feat(helmfile): Add support for external secrets for PostgreSQL

Signed-off-by: Axel Lender <lender@b1-systems.de>

helmfile/apps/services-external/values-postgresql.yaml.gotmpl

@@ -18,8 +18,8 @@ containerSecurityContext:
       - "ALL"
   enabled: true
   privileged: false
-  runAsUser: 1001
+  runAsUser: 70
-  runAsGroup: 1001
+  runAsGroup: 70
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
@@ -29,7 +29,7 @@ containerSecurityContext:
 
 podSecurityContext:
   enabled: true
-  fsGroup: 1001
+  fsGroup: 70
   fsGroupChangePolicy: "OnRootMismatch"
 
 replicaCount: {{ .Values.replicas.postgres }}
@@ -49,37 +49,77 @@ image:
 job:
   users:
     - username: {{ .Values.databases.keycloak.username | quote }}
-      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.keycloakUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.keycloakUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.keycloakUser.key | quote }}
       connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.notes.username | quote }}
-      password: {{ .Values.secrets.postgresql.notesUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.notesUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.notesUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.notesUser.key | quote }}
       connectionLimit: {{ .Values.databases.notes.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.openproject.username | quote }}
-      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.openprojectUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.openprojectUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.openprojectUser.key | quote }}
       connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.keycloakExtension.username | quote }}
-      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.keycloakExtensionUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.keycloakExtensionUser.key | quote }}
       connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.synapse.username | quote }}
-      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.matrixUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.matrixUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.matrixUser.key | quote }}
       connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.umsNotificationsApiUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.umsNotificationsApiUser.key | quote }}
       connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.umsGuardianManagementApiUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.umsGuardianManagementApiUser.key | quote }}
       connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.umsSelfservice.username | quote }}
-      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.umsSelfserviceUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.umsSelfserviceUser.key | quote }}
       connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ if or (eq .Values.databases.nextcloud.type "postgresql") (eq .Values.databases.nextcloud.type "psql") }}
     - username: {{ .Values.databases.nextcloud.username | quote }}
-      password: {{ .Values.secrets.postgresql.nextcloudUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.nextcloudUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.nextcloudUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.nextcloudUser.key | quote }}
       connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
 {{ if eq .Values.databases.xwiki.type "postgresql" }}
     - username: {{ .Values.databases.xwiki.username | quote }}
-      password: {{ .Values.secrets.postgresql.xwikiUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.xwikiUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.xwikiUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.xwikiUser.key | quote }}
       connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
   databases:
@@ -125,7 +165,11 @@ podAnnotations:
 
 postgres:
   user: "postgres"
-  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
+  password:
+    value: {{ .Values.secrets.postgresql.postgresUser | quote }}
+    secret:
+      name: {{ .Values.external_secrets.postgresql.postgresUser.name | quote }}
+      key: {{ .Values.external_secrets.postgresql.postgresUser.key | quote }}
 
 resources:
   {{ .Values.resources.postgresql | toYaml | nindent 2 }}

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -0,0 +1,41 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+external_secrets:
+  postgresql:
+    postgresUser:
+      name: ~
+      key: ~
+    keycloakUser:
+      name: ~
+      key: ~
+    keycloakExtensionUser:
+      name: ~
+      key: ~
+    matrixUser:
+      name: ~
+      key: ~
+    nextcloudUser:
+      name: ~
+      key: ~
+    notesUser:
+      name: ~
+      key: ~
+    openprojectUser:
+      name: ~
+      key: ~
+    umsNotificationsApiUser:
+      name: ~
+      key: ~
+    umsGuardianManagementApiUser:
+      name: ~
+      key: ~
+    umsSelfserviceUser:
+      name: ~
+      key: ~
+    xwikiUser:
+      name: ~
+      key: ~
+...