chore(misc): Add standard python script guard to charts-local.py

This adds a `if __name__ == "__main__"` guard to the charts-local.py script.
The guard should always be used to make it obvious to developers that this is
the entrypoint of the script and to prevent accidental side effects when handling
the script as a python module in any way (e.g. during interactive debugging).

dev/charts-local.py

@@ -1,6 +1,14 @@
 #!/usr/bin/env python3
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
+# /// script
+# requires-python = ">=3.12"
+# dependencies = [
+#     "configargparse",
+#     "gitpython",
+#     "pyyaml",
+# ]
+# ///
 
 import os.path
 import logging
@@ -13,40 +21,6 @@ import configargparse
 from pathlib import Path
 from git import Repo
 
-p = configargparse.ArgParser()
-p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work with. Will be created by the script if it does not exist yet.')
-p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
-p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
-p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
-options = p.parse_args()
-
-script_path = os.path.dirname(os.path.realpath(__file__))
-# some static definitions
-log_path = script_path+'/../logs'
-charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml.gotmpl'
-base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
-helmfile_backup_extension = '.bak'
-
-Path(log_path).mkdir(parents=True, exist_ok=True)
-
-logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
-rootLogger = logging.getLogger()
-rootLogger.setLevel(options.loglevel)
-
-fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
-fileHandler.setFormatter(logFormatter)
-rootLogger.addHandler(fileHandler)
-
-consoleHandler = logging.StreamHandler()
-consoleHandler.setFormatter(logFormatter)
-rootLogger.addHandler(consoleHandler)
-
-logging.debug(f"Working with relative paths from script location: {script_path}")
-logging.debug(f"Log directory:      {log_path}")
-logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
-
 
 def create_or_switch_branch_base_repo():
     base_repo = Repo(path=base_repo_path)
@@ -188,6 +162,45 @@ def revert_the_helmfiles():
 ##
 ## Main program
 ##
+if __name__ == "__main__":
+    p = configargparse.ArgParser()
+    p.add('--branch', env_var='CHART_DEV_BRANCH',
+          help='The branch you want to work with. Will be created by the script if it does not exist yet.')
+    p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de',
+          help='Set the hostname for the chart git checkouts.')
+    p.add('--revert', default=False, action='store_true',
+          help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
+    p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
+    p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG',
+          help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
+    options = p.parse_args()
+
+    script_path = os.path.dirname(os.path.realpath(__file__))
+    # some static definitions
+    log_path = script_path + '/../logs'
+    charts_yaml = script_path + '/../helmfile/environments/default/charts.yaml.gotmpl'
+    base_repo_path = script_path + '/..'
+    base_helmfile = base_repo_path + '/helmfile_generic.yaml.gotmpl'
+    helmfile_backup_extension = '.bak'
+
+    Path(log_path).mkdir(parents=True, exist_ok=True)
+
+    logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
+    rootLogger = logging.getLogger()
+    rootLogger.setLevel(options.loglevel)
+
+    fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
+    fileHandler.setFormatter(logFormatter)
+    rootLogger.addHandler(fileHandler)
+
+    consoleHandler = logging.StreamHandler()
+    consoleHandler.setFormatter(logFormatter)
+    rootLogger.addHandler(consoleHandler)
+
+    logging.debug(f"Working with relative paths from script location: {script_path}")
+    logging.debug(f"Log directory:      {log_path}")
+    logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
+
     if options.revert:
         revert_the_helmfiles()
     else:

docs/enhanced-configuration/self-signed-certificates.md

@@ -26,186 +26,14 @@ There are two options to address these use case:
 This option is useful when you have your own PKI in your environment which is also trusted by all clients that should
 access openDesk.
 
-To help others with this section, we document the certificate creation, so
-please ensure that `openssl` is installed on your system.
-
-1. Create the Certificate Authority (CA) private key:
-    ```/bin/bash
-    $ openssl genrsa -aes256 -out ca-private_key.pem 2048
-    Enter PEM pass phrase:
-    Verifying - Enter PEM pass phrase:
-    ```
-
-2. Create the public certficiate for the Certificate Authority (CA):
-    ```/bin/bash
-    $ openssl req -x509 -new -nodes -extensions v3_ca -key ca-private_key.pem -days 1024 -out ca-cert.crt -sha512
-    Enter pass phrase for ca-private_key.pem:
-    You are about to be asked to enter information that will be incorporated
-    into your certificate request.
-    What you are about to enter is what is called a Distinguished Name or a DN.
-    There are quite a few fields but you can leave some blank
-    For some fields there will be a default value,
-    If you enter '.', the field will be left blank.
-    -----
-    Country Name (2 letter code) [AU]:DE
-    State or Province Name (full name) [Some-State]:
-    Locality Name (eg, city) []:
-    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-    Organizational Unit Name (eg, section) []:
-    Common Name (e.g. server FQDN or YOUR name) []:
-    Email Address []:
-    ```
-
-3. Generate the Java keystore (JKS) file `truststore.jks` with the CA certficiate (requires the Java SDK):
-    ```/bin/bash
-    $ export TRUSTSTORE_PASSWORD="passwordForTruststore.jks"
-    $ keytool -import -file ca-cert.crt -keystore truststore.jks -storepass "$TRUSTSTORE_PASSWORD"
-    Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
-    Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
-    Serial number: ccb2fc7257ebb602de0b74394cb1c009806f706
-    Valid from: Wed Dec 03 16:31:39 UTC 2025 until: Fri Sep 22 16:31:39 UTC 2028
-    Certificate fingerprints:
-             SHA1: AE:6F:55:AA:45:B4:A2:E1:E2:96:18:CF:FC:C0:5D:4B:56:0E:C4:26
-             SHA256: 95:C0:0E:44:B7:92:86:B7:D9:74:F4:4C:64:81:BA:E2:BE:75:90:03:56:0F:5F:9D:B5:85:A1:4C:82:54:19:8E
-    Signature algorithm name: SHA512withRSA
-    Subject Public Key Algorithm: 2048-bit RSA key
-    Version: 3
-    
-    Extensions: 
-    
-    #1: ObjectId: 2.5.29.35 Criticality=false
-    AuthorityKeyIdentifier [
-    KeyIdentifier [
-    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
-    0010: 9A E8 C0 DD                                        ....
-    ]
-    ]
-    
-    #2: ObjectId: 2.5.29.19 Criticality=true
-    BasicConstraints:[
-      CA:true
-      PathLen: no limit
-    ]
-    
-    #3: ObjectId: 2.5.29.14 Criticality=false
-    SubjectKeyIdentifier [
-    KeyIdentifier [
-    0000: 6A 64 5A 67 5E 11 8D B2   55 7B 53 0A 20 5C 9D 4D  jdZg^...U.S. \.M
-    0010: 9A E8 C0 DD                                        ....
-    ]
-    ]
-    
-    Trust this certificate? [no]:  yes
-    Certificate was added to keystore
-    ```
-
-4. Generate the private key and certificate request for the OpenDesk certificate (assuming a wildcard domain: '.opendesk-test.example.com'), use supply [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
-as SANs (Subject Alternative Name):
-    ```/bin/bash
-    $ openssl req -newkey rsa:2048 -nodes -keyout opendesk-cert-key.key -out opendesk-cert-request.csr -subj "/C=DE/O=OpenDesk Test/CN=opendesk-test.example.com" -addext "subjectAltName = DNS:opendesk-test.example.com,DNS:*.opendesk-test.example.com"
-    ....+...+..+.+.....+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+...............+.....+.......+..+......+....+......+.....+.........+.......+.....+....+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......................+..+.+......+...+........+...+.+..............................+.....+...+...+....+......+...............+.....+...+......+...+.+..+.........+.............+.....+...+.......+......+......+.....+....+..+...+.......+..............+...............+.+..+.......+...+..+.........+.+........+.+....................+..........+..+....+.....+.+.....+.......+...+........+................+...+..+...+..........+......+......+...+..+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-    .........+.......+..+................+..+..........+...+..+...+.+...+..+....+............+.....+.........+.+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+..+...+.............+..+.......+............+...+...........+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+.....+..........+........+...+................+........+.+.....+......+.........+......+.+..+.......+.....+....+...........+....+......+...+......+...............+..+...+.+.....+.........+.+.........+..+...+....+..+..........+.....+....+............+..+...+............+.+......+...+........+....+.....+.+.........+.....+...+.+..+.........+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-    -----
-    ```
-
-5. Sign the `opendesk-cert-request.csr` with the CA certficiate:
-    ```/bin/bash
-    $ openssl x509 -req -in opendesk-cert-request.csr -days 365 -CA ca-cert.crt -CAkey ca-private_key.pem -CAcreateserial -out opendesk-cert.crt -copy_extensions copy
-    Certificate request self-signature ok
-    subject=C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
-    Enter pass phrase for ca-private_key.pem:
-    ```
-
-6. Control the certificate (X509v3 Subject Alternative Name must be given for the wildcard DNS):
-  ```/bin/bash
-  $ openssl x509 -in opendesk-cert.crt -noout -text
-  Certificate:
-      Data:
-          Version: 3 (0x2)
-          Serial Number:
-              15:be:c5:3b:f9:87:e2:89:3c:17:da:78:5f:ae:0e:4e:dc:b9:86:47
-          Signature Algorithm: sha256WithRSAEncryption
-          Issuer: C = DE, ST = Some-State, O = Test Organization Name
-          Validity
-              Not Before: Dec  4 08:17:17 2025 GMT
-              Not After : Dec  4 08:17:17 2026 GMT
-          Subject: C = DE, O = OpenDesk Test, CN = opendesk-test.example.com
-          Subject Public Key Info:
-              Public Key Algorithm: rsaEncryption
-                  Public-Key: (2048 bit)
-                  Modulus:
-                      00:86:68:e3:5b:d1:fd:3c:44:01:08:99:0c:82:0c:
-                      53:50:0c:4a:b2:59:30:ae:a2:6b:b0:a4:33:1b:e1:
-                      39:d1:8c:71:8a:a0:60:c4:26:2c:1a:74:66:6d:77:
-                      4e:1d:4f:0a:c2:c7:83:ac:20:09:eb:f2:ee:b1:19:
-                      85:71:6c:f6:dc:4a:ef:d9:87:10:db:ff:b6:0b:ce:
-                      6a:3a:c9:aa:08:9b:a0:b1:6d:d5:db:41:e3:58:98:
-                      87:78:51:ff:2c:6b:19:e6:f2:7d:a3:91:5a:e6:fd:
-                      08:f9:e5:be:19:1d:74:2c:1c:ee:1e:3a:39:3c:6a:
-                      31:40:f2:7b:e3:ad:a8:f5:1a:fd:92:8e:c4:f6:89:
-                      1b:e2:d4:e3:dc:f5:bc:3e:85:6e:08:3a:20:73:61:
-                      96:4a:85:70:93:e9:17:a5:8e:78:54:34:26:83:a9:
-                      44:17:7f:5d:49:19:ee:e0:ce:73:b5:c6:0d:4c:19:
-                      7b:33:78:41:8b:80:2f:4b:bf:1d:70:77:fc:21:90:
-                      6f:bd:ec:1e:12:38:a2:56:42:b8:c0:c9:b3:0c:be:
-                      b7:9a:fb:82:38:c8:0c:aa:6c:3e:84:f7:82:cf:1d:
-                      c5:9f:79:01:75:50:58:3d:92:22:e1:0c:9e:b4:7a:
-                      45:76:ec:98:69:2a:fe:ed:89:44:6e:b2:ba:6c:2b:
-                      2a:b7
-                  Exponent: 65537 (0x10001)
-          X509v3 extensions:
-              X509v3 Subject Alternative Name: 
-                  DNS:opendesk-test.example.com, DNS:*.opendesk-test.example.com
-              X509v3 Subject Key Identifier: 
-                  3B:8F:7B:9F:A8:4B:10:72:7E:AC:1D:0A:24:51:5E:42:E7:C1:BB:AA
-              X509v3 Authority Key Identifier: 
-                  32:C0:EB:DE:3F:05:1A:7F:88:0D:49:05:A7:E1:56:28:CF:90:E0:E2
-      Signature Algorithm: sha256WithRSAEncryption
-      Signature Value:
-          98:48:ec:04:0a:53:c5:25:66:ff:1c:bd:ab:09:a2:9f:c3:ba:
-          d8:d8:c9:d8:47:dd:d6:08:70:5d:6b:0c:e4:2b:cd:ef:2f:06:
-          6c:5c:09:58:c1:72:df:d1:13:e3:c4:6e:9a:6a:cf:b4:cc:4a:
-          58:35:26:28:cb:b6:1f:f8:fa:e9:07:1a:0d:ba:01:1f:08:ac:
-          65:08:e7:23:25:42:f6:66:6e:11:a0:ef:73:c3:8b:dd:69:2e:
-          47:bf:59:c8:c1:6c:05:31:be:82:81:9d:be:f2:b3:61:a4:af:
-          a1:79:24:6a:26:1f:54:81:a0:eb:b0:ee:e3:7b:a2:2f:e7:74:
-          6e:71:cd:76:5d:65:18:14:6b:da:79:5c:3a:11:ec:11:95:6e:
-          ec:62:1f:77:7c:e6:7b:cb:d7:dd:46:8b:40:30:7c:2d:20:55:
-          99:25:05:05:37:b9:ff:06:1b:23:b2:58:88:ac:e5:75:06:a0:
-          73:72:50:d0:4e:bd:52:ab:3c:56:c2:1a:3d:5e:b5:ac:1c:d1:
-          f3:fb:29:e3:f5:bd:74:05:72:fc:b0:74:54:3c:67:45:19:76:
-          29:3c:3c:5a:57:9f:bd:8c:58:ff:9c:f3:08:99:1d:86:0a:59:
-          be:77:5d:b2:a4:6a:6e:d8:6d:fa:7e:cc:d1:99:6e:d3:19:9a:
-          84:b8:24:98
-  ```
-  
-  You can now use the `truststore.jks`, `opendesk-cert.crt`, `opendesk-cert-key.key` and `ca-cert.crt` for the secrets.
-
-7. Import the certificates into the Kubernetes cluster through kubernetes secrets:
-  
-  ```/bin/bash
-  $ export KUBERNETES_NAMESAPCE="dev"
-  $ kubectl config set-context --current --namespace="$KUBERNETES_NAMESAPCE"
-  Context "default" modified.
-
-  # Generate the TLS secret
-  $ kubectl create secret tls opendesk-certificates-tls --key opendesk-cert-key.key --cert opendesk-cert.crt
-  secret/opendesk-certificates-tls created
-
-
-  # Generate the CA secret
-  $ kubectl create secret generic opendesk-certificates-ca-tls --from-file=ca.crt=ca-cert.crt --from-file truststore.jks
-  secret/opendesk-certificates-ca-tls created
-  ```
-
-8. Disable cert-manager.io certificate resource creation:
+1. Disable cert-manager.io certificate resource creation:
 
     ```yaml
     certificates:
       enabled: false
     ```
 
-9. Enable mount of self-signed certificates:
+2. Enable mount of self-signed certificates:
 
     ```yaml
     certificate:
@@ -214,20 +42,19 @@ as SANs (Subject Alternative Name):
         create: false
     ```
 
-10. Save the password for the generated JKS trust store (`truststore.jks`):
+3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
+wildcard certificate or a certificate with [all required subdomains](../../helmfile/environments/default/global.yaml.gotmpl)
+set as SANs (Subject Alternative Name).
 
-    ```yaml
-    secrets:
-      certificates:
-        # The password from $TRUSTSTORE_PASSWORD
-        password: "passwordForTruststore.jks"
-    ```
+4. Create a Kubernetes secret with name `opendesk-certificates-ca-tls` of type `kubernetes.io/tls` containing the custom
+CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.jks`).
+
+5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
+trust store password.
 
 > [!note]
-> If your OpenDesk applications access services from the internet, you have to append the relevant CA certificates
-> to the `ca.crt`certificate. You can use the file `/etc/ssl/certs/ca-certificates.crt` from Debian distro. The CA certificate
-> (`ca.crt`) can contain multiple certificates but keep in mind, that the `truststore.jks` must be updated as well.
-
+> XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the
+> password from step 5 also as `secrets.certificates.password`.
 
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
 

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -4,12 +4,6 @@
 additionalAnnotations:
   {{ .Values.annotations.nubus.additional | toYaml | nindent 2 }}
 
-# -- Disable the cert-manager resources from the Helm chart if certificates are deactivated
-{{- if not .Values.apps.certificates.enabled }}
-certificates:
-  enabled: False
-{{- end }}
-
 global:
   certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   domain: {{ .Values.global.domain | quote }}
@@ -1527,12 +1521,6 @@ nubusUmcServer:
   smtp:
     auth:
       password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
-{{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "certificates"
-      secret:
-        secretName: "opendesk-certificates-tls"
-{{- end }}
 
 nubusUmcGateway:
   containerSecurityContext: