:
+            - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          consentRequired: false
+          frontchannelLogout: false
+          publicClient: false
+          authorizationServicesEnabled: false
+          attributes:
+            backchannel.logout.session.required: false
+            backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          defaultClientScopes:
+            - "opendesk-xwiki-scope"
+        {{ end }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.keycloak.clients.name | quote }}
+        key: {{ .Values.existingSecrets.keycloak.clients.key | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -24,6 +24,9 @@ dovecot:
     username: {{ .Values.databases.dovecotDictmap.username | quote }}
     password:
       value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.dovecot.dictmapUser.name | quote }}
+        key: {{ .Values.existingSecrets.dovecot.dictmapUser.key | quote }}
     keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
   sharedMailboxes:
     enabled: true
@@ -32,16 +35,28 @@ dovecot:
     username: {{ .Values.databases.dovecotACL.username | quote }}
     password:
       value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.dovecot.aclUser.name | quote }}
+        key: {{ .Values.existingSecrets.dovecot.aclUser.key | quote }}
     keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
     bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
     encryption:
       privateKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
+          key: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
       publicKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
+          key: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
     fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     username: {{ .Values.objectstores.dovecot.username | quote }}
     password:
       value: {{ .Values.objectstores.dovecot.secretKey | default .Values.secrets.minio.dovecotUser | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.objectstores.dovecotUser.name | quote }}
+        key: {{ .Values.existingSecrets.objectstores.dovecotUser.key | quote }}
 ...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -25,10 +25,16 @@ dovecot:
   defaultMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password:
     value: {{ .Values.secrets.dovecot.doveadm | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.dovecot.doveadm.name | quote }}
+      key: {{ .Values.existingSecrets.dovecot.doveadm.key | quote }}
   migration:
     enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
     masterPassword:
       value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
+        key: {{ .Values.existingSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
   ldap:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
@@ -37,13 +43,20 @@ dovecot:
     dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
     password:
       value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.nubus.ldapSearch.dovecot.name | quote }}
+        key: {{ .Values.existingSecrets.nubus.ldapSearch.dovecot.key | quote }}
   loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
+
   oidc:
     enabled: true
     clientID:
       value: "opendesk-dovecot"
     clientSecret:
       value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.keycloak.clientSecret.dovecot.name | quote }}
+        key: {{ .Values.existingSecrets.keycloak.clientSecret.dovecot.key | quote }}
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -61,8 +61,14 @@ postfix:
     authentication:
       username:
         value: {{ .Values.smtp.username }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.smtp.username.name | quote }}
+          key: {{ .Values.existingSecrets.smtp.username.key | quote }}
       password:
         value: {{ .Values.smtp.password }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.smtp.password.name | quote }}
+          key: {{ .Values.existingSecrets.smtp.password.key | quote }}
   smtpSASLAuthEnable: "yes"
   {{- end }}
   allowRelayNets: false

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -25,14 +25,26 @@ config:
     admin:
       username:
         value: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.openproject.apiAdmin.username.name | quote }}
+          key: {{ .Values.existingSecrets.openproject.apiAdmin.username.key | quote }}
       password:
         value: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.openproject.apiAdmin.password.name | quote }}
+          key: {{ .Values.existingSecrets.openproject.apiAdmin.password.key | quote }}
   nextcloud:
     admin:
       username:
         value: "nextcloud"
+        secret:
+          name: {{ .Values.existingSecrets.nextcloud.admin.username.name | quote }}
+          key: {{ .Values.existingSecrets.nextcloud.admin.username.key | quote }}
       password:
         value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.nextcloud.admin.password.name | quote }}
+          key: {{ .Values.existingSecrets.nextcloud.admin.password.key | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl

@@ -71,6 +71,9 @@ selfSigned:
       enabled: true
       password:
         value: {{ .Values.secrets.certificates.password | quote }}
+        secret:
+          name: {{ .Values.existingSecrets.certificates.password.name | quote }}
+          key: {{ .Values.existingSecrets.certificates.password.key | quote }}
 
 wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/openproject/values.yaml.gotmpl

@@ -36,9 +36,17 @@ dbInit:
     {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 
 environment:
-  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
+  {{- if and (not .Values.existingSecrets.openproject.environment)
+             (and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token) }}
   OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
   {{- end }}
+  {{- if not .Values.existingSecrets.openproject.environment }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+  {{- end }}
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
   OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
@@ -52,7 +60,6 @@ environment:
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
@@ -69,13 +76,9 @@ environment:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
-  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
-  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
-  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
-  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
   OPENPROJECT_SMTP__PORT: 587
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -139,6 +142,10 @@ postgresql:
     password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
     username: {{ .Values.databases.openproject.username | quote }}
     database: {{ .Values.databases.openproject.name | quote }}
+    existingSecret: {{ .Values.existingSecrets.databases.openproject.name | quote }}
+    secretKeys:
+      adminPasswordKey: {{ .Values.existingSecrets.databases.openproject.adminPasswordKey | quote }}
+      userPasswordKey: {{ .Values.existingSecrets.databases.openproject.userPasswordKey | quote }}
   connection:
     host: {{ .Values.databases.openproject.host | quote }}
     port: {{ .Values.databases.openproject.port }}
@@ -164,6 +171,9 @@ openproject:
     # Lock the admin user, preventing internal logins.
     # Switch to true once the NC filestore bootstrapping is optimized.
     locked: false
+    secret: {{ .Values.existingSecrets.openproject.adminUserPassword.name | quote }}
+    secretKeys:
+      password: {{ .Values.existingSecrets.openproject.adminUserPassword.key | quote }}
   oidc:
     enabled: true
     authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
@@ -173,6 +183,10 @@ openproject:
     provider: "keycloak"
     scope: "[openid,opendesk-openproject-scope]"
     secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+    existingSecret: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.name | quote }}
+    secretKeys:
+      identifier: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.identifier | quote }}
+      secret: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.key | quote }}
     tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
     userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
     attribute_map:
@@ -181,6 +195,7 @@ openproject:
   useTmpVolumes: true
   tmpVolumesAnnotations:
     {{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
+  extraEnvVarsSecret: {{ .Values.existingSecrets.openproject.environment | quote }}
 
 serviceAccount:
   annotations:
@@ -224,6 +239,10 @@ s3:
   auth:
     accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
     secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
+    existingSecret: {{ .Values.existingSecrets.objectstores.openproject.name | quote }}
+    secretKeys:
+      accessKeyId: {{ .Values.existingSecrets.objectstores.openproject.accessKeyId | quote }}
+      secretAccessKey: {{ .Values.existingSecrets.objectstores.openproject.secretAccessKey | quote }}
 
 seederJob:
   annotations:

helmfile/apps/services-external/values-cassandra.yaml.gotmpl

@@ -20,7 +20,10 @@ containerSecurityContext:
 dbUser:
   user: "root"
   password: {{ .Values.secrets.cassandra.rootPassword | quote }}
-
+  existingSecret:
+    name: {{ .Values.existingSecrets.cassandra.existingSecret.name | quote }}
+    keyMapping:
+      cassandra-password: {{ .Values.existingSecrets.cassandra.existingSecret.passwordKey | quote }}
 global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -35,6 +38,7 @@ ingress:
   annotations:
     {{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
 
+{{- if not .Values.existingSecrets.cassandra.initDBSecret }}
 initDB:
   initUserData.cql: >
     CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -45,6 +49,9 @@ initDB:
     CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
     ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
     GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+{{- end }}
+
+initDBSecret: {{ .Values.existingSecrets.cassandra.initDBSecret | quote }}
 
 # Will print a warning if unset but is automatically calculated:
 jvm:

helmfile/apps/services-external/values-mariadb.yaml.gotmpl

@@ -53,6 +53,7 @@ job:
       password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
       connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
+  usersExistingSecret: {{ .Values.existingSecrets.mariadb.users | quote }}
   databases:
     # OX uses root user and auto automanages the database, we add a dummy user and create a dummy/empty database.
     - name: "openxchange_dummy"
@@ -66,10 +67,14 @@ job:
     - name: {{ .Values.databases.xwiki.name | quote }}
       user: "xwiki_user"
 {{ end }}
+  databasesExistingSecret: {{ .Values.existingSecrets.mariadb.databases | quote }}
 
 mariadb:
   rootPassword:
     value: {{ .Values.secrets.mariadb.rootPassword | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.mariadb.rootPassword.name | quote }}
+      key: {{ .Values.existingSecrets.mariadb.rootPassword.key | quote }}
 
 persistence:
   size: {{ .Values.persistence.storages.mariadb.size | quote }}

helmfile/apps/services-external/values-minio.yaml.gotmpl

@@ -19,6 +19,9 @@ apiIngress:
 
 auth:
   rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+  existingSecret: {{ .Values.existingSecrets.minio.existingSecret | quote }}
+  rootUserSecretKey: {{ .Values.existingSecrets.minio.rootUserSecretKey | quote }}
+  rootPasswordSecretKey: {{ .Values.existingSecrets.minio.rootPasswordSecretKey | quote }}
 
 commonAnnotations:
   {{ .Values.annotations.servicesExternalMinio.common | toYaml | nindent 2 }}
@@ -222,6 +225,7 @@ provisioning:
           actions:
             - "s3:*"
     {{- end }}
+  {{- if not .Values.existingSecrets.minio.usersExistingSecrets }}
   users:
     - username: {{ .Values.objectstores.migrations.username | quote }}
       password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -267,6 +271,9 @@ provisioning:
         - "dovecot-bucket-policy"
       setPolicies: true
     {{- end }}
+  {{- else }}
+  usersExistingSecrets: {{ .Values.existingSecrets.minio.usersExistingSecrets }}
+  {{- end }}
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -66,8 +66,14 @@ postfix:
     authentication:
       username:
         value: {{ .Values.smtp.username }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.smtp.username.name | quote }}
+          key: {{ .Values.existingSecrets.smtp.username.key | quote }}
       password:
         value: {{ .Values.smtp.password }}
+        existingSecret:
+          name: {{ .Values.existingSecrets.smtp.password.name | quote }}
+          key: {{ .Values.existingSecrets.smtp.password.key | quote }}
   smtpSASLAuthEnable: "yes"
   {{- end }}
   # Warning: This setting allows unauthenticated mail relay from relayNets!
@@ -88,8 +94,14 @@ postfix:
     enabled: true
     username:
       value: "opendesk-system"
+      existingSecret:
+        name: {{ .Values.existingSecrets.postfix.opendeskSystem.username.name | quote }}
+        key: {{ .Values.existingSecrets.postfix.opendeskSystem.username.key | quote }}
     password:
       value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      existingSecret:
+        name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
+        key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
 
   {{- if .Values.antivirus.milter.host }}
   smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"

helmfile/apps/services-external/values-postgresql.yaml.gotmpl

@@ -80,6 +80,7 @@ job:
       password: {{ .Values.secrets.postgresql.xwikiUser | quote }}
       connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
+  usersExistingSecret: {{ .Values.existingSecrets.postgresql.users | quote }}
   databases:
     - name: {{ .Values.databases.keycloak.name | quote }}
       user: {{ .Values.databases.keycloak.username | quote }}
@@ -107,6 +108,7 @@ job:
       user: {{ .Values.databases.xwiki.username | quote }}
       additionalParams: "ENCODING 'UNICODE' template=template0"
 {{ end }}
+  databasesExistingSecret: {{ .Values.existingSecrets.postgresql.databases | quote }}
 
 persistence:
   size: {{ .Values.persistence.storages.postgresql.size | quote }}
@@ -123,7 +125,11 @@ podAnnotations:
 
 postgres:
   user: "postgres"
-  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
+  password:
+    value: {{ .Values.secrets.postgresql.postgresUser | quote }}
+    existingSecret:
+      name: {{ .Values.existingSecrets.postgresql.rootPassword.name | quote }}
+      key: {{ .Values.existingSecrets.postgresql.rootPassword.key | quote }}
 
 resources:
   {{ .Values.resources.postgresql | toYaml | nindent 2 }}

helmfile/apps/services-external/values-redis.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -6,6 +6,8 @@ architecture: "standalone"
 
 auth:
   password: {{ .Values.secrets.redis.password | quote }}
+  existingSecret: {{ .Values.existingSecrets.redis.existingSecret | quote }}
+  existingSecretPasswordKey: {{ .Values.existingSecrets.redis.existingSecretPasswordKey | quote }}
 
 commonAnnotations:
   {{ .Values.annotations.servicesExternalRedis.common | toYaml | nindent 2 }}

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -20,13 +20,19 @@ imagePullSecrets:
   {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 
 javaOpts:
-  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
-  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
-  {{- end }}
   {{- if .Values.certificate.selfSigned }}
   - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
   - "-Djavax.net.ssl.trustStoreType=jks"
-  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+  {{- end }}
+
+javaOptsSecrets:
+  {{- if .Values.certificate.selfSigned }}
+  trustStorePassword:
+    option: "-Djavax.net.ssl.trustStorePassword="
+    value: {{ .Values.secrets.certificates.password }}
+    secret:
+      name: {{ .Values.existingSecrets.certificates.password.name | quote }}
+      key: {{ .Values.existingSecrets.certificates.password.key | quote }}
   {{- end }}
 
 externalDB:
@@ -39,7 +45,13 @@ externalDB:
   user: {{ .Values.databases.xwiki.username | quote }}
   host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
   customKeyRef:
+    {{- if .Values.existingSecrets.databases.xwiki.password.name }}
+    enabled: true
+    name: {{ .Values.existingSecrets.databases.xwiki.password.name | quote }}
+    key: {{ .Values.existingSecrets.databases.xwiki.password.key | quote }}
+    {{- else }}
     enabled: false
+    {{- end }}
 
 securityContext:
   enabled: true
@@ -70,16 +82,11 @@ customConfigs:
     xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
     ## Enable the synchronization of the LDAP profile picture
     xwiki.authentication.ldap.update_photo: 1
-    {{ if .Values.debug.enabled }}
-    ## Password of "superadmin" user, disables account if not password is set
-    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-    {{ end }}
     ## LDAP Server configuration
     xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
-    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
     xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
     ## Allow short update cycles of the LDAP group cache
@@ -99,7 +106,6 @@ customConfigs:
     oidc.logoutMechanism: "rpInitiated"
     oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
     oidc.scope: "openid,opendesk-xwiki-scope"
-    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     oidc.skipped: false
     oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
     oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
@@ -111,12 +117,38 @@ customConfigs:
     url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     openoffice.serverType: "0"
     openoffice.autoStart: "false"
     openoffice.homePath: "/tmp"
     notifications.emails.live.graceTime: "5"
 
+customConfigsSecrets:
+  xwiki.cfg:
+    {{ if .Values.debug.enabled }}
+    ## Password of "superadmin" user, disables account if not password is set
+    xwiki.superadminpassword:
+      value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
+        key: {{ .Values.existingSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
+    {{ end }}
+    xwiki.authentication.ldap.bind_pass:
+      value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.nubus.ldapSearch.xwiki.name | quote }}
+        key: {{ .Values.existingSecrets.nubus.ldapSearch.xwiki.key | quote }}
+  xwiki.properties:
+    oidc.secret:
+      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.keycloak.clientSecret.xwiki.name | quote }}
+        key: {{ .Values.existingSecrets.keycloak.clientSecret.xwiki.key | quote }}
+    workplaceServices.portalSecret:
+      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+      secret:
+        name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
+        key: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
+
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   className: {{ .Values.ingress.ingressClassName | quote }}
@@ -218,6 +250,14 @@ properties:
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
     "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "Wissen - $!tdoc.displayTitle - {{ .Values.theme.texts.productName }}"
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
+  "licenses": "{{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
+  {{- end }}
+
+## Properties listed in the secret file will overwrite plain values
+propertiesSecret:
+  name: {{ .Values.existingSecrets.xwiki.propertiesSecret.name | quote }}
+  key: {{ .Values.existingSecrets.xwiki.propertiesSecret.key | quote }}
 
 cluster:
   replicas: {{ .Values.replicas.xwiki }}

helmfile/environments/default/charts.yaml.gotmpl

@@ -535,6 +535,6 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.4.4"
+    version: "1.5.4"
     verify: false
 ...

helmfile/environments/default/existing_secrets.yaml.gotmpl

@@ -0,0 +1,273 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+existingSecrets:
+  ai:
+    apiKey:
+      name: ~
+      key: ~
+  cache:
+    intercom:
+      password:
+        name: ~
+        key: ~
+    nextcloud:
+      username:
+        name: ~
+        key: ~
+      password:
+        name: ~
+        key: ~
+  cassandra:
+    initDBSecret: ~
+    existingSecret:
+      name: ~
+      passwordKey: ~
+  centralnavigation:
+    apiKey:
+      name: ~
+      key: ~
+  certificates:
+    password:
+      name: ~
+      key: ~
+  collabora:
+    existingSecret:
+      name: ~
+      passwordKey: ~
+      usernameKey: ~
+  databases:
+    keycloak:
+      password:
+        name: ~
+        key: ~
+    keycloakExtension:
+      password:
+        name: ~
+        key: ~
+    nextcloud:
+      password:
+        name: ~
+        key: ~
+      username:
+        name: ~
+        key: ~
+    notes:
+      password:
+        name: ~
+        key: ~
+      user:
+        name: ~
+        key: ~
+    openproject:
+      name: ~
+      adminPasswordKey: ~
+      userPasswordKey: ~
+    umsGuardianManagementApi:
+      password:
+        name: ~
+        key: ~
+    xwiki:
+      password:
+        name:  ~
+        key: ~
+  dovecot:
+    doveadm:
+      name: ~
+      key: ~
+    aclUser:
+      name: ~
+      key: ~
+    dictmapUser:
+      name: ~
+      key: ~
+    objectStorage:
+      encryption:
+        privateKey:
+          name: ~
+          key: ~
+        publicKey:
+          name: ~
+          key: ~
+  functional:
+    authentication:
+      clients:
+        name: ~
+        key: ~
+      ssoFederation:
+        name: ~
+        key: ~
+  keycloak:
+    adminSecret:
+      name: ~
+    adminPassword:
+      name: ~
+      key: ~
+    clientSecret:
+      dovecot:
+        name: ~
+        key: ~
+      guardian:
+        name: ~
+        key: ~
+      intercom:
+        name: ~
+        key: ~
+      nextcloudOidc:
+        name: ~
+        key: ~
+      notes:
+        name: ~
+        key: ~
+      openproject:
+        name: ~
+        key: ~
+        identifier: ~
+      xwiki:
+        name: ~
+        key: ~
+    clients:
+      name: ~
+      key: ~
+  mariadb:
+    rootPassword:
+      name: ~
+      key: ~
+    databases: ~
+    users: ~
+  minio:
+    existingSecret: ~
+    rootUserSecretKey: ~
+    rootPasswordSecretKey: ~
+    usersExistingSecrets: []
+  nextcloud:
+    admin:
+      password:
+        name: ~
+        key: ~
+      username:
+        name: ~
+        key: ~
+    metricsToken:
+      name: ~
+      key: ~
+  notes:
+    collaborationSecret:
+      name: ~
+      key: ~
+    django:
+      secretKey:
+        name: ~
+        key: ~
+      superuserEmail:
+        name: ~
+        key: ~
+      superuserPassword:
+        name: ~
+        key: ~
+    redisUrl:
+      name: ~
+      key: ~
+  nubus:
+    ics:
+      session:
+        name: ~
+        key: ~
+      synapseAsToken:
+        name: ~
+        key: ~
+    ldapSearch:
+      dovecot:
+        name: ~
+        key: ~
+      keycloak:
+        name: ~
+      nextcloud:
+        name: ~
+        key: ~
+      xwiki:
+        name: ~
+        key: ~
+  objectstores:
+    dovecotUser:
+      name: ~
+      key: ~
+    nextcloud:
+      accessKey:
+        name: ~
+        key: ~
+      secretKey:
+        name: ~
+        key: ~
+    notes:
+      s3AccessKeyId:
+        name: ~
+        key: ~
+      s3SecretAccessKey:
+        name: ~
+        key: ~
+    nubus:
+      accessKey:
+        name: ~
+        key: ~
+      secretKey:
+        name: ~
+        key: ~
+    openproject:
+      name: ~
+      accessKeyId: ~
+      secretAccessKey: ~
+  openproject:
+    adminUserPassword:
+      name: ~
+      key: ~
+    apiAdmin:
+      password:
+        name: ~
+        key: ~
+      username:
+        name: ~
+        key: ~
+    environment: ~
+  openxchangeConnector:
+    provisioningApiPassword:
+      name: ~
+      key: ~
+  oxAppSuite:
+    migrationsMasterPassword:
+      name: ~
+      key: ~
+  postgresql:
+    rootPassword:
+      name: ~
+      key: ~
+    databases: ~
+    users: ~
+  postfix:
+    opendeskSystem:
+      password:
+        name: ~
+        key: ~
+      username:
+        name: ~
+        key: ~
+  redis:
+    existingSecret: ~
+    existingSecretPasswordKey: ~
+  smtp:
+    username:
+      name: ~
+      key: ~
+    password:
+      name: ~
+      key: ~
+  xwiki:
+    xwikiSuperadminpassword:
+      name: ~
+      key: ~
+    propertiesSecret:
+      name: ~
+      key: ~
+...

helmfile/environments/default/functional.yaml.gotmpl

@@ -22,11 +22,11 @@ functional:
         - "Domain Admins"
     oidc:
       # Define additional/custom OIDC clients to be created in the 'opendesk' realm within Keycloak.
-      clients: ~
+      clients: {}
       # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
-      clientScopes: ~
-    # Global settings of the 'opendesk' realm within Keycloak. The values are used to set Keycloak's realm attributes
-    # of the same name and are applied by `opendesk-keycloak-bootstrap`.
+      clientScopes: {}
+    # Configure global settings of the 'opendesk' realm within Keycloak. The values are directly
+    # passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart.
     # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
     # Note: Global settings can potentially be overridden on a client level.
     # Note: All numeric "Lifespan" values are defined in seconds.
@@ -75,12 +75,12 @@ functional:
       # Enabling SSO federation requires an upstream IdP specific configuration in `idpDetails` below.
       enabled: false
       # When enforcing the federated login all users are immediately redirected to the federated IdP when a login
-      # is requested or required.
-      enforceFederatedLogin: false
-      # Name of the SSO federation, if you do not enforce the login the name is shown as a login option the user can select
+      # is requested or required. This has to be the exact key like configured in the 'idpDetails' dictionary.
+      enforceFederatedLogin: ""
+      # A dictionary with configured IdPs containing:
+      # 1. Name of the SSO federation, if you do not enforce the login the name is shown as a login option the user can select
       # within the openDesk login dialog.
-      name: "My upstream IdP"
-      # Configuration details for your upstream IdP, when you configured them manually in the Keycloak UI e.g. for
+      # 2. Configuration details underneath 'idpDetails' for your upstream IdP, when you configured them manually in the Keycloak UI e.g. for
       # testing the setup, you can get them from a Keycloak realm export in the `identityProviders` list.
       # Notes:
       # - You have to convert the configuration into YAML to apply it below.
@@ -90,8 +90,54 @@ functional:
       #  - `alias`
       #  - `firstBrokerLoginFlowAlias`
       #  - `internalId`
-      idpDetails: {}
-
+      # Example:
+      # myUpstreamIdP:
+      #   name: "My upstream IdP"
+      #   idpDetails:
+      #     providerId: "oidc"
+      #     enabled: true
+      #     updateProfileFirstLoginMode: 'on'
+      #     trustEmail: true
+      #     storeToken: true
+      #     addReadTokenRoleOnCreate: false
+      #     authenticateByDefault: false
+      #     linkOnly: false
+      #     config:
+      #       userInfoUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/userinfo
+      #       validateSignature: 'true'
+      #       clientId: "yourSecretValueHere"
+      #       clientSecret: "yourSecretValueHere"
+      #       tokenUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/token
+      #       jwksUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/certs
+      #       issuer: https://id.yourDomainHere/realms/opendesk
+      #       useJwksUrl: 'true'
+      #       metadataDescriptorUrl: https://id.yourDomainHere/realms/opendesk/.well-known/openid-configuration
+      #       pkceEnabled: 'false'
+      #       authorizationUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/auth
+      #       clientAuthMethod: client_secret_post
+      #       logoutUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/logout
+      #       syncMode: LEGACY
+      #       guiOrder: ''
+      #       clientAssertionSigningAlg: ''
+      #       loginHint: 'false'
+      #       passMaxAge: 'false'
+      #       uiLocales: 'false'
+      #       backchannelSupported: 'true'
+      #       sendIdTokenOnLogout: 'true'
+      #       sendClientIdOnLogout: 'false'
+      #       disableUserInfo: 'false'
+      #       disableNonce: 'false'
+      #       defaultScope: ''
+      #       prompt: ''
+      #       acceptsPromptNoneForwardFromClient: 'false'
+      #       allowedClockSkew: 0
+      #       forwardParameters: ''
+      #       isAccessTokenJWT: 'false'
+      #       hideOnLoginPage: 'false'
+      #       filteredByClaim: 'false'
+      #       caseSensitiveOriginalUsername: 'true'
+      #     postBrokerLoginFlowAlias: ''
+      idpDict: {}
   chat:
     matrix:
       profile: