chore(misc): Add standard python script guard to charts-local.py

This adds a `if __name__ == "__main__"` guard to the charts-local.py script. The guard should always be used to make it obvious to developers that this is the entrypoint of the script and to prevent accidental side effects when handling the script as a python module in any way (e.g. during interactive debugging).
chore(misc): Add PEP723 inline script metadata to charts-local.py
2025-12-06 15:31:38 +01:00 · 2025-12-03 10:32:43 +01:00 · 2025-12-03 10:32:43 +01:00
3 changed files with 67 additions and 239 deletions
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -1,6 +1,14 @@
 #!/usr/bin/env python3
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 # /// script
 # requires-python = ">=3.12"
 # dependencies = [
 #     "configargparse",
 #     "gitpython",
 #     "pyyaml",
 # ]
 # ///
 import os.path
 import logging
@@ -13,40 +21,6 @@ import configargparse
 from pathlib import Path
 from git import Repo
 p = configargparse.ArgParser()
 p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work with. Will be created by the script if it does not exist yet.')
 p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
 p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
 p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
 p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
 options = p.parse_args()
 script_path = os.path.dirname(os.path.realpath(__file__))
 # some static definitions
 log_path = script_path+'/../logs'
 charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml.gotmpl'
 base_repo_path = script_path+'/..'
 base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
 helmfile_backup_extension = '.bak'
 Path(log_path).mkdir(parents=True, exist_ok=True)
 logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
 rootLogger = logging.getLogger()
 rootLogger.setLevel(options.loglevel)
 fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
 fileHandler.setFormatter(logFormatter)
 rootLogger.addHandler(fileHandler)
 consoleHandler = logging.StreamHandler()
 consoleHandler.setFormatter(logFormatter)
 rootLogger.addHandler(consoleHandler)
 logging.debug(f"Working with relative paths from script location: {script_path}")
 logging.debug(f"Log directory:      {log_path}")
 logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
 def create_or_switch_branch_base_repo():
    base_repo = Repo(path=base_repo_path)
@@ -188,6 +162,45 @@ def revert_the_helmfiles():
 ##
 ## Main program
 ##
 if __name__ == "__main__":
    p = configargparse.ArgParser()
    p.add('--branch', env_var='CHART_DEV_BRANCH',
          help='The branch you want to work with. Will be created by the script if it does not exist yet.')
    p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de',
          help='Set the hostname for the chart git checkouts.')
    p.add('--revert', default=False, action='store_true',
          help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
    p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
    p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG',
          help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
    options = p.parse_args()
    script_path = os.path.dirname(os.path.realpath(__file__))
    # some static definitions
    log_path = script_path + '/../logs'
    charts_yaml = script_path + '/../helmfile/environments/default/charts.yaml.gotmpl'
    base_repo_path = script_path + '/..'
    base_helmfile = base_repo_path + '/helmfile_generic.yaml.gotmpl'
    helmfile_backup_extension = '.bak'
    Path(log_path).mkdir(parents=True, exist_ok=True)
    logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
    rootLogger = logging.getLogger()
    rootLogger.setLevel(options.loglevel)
    fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
    fileHandler.setFormatter(logFormatter)
    rootLogger.addHandler(fileHandler)
    consoleHandler = logging.StreamHandler()
    consoleHandler.setFormatter(logFormatter)
    rootLogger.addHandler(consoleHandler)
    logging.debug(f"Working with relative paths from script location: {script_path}")
    logging.debug(f"Log directory:      {log_path}")
    logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
    if options.revert:
        revert_the_helmfiles()
    else:
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -26,186 +26,14 @@ There are two options to address these use case:
 This option is useful when you have your own PKI in your environment which is also trusted by all clients that should
 access openDesk.
-To help others with this section, we document the certificate creation, so
+1. Disable cert-manager.io certificate resource creation:
 please ensure that `openssl` is installed on your system.
 1. Create the Certificate Authority (CA) private key:
    ```/bin/bash
    $ openssl genrsa -aes256 -out ca-private_key.pem 2048
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    ```
 2. Create the public certficiate for the Certificate Authority (CA):
    ```/bin/bash
    $ openssl req -x509 -new -nodes -extensions v3_ca -key ca-private_key.pem -days 1024 -out ca-cert.crt -sha512
    Enter pass phrase for ca-private_key.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:
    ```
 3. Generate the Java keystore (JKS) file `truststore.jks` with the CA certficiate (requires the Java SDK):
    ```/bin/bash
    $ export TRUSTSTORE_PASSWORD="passwordForTruststore.jks"
    $ keytool -import -file ca-cert.crt -keystore truststore.jks -storepass "$TRUSTSTORE_PASSWORD"
    Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
    Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
    Serial number: ccb2fc7257ebb602de0b74394cb1c009806f706
    Valid from: Wed Dec 03 16:31:39 UTC 2025 until: Fri Sep 22 16:31:39 UTC 2028
    Certificate fingerprints:
             SHA1: AE:6F:55:AA:45:B4:A2:E1:E2:96:18:CF:FC:C0:5D:4B:56:0E:C4:26
             SHA256: 95:C0:0E:44:B7:92:86:B7:D9:74:F4:4C:64:81:BA:E2:BE:75:90:03:56:0F:5F:9D:B5:85:A1:4C:82:54:19:8E
    Signature algorithm name: SHA512withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    Extensions: 
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
    0010: 9A E8 C0 DD                                        ....
    ]
    ]
    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen: no limit
    ]
    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
    0010: 9A E8 C0 DD                                        ....
    ]
    ]
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    ```
 4. Generate the private key and certificate request for the OpenDesk certificate (assuming a wildcard domain: '.opendesk-test.example.com'), use supply [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
 as SANs (Subject Alternative Name):
    ```/bin/bash
    $ openssl req -newkey rsa:2048 -nodes -keyout opendesk-cert-key.key -out opendesk-cert-request.csr -subj "/C=DE/O=OpenDesk Test/CN=opendesk-test.example.com" -addext "subjectAltName = DNS:opendesk-test.example.com,DNS:*.opendesk-test.example.com"
    ....+...+..+.+.....+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+...............+.....+.......+..+......+....+......+.....+.........+.......+.....+....+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......................+..+.+......+...+........+...+.+..............................+.....+...+...+....+......+...............+.....+...+......+...+.+..+.........+.............+.....+...+.......+......+......+.....+....+..+...+.......+..............+...............+.+..+.......+...+..+.........+.+........+.+....................+..........+..+....+.....+.+.....+.......+...+........+................+...+..+...+..........+......+......+...+..+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    .........+.......+..+................+..+..........+...+..+...+.+...+..+....+............+.....+.........+.+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+..+...+.............+..+.......+............+...+...........+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+.....+..........+........+...+................+........+.+.....+......+.........+......+.+..+.......+.....+....+...........+....+......+...+......+...............+..+...+.+.....+.........+.+.........+..+...+....+..+..........+.....+....+............+..+...+............+.+......+...+........+....+.....+.+.........+.....+...+.+..+.........+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    -----
    ```
 5. Sign the `opendesk-cert-request.csr` with the CA certficiate:
    ```/bin/bash
    $ openssl x509 -req -in opendesk-cert-request.csr -days 365 -CA ca-cert.crt -CAkey ca-private_key.pem -CAcreateserial -out opendesk-cert.crt -copy_extensions copy
    Certificate request self-signature ok
    subject=C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
    Enter pass phrase for ca-private_key.pem:
    ```
 6. Control the certificate (X509v3 Subject Alternative Name must be given for the wildcard DNS):
  ```/bin/bash
  $ openssl x509 -in opendesk-cert.crt -noout -text
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              15:be:c5:3b:f9:87:e2:89:3c:17:da:78:5f:ae:0e:4e:dc:b9:86:47
          Signature Algorithm: sha256WithRSAEncryption
          Issuer: C = DE, ST = Some-State, O = Test Organization Name
          Validity
              Not Before: Dec  4 08:17:17 2025 GMT
              Not After : Dec  4 08:17:17 2026 GMT
          Subject: C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (2048 bit)
                  Modulus:
                      00:86:68:e3:5b:d1:fd:3c:44:01:08:99:0c:82:0c:
                      53:50:0c:4a:b2:59:30:ae:a2:6b:b0:a4:33:1b:e1:
                      39:d1:8c:71:8a:a0:60:c4:26:2c:1a:74:66:6d:77:
                      4e:1d:4f:0a:c2:c7:83:ac:20:09:eb:f2:ee:b1:19:
                      85:71:6c:f6:dc:4a:ef:d9:87:10:db:ff:b6:0b:ce:
                      6a:3a:c9:aa:08:9b:a0:b1:6d:d5:db:41:e3:58:98:
                      87:78:51:ff:2c:6b:19:e6:f2:7d:a3:91:5a:e6:fd:
                      08:f9:e5:be:19:1d:74:2c:1c:ee:1e:3a:39:3c:6a:
                      31:40:f2:7b:e3:ad:a8:f5:1a:fd:92:8e:c4:f6:89:
                      1b:e2:d4:e3:dc:f5:bc:3e:85:6e:08:3a:20:73:61:
                      96:4a:85:70:93:e9:17:a5:8e:78:54:34:26:83:a9:
                      44:17:7f:5d:49:19:ee:e0:ce:73:b5:c6:0d:4c:19:
                      7b:33:78:41:8b:80:2f:4b:bf:1d:70:77:fc:21:90:
                      6f:bd:ec:1e:12:38:a2:56:42:b8:c0:c9:b3:0c:be:
                      b7:9a:fb:82:38:c8:0c:aa:6c:3e:84:f7:82:cf:1d:
                      c5:9f:79:01:75:50:58:3d:92:22:e1:0c:9e:b4:7a:
                      45:76:ec:98:69:2a:fe:ed:89:44:6e:b2:ba:6c:2b:
                      2a:b7
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Subject Alternative Name: 
                  DNS:opendesk-test.example.com, DNS:*.opendesk-test.example.com
              X509v3 Subject Key Identifier: 
                  3B:8F:7B:9F:A8:4B:10:72:7E:AC:1D:0A:24:51:5E:42:E7:C1:BB:AA
              X509v3 Authority Key Identifier: 
                  32:C0:EB:DE:3F:05:1A:7F:88:0D:49:05:A7:E1:56:28:CF:90:E0:E2
      Signature Algorithm: sha256WithRSAEncryption
      Signature Value:
          98:48:ec:04:0a:53:c5:25:66:ff:1c:bd:ab:09:a2:9f:c3:ba:
          d8:d8:c9:d8:47:dd:d6:08:70:5d:6b:0c:e4:2b:cd:ef:2f:06:
          6c:5c:09:58:c1:72:df:d1:13:e3:c4:6e:9a:6a:cf:b4:cc:4a:
          58:35:26:28:cb:b6:1f:f8:fa:e9:07:1a:0d:ba:01:1f:08:ac:
          65:08:e7:23:25:42:f6:66:6e:11:a0:ef:73:c3:8b:dd:69:2e:
          47:bf:59:c8:c1:6c:05:31:be:82:81:9d:be:f2:b3:61:a4:af:
          a1:79:24:6a:26:1f:54:81:a0:eb:b0:ee:e3:7b:a2:2f:e7:74:
          6e:71:cd:76:5d:65:18:14:6b:da:79:5c:3a:11:ec:11:95:6e:
          ec:62:1f:77:7c:e6:7b:cb:d7:dd:46:8b:40:30:7c:2d:20:55:
          99:25:05:05:37:b9:ff:06:1b:23:b2:58:88:ac:e5:75:06:a0:
          73:72:50:d0:4e:bd:52:ab:3c:56:c2:1a:3d:5e:b5:ac:1c:d1:
          f3:fb:29:e3:f5:bd:74:05:72:fc:b0:74:54:3c:67:45:19:76:
          29:3c:3c:5a:57:9f:bd:8c:58:ff:9c:f3:08:99:1d:86:0a:59:
          be:77:5d:b2:a4:6a:6e:d8:6d:fa:7e:cc:d1:99:6e:d3:19:9a:
          84:b8:24:98
  ```
  You can now use the `truststore.jks`, `opendesk-cert.crt`, `opendesk-cert-key.key` and `ca-cert.crt` for the secrets.
 7. Import the certificates into the Kubernetes cluster through kubernetes secrets:
  ```/bin/bash
  $ export KUBERNETES_NAMESAPCE="dev"
  $ kubectl config set-context --current --namespace="$KUBERNETES_NAMESAPCE"
  Context "default" modified.
  # Generate the TLS secret
  $ kubectl create secret tls opendesk-certificates-tls --key opendesk-cert-key.key --cert opendesk-cert.crt
  secret/opendesk-certificates-tls created
  # Generate the CA secret
  $ kubectl create secret generic opendesk-certificates-ca-tls --from-file=ca.crt=ca-cert.crt --from-file truststore.jks
  secret/opendesk-certificates-ca-tls created
  ```
 8. Disable cert-manager.io certificate resource creation:
    ```yaml
    certificates:
      enabled: false
    ```
-9. Enable mount of self-signed certificates:
+2. Enable mount of self-signed certificates:
    ```yaml
    certificate:
@@ -214,20 +42,19 @@ as SANs (Subject Alternative Name):
        create: false
    ```
-10. Save the password for the generated JKS trust store (`truststore.jks`):
+3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
 wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
 set as SANs (Subject Alternative Name).
-    ```yaml
+4. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
-    secrets:
+CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
-      certificates:
+
-        # The password from $TRUSTSTORE_PASSWORD
+5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
-        password: "passwordForTruststore.jks"
+trust store password.
    ```
 > [!note]
-> If your OpenDesk applications access services from the internet, you have to append the relevant CA certificates
+> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the
-> to the `ca.crt`certificate. You can use the file `/etc/ssl/certs/ca-certificates.crt` from Debian distro. The CA certificate
+> password from step 5 also as `secrets.certificates.password`.
 > (`ca.crt`) can contain multiple certificates but keep in mind, that the `truststore.jks` must be updated as well.
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -4,12 +4,6 @@
 additionalAnnotations:
  {{ .Values.annotations.nubus.additional | toYaml | nindent 2 }}
 # -- Disable the cert-manager resources from the Helm chart if certificates are deactivated
 {{- if not .Values.apps.certificates.enabled }}
 certificates:
  enabled: False
 {{- end }}
 global:
  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
  domain: {{ .Values.global.domain | quote }}
@@ -1527,12 +1521,6 @@ nubusUmcServer:
  smtp:
    auth:
      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
 {{- if .Values.certificate.selfSigned }}
  extraVolumes:
    - name: "certificates"
      secret:
        secretName: "opendesk-certificates-tls"
 {{- end }}
 nubusUmcGateway:
  containerSecurityContext: