fix(nextcloud): Update Helm chart and images to fix warnings in admin overview and have /status.php behind BasicAuth; review migrations.md for required upgrade steps

dev/charts-local.py

@@ -1,14 +1,6 @@
 #!/usr/bin/env python3
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
-# /// script
-# requires-python = ">=3.12"
-# dependencies = [
-#     "configargparse",
-#     "gitpython",
-#     "pyyaml",
-# ]
-# ///
 
 import os.path
 import logging
@@ -21,6 +13,40 @@ import configargparse
 from pathlib import Path
 from git import Repo
 
+p = configargparse.ArgParser()
+p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work with. Will be created by the script if it does not exist yet.')
+p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
+p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
+p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
+p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
+options = p.parse_args()
+
+script_path = os.path.dirname(os.path.realpath(__file__))
+# some static definitions
+log_path = script_path+'/../logs'
+charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml.gotmpl'
+base_repo_path = script_path+'/..'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
+helmfile_backup_extension = '.bak'
+
+Path(log_path).mkdir(parents=True, exist_ok=True)
+
+logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
+rootLogger = logging.getLogger()
+rootLogger.setLevel(options.loglevel)
+
+fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
+fileHandler.setFormatter(logFormatter)
+rootLogger.addHandler(fileHandler)
+
+consoleHandler = logging.StreamHandler()
+consoleHandler.setFormatter(logFormatter)
+rootLogger.addHandler(consoleHandler)
+
+logging.debug(f"Working with relative paths from script location: {script_path}")
+logging.debug(f"Log directory:      {log_path}")
+logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
+
 
 def create_or_switch_branch_base_repo():
     base_repo = Repo(path=base_repo_path)
@@ -162,50 +188,11 @@ def revert_the_helmfiles():
 ##
 ## Main program
 ##
-if __name__ == "__main__":
-    p = configargparse.ArgParser()
-    p.add('--branch', env_var='CHART_DEV_BRANCH',
-          help='The branch you want to work with. Will be created by the script if it does not exist yet.')
-    p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de',
-          help='Set the hostname for the chart git checkouts.')
-    p.add('--revert', default=False, action='store_true',
-          help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
-    p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-    p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG',
-          help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
-    options = p.parse_args()
-
-    script_path = os.path.dirname(os.path.realpath(__file__))
-    # some static definitions
-    log_path = script_path + '/../logs'
-    charts_yaml = script_path + '/../helmfile/environments/default/charts.yaml.gotmpl'
-    base_repo_path = script_path + '/..'
-    base_helmfile = base_repo_path + '/helmfile_generic.yaml.gotmpl'
-    helmfile_backup_extension = '.bak'
-
-    Path(log_path).mkdir(parents=True, exist_ok=True)
-
-    logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
-    rootLogger = logging.getLogger()
-    rootLogger.setLevel(options.loglevel)
-
-    fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
-    fileHandler.setFormatter(logFormatter)
-    rootLogger.addHandler(fileHandler)
-
-    consoleHandler = logging.StreamHandler()
-    consoleHandler.setFormatter(logFormatter)
-    rootLogger.addHandler(consoleHandler)
-
-    logging.debug(f"Working with relative paths from script location: {script_path}")
-    logging.debug(f"Log directory:      {log_path}")
-    logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
-
-    if options.revert:
-        revert_the_helmfiles()
-    else:
-        branch = create_or_switch_branch_base_repo()
-        with open(charts_yaml, 'r') as file:
-            charts = yaml.safe_load(file)
-        charts_dict = clone_charts_locally(branch, charts)
-        process_the_helmfiles(charts_dict, charts)
+if options.revert:
+    revert_the_helmfiles()
+else:
+    branch = create_or_switch_branch_base_repo()
+    with open(charts_yaml, 'r') as file:
+        charts = yaml.safe_load(file)
+    charts_dict = clone_charts_locally(branch, charts)
+    process_the_helmfiles(charts_dict, charts)

docs/getting-started.md

@@ -65,7 +65,7 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | Record name                   | Type | Value                                              | Additional information                                            |
 |-------------------------------|------|----------------------------------------------------|-------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                   |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                   |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            | Optional                                                          |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                   |

docs/migrations.md

@@ -13,6 +13,7 @@ SPDX-License-Identifier: Apache-2.0
   * [Versions ≥ v1.11.0](#versions--v1110)
     * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
       * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
+      * [Helmfile new secret: `secrets.nextcloud.statusPassword`](#helmfile-new-secret-secretsnextcloudstatuspassword)
   * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
       * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
@@ -214,6 +215,20 @@ Setting service annotation by `annotations.openxchangePostfix.service` applied t
 and external service. This key now only sets annotations for the internal service. If you want to set
 annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
 
+#### Helmfile new secret: `secrets.nextcloud.statusPassword`
+
+**Target group:** All existing deployments that use self-defined secrets and have deployed Nextcloud.
+
+Access to Nextcloud's `/status.php` requires now BasicAuth. The related password is set in
+[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key
+`secrets.nextcloud.statusPassword`.
+
+If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will
+be derived from the `MASTER_PASSWORD`.
+
+> [!note]
+> The username for the BasicAuth is hardcoded to "status-access".
+
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0

docs/monitoring.md

@@ -23,8 +23,7 @@ openDesk includes integration with Prometheus-based monitoring.
 
 Together with [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), you can easily leverage the full potential of the open-source cloud-native observability stack.
 
-Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack
-repository or Prometheus operator.
+Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack repository which should at least include the Prometheus Operator.
 
 # Defaults
 
@@ -33,14 +32,16 @@ All configurable options and their defaults can be found in
 
 # Metrics
 
-To deploy `podMonitor` and `serviceMonitor` custom resources, enable it by:
+To deploy `podMonitor` and `serviceMonitor` custom resources, enable them by:
 
 ```yaml
-prometheus:
-  serviceMonitors:
-    enabled: true
-  podMonitors:
-    enabled: true
+monitoring:
+  prometheus:
+    serviceMonitors:
+      enabled: true
+    podMonitors:
+      enabled: true
+```
 ```
 
 # Alerts
@@ -51,19 +52,23 @@ Some of these are created by our partners while others are defined in [opendesk-
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:
 
 ```yaml
-prometheus:
-  prometheusRules:
-    enabled: true
+monitoring:
+  prometheus:
+    prometheusRules:
+      enabled: true
 ```
 
 # Dashboards for Grafana
 
-To deploy optional Grafana dashboards with ConfigMaps, enable the functionality with:
+If your Grafana instance is deployed via kube-prometheus-stack, or you have deployed the [Sidecar for datasources](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#sidecar-for-datasources), openDesk can make dashboards available via ConfigMap resources. 
+
+Enable the functionality with the following snippet:
 
 ```yaml
-grafana:
-  dashboards:
-    enabled: true
+monitoring:
+  grafana:
+    dashboards:
+      enabled: true
 ```
 
 Please find further details in the [related Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards).

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -118,6 +118,10 @@ aio:
           value: {{ .Values.databases.nextcloud.password | quote }}
           {{- end }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
+
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -33,6 +33,9 @@ config:
         value: "nextcloud"
       password:
         value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,7 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
+    tag: "1.7.1@sha256:aa91feaa89989178d859f21bb25633ef07facea19ac3ef696186256492a13b17"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -249,7 +249,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "4.4.4"
+    version: "4.5.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -259,7 +259,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "4.4.4"
+    version: "4.5.0"
     verify: true
   nextcloudNotifyPush:
     # providerCategory: "Platform"
@@ -269,7 +269,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-notifypush"
-    version: "4.4.4"
+    version: "4.5.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -383,7 +383,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "2.2.0"
+    version: "2.3.0"
     verify: true
   otterize:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml.gotmpl

@@ -330,7 +330,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
+    tag: "2.11.0@sha256:481e83fb913c98d2ede8ae734f406ac5c12f805093af0a34cb9c86eeaa56bc01"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -770,7 +770,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
-    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
+    tag: "1.2.0@sha256:7d2ab97a8cd17aa2c12a6d613044c848edf0371974662390eb08c197aa12b84a"
   openprojectDbInit:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"

helmfile/environments/default/secrets.yaml.gotmpl

@@ -101,6 +101,7 @@ secrets:
   nextcloud:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
     metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
+    statusPassword: {{ derivePassword 1 "medium" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_status_user" | sha1sum | quote }}
   openproject:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
     apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}