fix(gotmpl): Sort values for existing secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -24,6 +24,9 @@ dovecot:
     username: {{ .Values.databases.dovecotDictmap.username | quote }}
     password:
       value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.dovecot.dictmapUser.name | quote }}
+        key: {{ .Values.externalSecrets.dovecot.dictmapUser.key | quote }}
     keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
   sharedMailboxes:
     enabled: true
@@ -32,16 +35,28 @@ dovecot:
     username: {{ .Values.databases.dovecotACL.username | quote }}
     password:
       value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.dovecot.aclUser.name | quote }}
+        key: {{ .Values.externalSecrets.dovecot.aclUser.key | quote }}
     keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
     bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
     encryption:
       privateKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
+          key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
       publicKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
+          key: {{ .Values.externalSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
     fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     username: {{ .Values.objectstores.dovecot.username | quote }}
     password:
       value: {{ .Values.objectstores.dovecot.secretKey | default .Values.secrets.minio.dovecotUser | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.objectstores.dovecotUser.name | quote }}
+        key: {{ .Values.externalSecrets.objectstores.dovecotUser.key | quote }}
 ...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -25,10 +25,16 @@ dovecot:
   defaultMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password:
     value: {{ .Values.secrets.dovecot.doveadm | quote }}
+    existingSecret:
+      name: {{ .Values.externalSecrets.dovecot.doveadm.name | quote }}
+      key: {{ .Values.externalSecrets.dovecot.doveadm.key | quote }}
   migration:
     enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
     masterPassword:
       value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
+        key: {{ .Values.externalSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
   ldap:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
@@ -37,12 +43,18 @@ dovecot:
     dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
     password:
       value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.name | quote }}
+        key: {{ .Values.externalSecrets.nubus.ldapSearch.dovecot.key | quote }}
   oidc:
     enabled: true
     clientID:
       value: "opendesk-dovecot"
     clientSecret:
       value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.name | quote }}
+        key: {{ .Values.externalSecrets.keycloak.clientSecret.dovecot.key | quote }}
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -62,8 +62,14 @@ postfix:
     authentication:
       username:
         value: {{ .Values.smtp.username }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.smtp.username.name | quote }}
+          key: {{ .Values.externalSecrets.smtp.username.key | quote }}
       password:
         value: {{ .Values.smtp.password }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.smtp.password.name | quote }}
+          key: {{ .Values.externalSecrets.smtp.password.key | quote }}
   {{- end }}
   allowRelayNets: false
   smtpSASLAuthEnable: "yes"

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -66,8 +66,14 @@ postfix:
     authentication:
       username:
         value: {{ .Values.smtp.username }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.smtp.username.name | quote }}
+          key: {{ .Values.externalSecrets.smtp.username.key | quote }}
       password:
         value: {{ .Values.smtp.password }}
+        existingSecret:
+          name: {{ .Values.externalSecrets.smtp.password.name | quote }}
+          key: {{ .Values.externalSecrets.smtp.password.key | quote }}
   {{- end }}
   # Warning: This setting allows unauthenticated mail relay from relayNets!
   allowRelayNets: true
@@ -91,8 +97,14 @@ postfix:
     enabled: true
     username:
       value: "opendesk-system"
+      existingSecret:
+        name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
+        key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
     password:
       value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      existingSecret:
+        name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
+        key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
 
   {{- if .Values.antivirus.milter.host }}
   smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+externalSecrets:
+  dovecot:
+    aclUser:
+      name: ~
+      key: ~
+    dictmapUser:
+      name: ~
+      key: ~
+    doveadm:
+      name: ~
+      key: ~
+    objectStorage:
+      encryption:
+        privateKey:
+          name: ~
+          key: ~
+        publicKey:
+          name: ~
+          key: ~
+  keycloak:
+    clientSecret:
+      dovecot:
+        name: ~
+        key: ~
+  nubus:
+    ldapSearch:
+      dovecot:
+        name: ~
+        key: ~
+  objectstores:
+    dovecotUser:
+      name: ~
+      key: ~
+  oxAppSuite:
+    migrationsMasterPassword:
+      name: ~
+      key: ~
+  postfix:
+    opendeskSystemPassword:
+      name: ~
+      key: ~
+    opendeskSystemUsername:
+      name: ~
+      key: ~
+  smtp:
+    password:
+      name: ~
+      key: ~
+    username:
+      name: ~
+      key: ~
+...