fix(nubus): remove unnecessary memcached username

fix(nubus): Ensure that a memcached secret is created so that the pod can start although no memcached credentials are required at runtime
feat(nubus): keycloak creates secret itself / no extra secret needed now
2025-12-06 07:21:36 +01:00 · 2025-10-27 16:56:51 +01:00 · 2025-10-27 16:56:51 +01:00 · 2025-10-27 16:56:51 +01:00 · 2025-10-27 16:56:51 +01:00
1 changed files with 4 additions and 41 deletions
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -183,20 +183,12 @@ keycloak:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}
    # NOTE: The subchart "keycloak" does not yet support
    # "global.imagePullPolicy". The local configuration can be removed once it
    # does have this feature.
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  ingress:
    enabled: false
  keycloak:
    auth:
      username: "kcadmin"
-      # TODO: Pending secrets refactoring to be able to provide the value directly
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
      existingSecret:
        name: "ums-opendesk-keycloak-credentials"
        keyMapping:
          adminPassword: "admin_password"
    login:
      messages:
        de:
@@ -444,12 +436,6 @@ nubusKeycloakExtensions:
  keycloak:
    auth:
      username: "kcadmin"
      # TODO: Pending secrets refactoring in component chart. This will refer to
      # the secret generated by the keycloak subchart.
      existingSecret:
        name: "ums-opendesk-keycloak-credentials"
        keyMapping:
          adminPassword: "admin_password"
  proxy:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
@@ -457,13 +443,6 @@ nubusKeycloakExtensions:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
      tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
      # NOTE: The subchart "keycloak-extensions" does not yet support
      # "global.imagePullPolicy".
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    # NOTE: Remove once the keycloak-extensions subchart respects
    # "global.imagePullSecrets".
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    ingress:
      annotations:
        nginx.org/proxy-buffer-size: "8k"
@@ -559,13 +538,6 @@ nubusKeycloakExtensions:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
      tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
      # NOTE: The subchart "keycloak-extensions" does not yet support
      # "global.imagePullPolicy".
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    # NOTE: Remove once the keycloak-extensions subchart respects
    # "global.imagePullSecrets".
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
      {{- with .Values.annotations.nubusKeycloakExtensions.handlerPod }}
@@ -1260,8 +1232,6 @@ nubusStackDataUms:
  # the default username of `selfservice` is part of the customizing:
  nubusUmcServer:
    memcached:
      auth:
        username: ""
      connection:
        host: {{ .Values.cache.umsSelfservice.host | quote }}
    postgresql:
@@ -1456,7 +1426,9 @@ nubusUmcServer:
    bundled: false
    server: {{ .Values.cache.umsSelfservice.host | quote }}
    auth:
-      password: ""
+      # The memcached connection is not authenticated in openDesk but the umc-server pod needs a secret it can mount.
      password: "stub-value"
      existingSecret: null
  podAnnotations:
    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
  # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
@@ -1596,15 +1568,9 @@ nubusKeycloakBootstrap:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
    # NOTE: The subchart does not yet fully support
    # "global.imagePullPolicy". This can be removed once the subchart has
    # been adjusted.
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  keycloak:
    auth:
      username: "kcadmin"
      existingSecret:
        name: "ums-opendesk-keycloak-credentials"
  ldap:
    auth:
      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
@@ -1639,9 +1605,6 @@ extraSecrets:
  - name: "ums-opendesk-guardian-client-secret"
    stringData:
      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
  - name: "ums-opendesk-keycloak-credentials"
    stringData:
      admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
  - name: "ums-keycloak-postgresql-opendesk-credentials"
    stringData:
      keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
Author	SHA1	Message	Date
Dimitri Papoutsis	476bb41c57	fix(nubus): remove unnecessary memcached username	2025-10-27 16:56:51 +01:00
Johannes Lohmer	f26ef61935	fix(nubus): Ensure that a memcached secret is created so that the pod can start although no memcached credentials are required at runtime	2025-10-27 16:56:51 +01:00
Dimitri Papoutsis	063a06ea3e	feat(nubus): keycloak creates secret itself / no extra secret needed now	2025-10-27 16:56:51 +01:00
Dimitri Papoutsis	a2db8bb486	fix(nubus): remove local image pull policy and secret since keycloak-extensions support global ones	2025-10-27 16:56:51 +01:00