chore(misc): Add standard python script guard to charts-local.py

This adds a `if __name__ == "__main__"` guard to the charts-local.py script.
The guard should always be used to make it obvious to developers that this is
the entrypoint of the script and to prevent accidental side effects when handling
the script as a python module in any way (e.g. during interactive debugging).

dev/charts-local.py

@@ -1,6 +1,14 @@
 #!/usr/bin/env python3
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
+# /// script
+# requires-python = ">=3.12"
+# dependencies = [
+#     "configargparse",
+#     "gitpython",
+#     "pyyaml",
+# ]
+# ///
 
 import os.path
 import logging
@@ -13,40 +21,6 @@ import configargparse
 from pathlib import Path
 from git import Repo
 
-p = configargparse.ArgParser()
-p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work with. Will be created by the script if it does not exist yet.')
-p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
-p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
-p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
-options = p.parse_args()
-
-script_path = os.path.dirname(os.path.realpath(__file__))
-# some static definitions
-log_path = script_path+'/../logs'
-charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml.gotmpl'
-base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
-helmfile_backup_extension = '.bak'
-
-Path(log_path).mkdir(parents=True, exist_ok=True)
-
-logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
-rootLogger = logging.getLogger()
-rootLogger.setLevel(options.loglevel)
-
-fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
-fileHandler.setFormatter(logFormatter)
-rootLogger.addHandler(fileHandler)
-
-consoleHandler = logging.StreamHandler()
-consoleHandler.setFormatter(logFormatter)
-rootLogger.addHandler(consoleHandler)
-
-logging.debug(f"Working with relative paths from script location: {script_path}")
-logging.debug(f"Log directory:      {log_path}")
-logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
-
 
 def create_or_switch_branch_base_repo():
     base_repo = Repo(path=base_repo_path)
@@ -188,11 +162,50 @@ def revert_the_helmfiles():
 ##
 ## Main program
 ##
-if options.revert:
-    revert_the_helmfiles()
-else:
-    branch = create_or_switch_branch_base_repo()
-    with open(charts_yaml, 'r') as file:
-        charts = yaml.safe_load(file)
-    charts_dict = clone_charts_locally(branch, charts)
-    process_the_helmfiles(charts_dict, charts)
+if __name__ == "__main__":
+    p = configargparse.ArgParser()
+    p.add('--branch', env_var='CHART_DEV_BRANCH',
+          help='The branch you want to work with. Will be created by the script if it does not exist yet.')
+    p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de',
+          help='Set the hostname for the chart git checkouts.')
+    p.add('--revert', default=False, action='store_true',
+          help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
+    p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
+    p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG',
+          help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
+    options = p.parse_args()
+
+    script_path = os.path.dirname(os.path.realpath(__file__))
+    # some static definitions
+    log_path = script_path + '/../logs'
+    charts_yaml = script_path + '/../helmfile/environments/default/charts.yaml.gotmpl'
+    base_repo_path = script_path + '/..'
+    base_helmfile = base_repo_path + '/helmfile_generic.yaml.gotmpl'
+    helmfile_backup_extension = '.bak'
+
+    Path(log_path).mkdir(parents=True, exist_ok=True)
+
+    logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
+    rootLogger = logging.getLogger()
+    rootLogger.setLevel(options.loglevel)
+
+    fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
+    fileHandler.setFormatter(logFormatter)
+    rootLogger.addHandler(fileHandler)
+
+    consoleHandler = logging.StreamHandler()
+    consoleHandler.setFormatter(logFormatter)
+    rootLogger.addHandler(consoleHandler)
+
+    logging.debug(f"Working with relative paths from script location: {script_path}")
+    logging.debug(f"Log directory:      {log_path}")
+    logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
+
+    if options.revert:
+        revert_the_helmfiles()
+    else:
+        branch = create_or_switch_branch_base_repo()
+        with open(charts_yaml, 'r') as file:
+            charts = yaml.safe_load(file)
+        charts_dict = clone_charts_locally(branch, charts)
+        process_the_helmfiles(charts_dict, charts)

docs/getting-started.md

@@ -65,7 +65,7 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | Record name                   | Type | Value                                              | Additional information                                            |
 |-------------------------------|------|----------------------------------------------------|-------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                   |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            | Optional                                                          |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                   |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                   |

docs/monitoring.md

@@ -23,7 +23,8 @@ openDesk includes integration with Prometheus-based monitoring.
 
 Together with [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), you can easily leverage the full potential of the open-source cloud-native observability stack.
 
-Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack repository which should at least include the Prometheus Operator.
+Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack
+repository or Prometheus operator.
 
 # Defaults
 
@@ -32,16 +33,14 @@ All configurable options and their defaults can be found in
 
 # Metrics
 
-To deploy `podMonitor` and `serviceMonitor` custom resources, enable them by:
+To deploy `podMonitor` and `serviceMonitor` custom resources, enable it by:
 
 ```yaml
-monitoring:
-  prometheus:
-    serviceMonitors:
-      enabled: true
-    podMonitors:
-      enabled: true
-```
+prometheus:
+  serviceMonitors:
+    enabled: true
+  podMonitors:
+    enabled: true
 ```
 
 # Alerts
@@ -52,23 +51,19 @@ Some of these are created by our partners while others are defined in [opendesk-
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:
 
 ```yaml
-monitoring:
-  prometheus:
-    prometheusRules:
-      enabled: true
+prometheus:
+  prometheusRules:
+    enabled: true
 ```
 
 # Dashboards for Grafana
 
-If your Grafana instance is deployed via kube-prometheus-stack, or you have deployed the [Sidecar for datasources](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#sidecar-for-datasources), openDesk can make dashboards available via ConfigMap resources. 
-
-Enable the functionality with the following snippet:
+To deploy optional Grafana dashboards with ConfigMaps, enable the functionality with:
 
 ```yaml
-monitoring:
-  grafana:
-    dashboards:
-      enabled: true
+grafana:
+  dashboards:
+    enabled: true
 ```
 
 Please find further details in the [related Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards).

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -17,14 +17,7 @@ application_config:
 #    - "diagram"
 
 autoscaling:
-  enabled: {{ .Values.technical.cryptpad.autoscaling.enabled }}
-  minReplicas: {{ .Values.technical.cryptpad.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.technical.cryptpad.autoscaling.maxReplicas }}
-  targetCPUUtilizationPercentage: {{ .Values.technical.cryptpad.autoscaling.targetCPUUtilizationPercentage }}
-  targetMemoryUtilizationPercentage: {{ .Values.technical.cryptpad.autoscaling.targetMemoryUtilizationPercentage }}
-
-config:
-  maxWorkers: {{ .Values.technical.cryptpad.maxWorkers }}
+  enabled: false
 
 enableEmbedding: true
 

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -53,8 +53,6 @@ global:
   configUcr:
     directory:
       manager:
-        mail-address:
-          uniqueness: "True"
         rest:
           authorized-groups:
             domain-admins: __DELETE_KEY__
@@ -69,9 +67,9 @@ global:
                   description:
                     syntax: "TextArea"
                   firstname:
-                    required: "True"
+                    required: "true"
                   mailPrimaryAddress:
-                    required: "True"
+                    required: "true"
                   username:
                     syntax: "uid"
                 search:

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -266,9 +266,6 @@ appsuite:
             com.openexchange.mail.filter.passwordSource: global
             com.openexchange.mail.filter.masterPassword:  {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
             com.openexchange.mail.filter.preferredSaslMech: ""
-            # Loosen API the rate limit
-            com.openexchange.servlet.maxRateTimeWindow: "60000"
-            com.openexchange.servlet.maxRate: "3000"
           propertiesFiles:
             /opt/open-xchange/etc/masterpassword-authentication.properties:
               com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
@@ -635,12 +632,6 @@ appsuite:
       com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppSuite.shareCryptKey | quote }}
       com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppSuite.synapseAsToken | quote }}
     propertiesFiles:
-      /opt/open-xchange/etc/server.properties:
-        MAX_UPLOAD_SIZE: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
-      /opt/open-xchange/etc/infostore.properties:
-        MAX_UPLOAD_SIZE: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
-      /opt/open-xchange/etc/attachment.properties:
-        MAX_UPLOAD_SIZE: {{ mul .Values.functional.groupware.mail.maxSize 1024 1024 | int | printf "%d" | quote }}
       /opt/open-xchange/etc/AdminDaemon.properties:
         MASTER_ACCOUNT_OVERRIDE: "true"
       /opt/open-xchange/etc/AdminUser.properties:

helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl

@@ -92,13 +92,12 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsGroup: 101
   runAsUser: 101
+  runAsGroup: 101
   seccompProfile:
     type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
   seLinuxOptions:
     {{ .Values.seLinuxOptions.opendeskStaticFiles | toYaml | nindent 4 }}
 

helmfile/environments/default/technical.yaml.gotmpl

@@ -3,28 +3,9 @@
 ---
 technical:
 
-  # Cryptpad related technical settings
-  cryptpad:
-    # Define how many child processes are initially spawned, even without any user accessing Cryptpad.
-    # Ref.: https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/config/config.example.js#L111
-    maxWorkers: 4
-    # Autoscaling options
-    autoscaling:
-      # Enable the Autoscaling
-      enabled: false
-      # Minimal numbers of replicas
-      minReplicas: 1
-      # Maximum numbers of replicas
-      maxReplicas: 100
-      # Percentage of the targeted CPU Utilization
-      targetCPUUtilizationPercentage: 80
-      # Percentage of the targeted Memory Utilization
-      targetMemoryUtilizationPercentage: 80
-
   # Collabora related technical settings
   collabora:
-    # Set the value for the start parameter `-o:num_prespawn_children` to define how many child processes
-    # are initially spawned, even without any user accessing Collabora.
+    # Defines the value for the start parameter `-o:num_prespawn_children`
     numPrespawnChildren: 4
 
   # Dovecot EE related settings