feat(nubus): Add self-signed certificate from secret

.gitlab-ci.yml

@@ -767,17 +767,33 @@ import-default-accounts:
     - "echo \"Starting default account import for ${DOMAIN}\""
     - "cd /app"
     - |
-      ./user_import_udm_rest_api.py \
-        --import_domain ${DOMAIN} \
-        --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
-        --set_default_password ${DEFAULT_ACCOUNTS_PASSWORD} \
-        --import_filename ./template.ods \
-        --admin_enable_fileshare True \
-        --admin_enable_knowledgemanagement True \
-        --admin_enable_projectmanagement True \
-        --create_admin_accounts True \
-        --create_maildomains True \
-        --verify_certificate False
+      set +e
+      success=0
+      for i in {1..5}; do
+        echo "Attempt $i/5..."
+        ./user_import_udm_rest_api.py \
+          --import_domain ${DOMAIN} \
+          --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
+          --set_default_password ${DEFAULT_ACCOUNTS_PASSWORD} \
+          --import_filename ./template.ods \
+          --admin_enable_fileshare True \
+          --admin_enable_knowledgemanagement True \
+          --admin_enable_projectmanagement True \
+          --create_admin_accounts True \
+          --create_maildomains True \
+          --verify_certificate False
+        if [ $? -eq 0 ]; then
+          echo "Script succeeded on attempt $i."
+          success=1
+          break
+        fi
+        echo "Script failed. Waiting 60 seconds before retry..."
+        sleep 60
+      done
+      if [ "$success" -ne 1 ]; then
+        echo "Script failed after 5 attempts."
+        exit 1
+      fi
 
 run-tests:
   stage: "post-execute"

CHANGELOG.md

@@ -14,7 +14,7 @@
 * **open-xchange:** Template SASL security options ([684c6d4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/684c6d4f29dd447872ebe582eef43c04034896f7))
 * **open-xchange:** Update Dovecot configuration based on supplier's best practise review ([850761e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/850761e0475b2f281fb23f6972d5c74fbdaa3a61))
 * **opendesk-static-files:** [[#260](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/260)] Fix doublette creation of configmap `data` keys when the same file is referenced multiple times for a component ([b5a76be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b5a76bea57ef7b136c54d1bc95c40f0a0c3f9716))
-* **openproject:** Update from 16.1.0 to 16.1.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
+* **openproject:** Update from 16.6.0 to 16.6.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
 * **xwiki:** Update XWiki from 17.4.4 to 17.4.7 ([02a3b77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02a3b7711490394690df70ca92bab58b253e34f5))
 
 

docs/enhanced-configuration/self-signed-certificates.md

@@ -26,14 +26,186 @@ There are two options to address these use case:
 This option is useful when you have your own PKI in your environment which is also trusted by all clients that should
 access openDesk.
 
-1. Disable cert-manager.io certificate resource creation:
+To help others with this section, we document the certificate creation, so
+please ensure that `openssl` is installed on your system.
+
+1. Create the Certificate Authority (CA) private key:
+    ```/bin/bash
+    $ openssl genrsa -aes256 -out ca-private_key.pem 2048
+    Enter PEM pass phrase:
+    Verifying - Enter PEM pass phrase:
+    ```
+
+2. Create the public certficiate for the Certificate Authority (CA):
+    ```/bin/bash
+    $ openssl req -x509 -new -nodes -extensions v3_ca -key ca-private_key.pem -days 1024 -out ca-cert.crt -sha512
+    Enter pass phrase for ca-private_key.pem:
+    You are about to be asked to enter information that will be incorporated
+    into your certificate request.
+    What you are about to enter is what is called a Distinguished Name or a DN.
+    There are quite a few fields but you can leave some blank
+    For some fields there will be a default value,
+    If you enter '.', the field will be left blank.
+    -----
+    Country Name (2 letter code) [AU]:DE
+    State or Province Name (full name) [Some-State]:
+    Locality Name (eg, city) []:
+    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+    Organizational Unit Name (eg, section) []:
+    Common Name (e.g. server FQDN or YOUR name) []:
+    Email Address []:
+    ```
+
+3. Generate the Java keystore (JKS) file `truststore.jks` with the CA certficiate (requires the Java SDK):
+    ```/bin/bash
+    $ export TRUSTSTORE_PASSWORD="passwordForTruststore.jks"
+    $ keytool -import -file ca-cert.crt -keystore truststore.jks -storepass "$TRUSTSTORE_PASSWORD"
+    Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
+    Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
+    Serial number: ccb2fc7257ebb602de0b74394cb1c009806f706
+    Valid from: Wed Dec 03 16:31:39 UTC 2025 until: Fri Sep 22 16:31:39 UTC 2028
+    Certificate fingerprints:
+             SHA1: AE:6F:55:AA:45:B4:A2:E1:E2:96:18:CF:FC:C0:5D:4B:56:0E:C4:26
+             SHA256: 95:C0:0E:44:B7:92:86:B7:D9:74:F4:4C:64:81:BA:E2:BE:75:90:03:56:0F:5F:9D:B5:85:A1:4C:82:54:19:8E
+    Signature algorithm name: SHA512withRSA
+    Subject Public Key Algorithm: 2048-bit RSA key
+    Version: 3
+    
+    Extensions: 
+    
+    #1: ObjectId: 2.5.29.35 Criticality=false
+    AuthorityKeyIdentifier [
+    KeyIdentifier [
+    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
+    0010: 9A E8 C0 DD                                        ....
+    ]
+    ]
+    
+    #2: ObjectId: 2.5.29.19 Criticality=true
+    BasicConstraints:[
+      CA:true
+      PathLen: no limit
+    ]
+    
+    #3: ObjectId: 2.5.29.14 Criticality=false
+    SubjectKeyIdentifier [
+    KeyIdentifier [
+    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
+    0010: 9A E8 C0 DD                                        ....
+    ]
+    ]
+    
+    Trust this certificate? [no]:  yes
+    Certificate was added to keystore
+    ```
+
+4. Generate the private key and certificate request for the OpenDesk certificate (assuming a wildcard domain: '.opendesk-test.example.com'), use supply [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
+as SANs (Subject Alternative Name):
+    ```/bin/bash
+    $ openssl req -newkey rsa:2048 -nodes -keyout opendesk-cert-key.key -out opendesk-cert-request.csr -subj "/C=DE/O=OpenDesk Test/CN=opendesk-test.example.com" -addext "subjectAltName = DNS:opendesk-test.example.com,DNS:*.opendesk-test.example.com"
+    ....+...+..+.+.....+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+...............+.....+.......+..+......+....+......+.....+.........+.......+.....+....+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......................+..+.+......+...+........+...+.+..............................+.....+...+...+....+......+...............+.....+...+......+...+.+..+.........+.............+.....+...+.......+......+......+.....+....+..+...+.......+..............+...............+.+..+.......+...+..+.........+.+........+.+....................+..........+..+....+.....+.+.....+.......+...+........+................+...+..+...+..........+......+......+...+..+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    .........+.......+..+................+..+..........+...+..+...+.+...+..+....+............+.....+.........+.+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+..+...+.............+..+.......+............+...+...........+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+.....+..........+........+...+................+........+.+.....+......+.........+......+.+..+.......+.....+....+...........+....+......+...+......+...............+..+...+.+.....+.........+.+.........+..+...+....+..+..........+.....+....+............+..+...+............+.+......+...+........+....+.....+.+.........+.....+...+.+..+.........+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    -----
+    ```
+
+5. Sign the `opendesk-cert-request.csr` with the CA certficiate:
+    ```/bin/bash
+    $ openssl x509 -req -in opendesk-cert-request.csr -days 365 -CA ca-cert.crt -CAkey ca-private_key.pem -CAcreateserial -out opendesk-cert.crt -copy_extensions copy
+    Certificate request self-signature ok
+    subject=C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
+    Enter pass phrase for ca-private_key.pem:
+    ```
+
+6. Control the certificate (X509v3 Subject Alternative Name must be given for the wildcard DNS):
+  ```/bin/bash
+  $ openssl x509 -in opendesk-cert.crt -noout -text
+  Certificate:
+      Data:
+          Version: 3 (0x2)
+          Serial Number:
+              15:be:c5:3b:f9:87:e2:89:3c:17:da:78:5f:ae:0e:4e:dc:b9:86:47
+          Signature Algorithm: sha256WithRSAEncryption
+          Issuer: C = DE, ST = Some-State, O = Test Organization Name
+          Validity
+              Not Before: Dec  4 08:17:17 2025 GMT
+              Not After : Dec  4 08:17:17 2026 GMT
+          Subject: C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
+          Subject Public Key Info:
+              Public Key Algorithm: rsaEncryption
+                  Public-Key: (2048 bit)
+                  Modulus:
+                      00:86:68:e3:5b:d1:fd:3c:44:01:08:99:0c:82:0c:
+                      53:50:0c:4a:b2:59:30:ae:a2:6b:b0:a4:33:1b:e1:
+                      39:d1:8c:71:8a:a0:60:c4:26:2c:1a:74:66:6d:77:
+                      4e:1d:4f:0a:c2:c7:83:ac:20:09:eb:f2:ee:b1:19:
+                      85:71:6c:f6:dc:4a:ef:d9:87:10:db:ff:b6:0b:ce:
+                      6a:3a:c9:aa:08:9b:a0:b1:6d:d5:db:41:e3:58:98:
+                      87:78:51:ff:2c:6b:19:e6:f2:7d:a3:91:5a:e6:fd:
+                      08:f9:e5:be:19:1d:74:2c:1c:ee:1e:3a:39:3c:6a:
+                      31:40:f2:7b:e3:ad:a8:f5:1a:fd:92:8e:c4:f6:89:
+                      1b:e2:d4:e3:dc:f5:bc:3e:85:6e:08:3a:20:73:61:
+                      96:4a:85:70:93:e9:17:a5:8e:78:54:34:26:83:a9:
+                      44:17:7f:5d:49:19:ee:e0:ce:73:b5:c6:0d:4c:19:
+                      7b:33:78:41:8b:80:2f:4b:bf:1d:70:77:fc:21:90:
+                      6f:bd:ec:1e:12:38:a2:56:42:b8:c0:c9:b3:0c:be:
+                      b7:9a:fb:82:38:c8:0c:aa:6c:3e:84:f7:82:cf:1d:
+                      c5:9f:79:01:75:50:58:3d:92:22:e1:0c:9e:b4:7a:
+                      45:76:ec:98:69:2a:fe:ed:89:44:6e:b2:ba:6c:2b:
+                      2a:b7
+                  Exponent: 65537 (0x10001)
+          X509v3 extensions:
+              X509v3 Subject Alternative Name: 
+                  DNS:opendesk-test.example.com, DNS:*.opendesk-test.example.com
+              X509v3 Subject Key Identifier: 
+                  3B:8F:7B:9F:A8:4B:10:72:7E:AC:1D:0A:24:51:5E:42:E7:C1:BB:AA
+              X509v3 Authority Key Identifier: 
+                  32:C0:EB:DE:3F:05:1A:7F:88:0D:49:05:A7:E1:56:28:CF:90:E0:E2
+      Signature Algorithm: sha256WithRSAEncryption
+      Signature Value:
+          98:48:ec:04:0a:53:c5:25:66:ff:1c:bd:ab:09:a2:9f:c3:ba:
+          d8:d8:c9:d8:47:dd:d6:08:70:5d:6b:0c:e4:2b:cd:ef:2f:06:
+          6c:5c:09:58:c1:72:df:d1:13:e3:c4:6e:9a:6a:cf:b4:cc:4a:
+          58:35:26:28:cb:b6:1f:f8:fa:e9:07:1a:0d:ba:01:1f:08:ac:
+          65:08:e7:23:25:42:f6:66:6e:11:a0:ef:73:c3:8b:dd:69:2e:
+          47:bf:59:c8:c1:6c:05:31:be:82:81:9d:be:f2:b3:61:a4:af:
+          a1:79:24:6a:26:1f:54:81:a0:eb:b0:ee:e3:7b:a2:2f:e7:74:
+          6e:71:cd:76:5d:65:18:14:6b:da:79:5c:3a:11:ec:11:95:6e:
+          ec:62:1f:77:7c:e6:7b:cb:d7:dd:46:8b:40:30:7c:2d:20:55:
+          99:25:05:05:37:b9:ff:06:1b:23:b2:58:88:ac:e5:75:06:a0:
+          73:72:50:d0:4e:bd:52:ab:3c:56:c2:1a:3d:5e:b5:ac:1c:d1:
+          f3:fb:29:e3:f5:bd:74:05:72:fc:b0:74:54:3c:67:45:19:76:
+          29:3c:3c:5a:57:9f:bd:8c:58:ff:9c:f3:08:99:1d:86:0a:59:
+          be:77:5d:b2:a4:6a:6e:d8:6d:fa:7e:cc:d1:99:6e:d3:19:9a:
+          84:b8:24:98
+  ```
+  
+  You can now use the `truststore.jks`, `opendesk-cert.crt`, `opendesk-cert-key.key` and `ca-cert.crt` for the secrets.
+
+7. Import the certificates into the Kubernetes cluster through kubernetes secrets:
+  
+  ```/bin/bash
+  $ export KUBERNETES_NAMESAPCE="dev"
+  $ kubectl config set-context --current --namespace="$KUBERNETES_NAMESAPCE"
+  Context "default" modified.
+
+  # Generate the TLS secret
+  $ kubectl create secret tls opendesk-certificates-tls --key opendesk-cert-key.key --cert opendesk-cert.crt
+  secret/opendesk-certificates-tls created
+
+
+  # Generate the CA secret
+  $ kubectl create secret generic opendesk-certificates-ca-tls --from-file=ca.crt=ca-cert.crt --from-file truststore.jks
+  secret/opendesk-certificates-ca-tls created
+  ```
+
+8. Disable cert-manager.io certificate resource creation:
 
     ```yaml
     certificates:
       enabled: false
     ```
 
-2. Enable mount of self-signed certificates:
+9. Enable mount of self-signed certificates:
 
     ```yaml
     certificate:
@@ -42,19 +214,20 @@ access openDesk.
         create: false
     ```
 
-3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
-wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
-set as SANs (Subject Alternative Name).
+10. Save the password for the generated JKS trust store (`truststore.jks`):
 
-4. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
-CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
-
-5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
-trust store password.
+    ```yaml
+    secrets:
+      certificates:
+        # The password from $TRUSTSTORE_PASSWORD
+        password: "passwordForTruststore.jks"
+    ```
 
 > [!note]
-> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the
-> password from step 5 also as `secrets.certificates.password`.
+> If your OpenDesk applications access services from the internet, you have to append the relevant CA certificates
+> to the `ca.crt`certificate. You can use the file `/etc/ssl/certs/ca-certificates.crt` from Debian distro. The CA certificate
+> (`ca.crt`) can contain multiple certificates but keep in mind, that the `truststore.jks` must be updated as well.
+
 
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
 

docs/migrations.md

@@ -15,6 +15,7 @@ SPDX-License-Identifier: Apache-2.0
       * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
   * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
+      * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
       * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix)
       * [Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword`](#helmfile-new-secret-secretsdoveocotsharedmailboxesmasterpassword)
       * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
@@ -217,6 +218,25 @@ annotations for the external service use the newly introduced key `annotations.o
 
 ### Pre-upgrade to versions ≥ v1.10.0
 
+#### Deployment cleanup: Collabora Controller
+
+**Target group:** Existing openDesk Enterprise deployments using Collabora Controller. Actually only long running
+deployments are affected, but following the instructions won't hurt.
+
+As per upstream release notes for [Collabora Online Controller 1.1.4](https://www.collaboraonline.com/cool-controller-release-notes/)
+you have to remove the existing leases of the Controller. You can do so by setting `<your_namespace>` and executing
+the commands below.
+
+```shell
+export NAMESPACE=<your_namespace>
+export COLLABORA_CONTROLLER_DEPLOYMENT_NAME=collabora-controller-cool-controller
+kubectl -n ${NAMESPACE} scale deployment/${COLLABORA_CONTROLLER_DEPLOYMENT_NAME} --replicas=0
+kubectl -n ${NAMESPACE} delete -n collabora leases.coordination.k8s.io collabora-online
+```
+
+> [!note]
+> The Collabora Online Controller is not scaled up again, as this would happen as part of the upgrade deployment.
+
 #### Helmfile new secret: `secrets.nubus.ldapSearch.postfix`
 
 **Target group:** All existing deployments that use self-defined secrets.

docs/requirements.md

@@ -29,14 +29,14 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
-- [Helm](https://helm.sh/) >= v3.17.3, but not v3.18.0[^1]
+- [Helm](https://helm.sh/) >= v3.17.3 (but not v3.18.0[^1]) and < v4[^2],
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0
 - [HelmDiff](https://github.com/databus23/helm-diff) >= v3.11.0
-- Volume provisioner supporting RWO (read-write-once)[^2]
+- Volume provisioner supporting RWO (read-write-once)[^3]
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 
 **Additional openDesk Enterprise requirements**
-- [OpenKruise](https://openkruise.io/)[^3] >= v1.6
+- [OpenKruise](https://openkruise.io/)[^4] >= v1.6
 
 # Hardware
 
@@ -138,8 +138,11 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 
 # Footnotes
 
-[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
+[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm v3.18.0 is not supported.
 
-[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+[^2]: Helm v4 introduced stricter flag grouping that is not yet supported by the helmdiff plugin.
+
+[^3]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+
+[^4]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
 
-[^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -4,6 +4,12 @@
 additionalAnnotations:
   {{ .Values.annotations.nubus.additional | toYaml | nindent 2 }}
 
+# -- Disable the cert-manager resources from the Helm chart if certificates are deactivated
+{{- if not .Values.apps.certificates.enabled }}
+certificates:
+  enabled: False
+{{- end }}
+
 global:
   certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   domain: {{ .Values.global.domain | quote }}
@@ -1521,6 +1527,12 @@ nubusUmcServer:
   smtp:
     auth:
       password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+{{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "certificates"
+      secret:
+        secretName: "opendesk-certificates-tls"
+{{- end }}
 
 nubusUmcGateway:
   containerSecurityContext: